Google Pushing Back On Law Enforcement Requests For Access To Gmail Accounts 75
Virtucon writes "Ars technica has an interesting article on how Google is handling requests from law enforcement for access to Gmail accounts. With the recent Petraeus scandal where no criminal conduct was found, it seems that they're re-enforcing their policies and standing up for their users. 'In order to compel us to produce content in Gmail we require an ECPA search warrant,' said Chris Gaither, Google spokesperson. 'If they come for registration information, that's one thing, but if they ask for content of email that's another thing.'"
Duplicate? (Score:1)
http://tech.slashdot.org/story/13/01/23/1712213/google-report-shows-governments-want-more-private-data [slashdot.org]
Re: (Score:3)
I don't think it's a dupe, granted I have only read both summaries and neither article, but the links are different and the headline text is certainly not the same. Two "Google Saves Your Privacy Heroically" articles in as many days, though. You would think they were trying to tell us something.
Re: (Score:1)
They're both referring to the same 'Transparency Report'. Not duplicate articles, but duplicate story.
Re: (Score:3)
service centralization = bad idea (Score:3, Insightful)
Email and other services are way more robust when there are many providers, because there is not one central point for a government to apply pressure. In the 1990s everyone got email through their ISP, and there were a million little ISPs all around.
Now, there are fewer ISPs, and even though they all still provide email via the standardized protocols, everyone ignores that and uses webmail... and most of them use Google. Having the whole world's email in one place is a bad idea. It means there's one place to, say, block encryption if the powers-that-be decide they really should be able to read *every* email. It means there's just one place to censor. Just one place to move away from standard protocols to achieve lock-in.
The entire concept of the internet was about decentralization to achieve robustness. Once, robustness in the face of nuclear war, but it also provides other kinds of robustness, like robustness against censorship, against control, and against monitoring. Now, for some bewildering reason, we want to discard the robustness of decentralization and put all our eggs in one basket. I do not understand why everyone prefers that.
Re: (Score:3, Interesting)
Re: (Score:1)
Re: (Score:2)
Because GMail is more convenient to use and feature rich than running your own server, which you are still perfectly free to do.
Well, "free to do" if you pay for a commercial/business-class account with an ISP, and then one usually must make several calls to get them to open up the ports for your mail server(s).
Your mail server is also likely to get on anti-spam blacklists and be filtered by mail services like Yahoo as well. Running small, private mail servers is generally discouraged among private individuals.
Strat
Re: (Score:2)
turn in your geek card, running an emailserver is not exactly quantum mechanics.
once configured running a linux-emailserver is as much work as ssh-ing in every once in a while to run apt-get
You need to turn in yours instead, as you fail at reading comprehension.
"Running" the server itself isn't the issue. Whether you'll actually be able to have it receive and send mail because of ISP port blockages and/or anti-spam service blacklists is.
If you aren't aware of these common hazards/problems with running your own personal mail server, you likely never had a geek card to begin with.
Strat
Re:service centralization = bad idea (Score:5, Insightful)
I do not understand why everyone prefers that.
I wanted to run my own email server. However, I do not do IT for a living. That's not a problem, most people say, email servers are simple. I agree, opening up the port and running a server would be simple, but what would crush me is trying to keep that server secure, and my email mostly free from spam.
I just don't have the time to setup the server properly, with subscriptions to spammer blacklists, maintaining security patches, and the whole slew of work required to make that simple email server something that would work for me.
I found that my old gmail account generally worked well with regard to keeping spam away from my account, and I never had to worry about making the server secure. So I signed up for google apps (back when it was free for small users), and setup my domain to use google to host my email.
Now I have all the email addresses I want, associated with my domain, and google handles ALL the annoying work of maintaining the server, handling security, general administration and so on. I can be reasonably assured that whenever I want to access my email, I will be able to via a simple web browser. I don't need to worry that my ISP is crappy, or blocking me, or that I had a power outage at my home.
For me, that amount of time savings and convenience is well worth the tradeoff that someone in the government could gain access to that specific email address' contents.
And most importantly, nothing prevents me from creating or using a throw-away email address on another site if I wanted more obscurity. Privacy, unfortunately, requires a proactive effort, but the benefits I receive from a centralized, managed, and to date uncensored email service currently far outweighs the current drawbacks. If that ever shifts in the other direction, as I mentioned, nothing is really preventing me from just dropping google.
Re: (Score:2)
Who cares about email now anyway?
Re: (Score:1)
Alternatively, you could use a simple webmail service, such as Gmail.
Who cares about email now anyway?
Apparently Google does
Re: (Score:1)
If that ever shifts in the other direction, as I mentioned, nothing is really preventing me from just dropping google.
If that ever shifts you can drop Google only for future emails.
...
When the shift comes (e.g. sudden government interest in your person) there will be much information at Google already you may not want to share: who your friends are, business contacts, personal views,
Re: (Score:3)
I do not understand why everyone prefers that.
Convenience. Plus most people don't give a shit if the government reads all their emails anyway. I realise this isn't sufficiently paranoid for slashdot, but it's how the vast majority of people behave. How many people bother to encrypt their emails for instance?
Also, if I was planning to overthrow the government, stage an armed robbery or even (if I was a public figure) conduct an extra-marital affair, I certainly wouldn't use email to exchange details with anyone about it.
What about contacts graph? (Score:5, Insightful)
Contents are private, post office does not read it, and you need a warrant from a court to intercept and read mail, so google demands a warrant for contents of email. OK fine.
Now, in each letter, the from address and the to address are open in the public. Technically the post office could build a graph of who communicates with who and how frequently using just the public information. But it is expensive, painful and so USPS does not do it. Or I think it does not do it. But it is trivial for gmail to build all people who correspond with me, and rank them by the frequency of communication. In fact it already does, it suggests a CC list based on the addresses in the To list. Is it considered public information? Would google share it with the government without warrant? Or would it require a warrant?
Re: (Score:2)
It just occurred to me: does a Gmail message ever reach the public internet when it's sent to another Gmail user?
Re: (Score:2)
That's what I thought but I was curious, you patronising ass.
Re: (Score:2)
Well, not just an ass but also lacks imagination. Since many people pick up their Gmail via POP or IMAP then, regardless of whether it's from the same server or not, it still goes through the 'public' Internet, (not via VPN, but at least they support secure connection).
In another post somebody said that "most" people access Gmail via web interface...eh? Everybody, yes everybody, I know also gets their Gmail on their BB/iThing/Android/Outlook/whatever...
Re:What about contacts graph? (Score:4, Interesting)
Stupid answer.
How many mail servers do you think Google has? Lots. Geographically distributed.
And guess where the traffic goes to get from one to another? Public internet.
Re: (Score:2)
At least, when it comes to Google, there's at least a good chance the data travels between their data centers encrypted.
Re: (Score:2)
To every Google data center? Very likely not.
Re: (Score:2)
Every reputable company implements a VPN, MPLS or something similiar for internal traffic between their remote locations.
I would be completely shocked if they did not. Router management traffic or log data dumps, for example, is completely inappropriate over the broader Internet.
Now, it's possible that some traffic between datacenters is using public pipes, but I would think they have it set up to prefer internal VPN or MPLS or other private circuit arrangements between their own locations.
Re: (Score:2)
So, Chile to Finland to Taiwan?
http://www.google.com/about/datacenters/inside/locations/index.html [google.com]
Re: (Score:2)
It could be over leased line or VPN, but for security purposes, assume public internet.
Re: (Score:2)
so, you think that from one data center to another is always a public network?
(who's the stupid one here?)
Re: (Score:2)
I'm pretty sure that ALL of Google's data centers that contain mail servers are not privately connected, yes.
Re: (Score:2)
Now, in each letter, the from address and the to address are open in the public.
Is a from address mandatory in the US?
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Only on certain types of mail:
http://pe.usps.com/text/qsg300/Q602.htm [usps.com]
(those qualifying for reduced rates for being non-profit, &c.)
If one pays full postage, no return address is necessary.
Re: (Score:2)
In this case though, Patraeus and Broadwell did not actually send but just left unfinished drafts. w/o a warrent, gmail still handed over the drafts, nothing to graph if it all just sits there 'unfinished'.
H.
Re: (Score:2)
But it is expensive, painful and so USPS does not do it. Or I think it does not do it.
I never thought about that before, but those high speed scanning machines are doing OCR on the destination address, so the return address could be included as well. If the USPS were run like a company, they'd at least be using it for analytics and process optimization.
Re: (Score:2)
Re: (Score:2)
I believe that it doesn't matter what Google does. With all the wiretaps and Echelon type stuff going on, I would be surprised if the social graphs based on who is calling who does not include all email service by this point. Like you said, the sender and receiver are well-known, and if you have a MITM such as a slutty ISP who gives it up easily, then you really don't need Google or Yahoo to comply.
Re: (Score:1)
>> Or I think it does not do it.
Letters are all machine processed anyhow. Wouldn't this be pretty easy to implement for most letters?
Unless, of course, they get a Patirot Act request (Score:3, Insightful)
Patriot Act federal requests do not require a warrant and cannot be reported when served against a company like Google when serviced. Even A fast Google search reveals dozens of specific instances of Patriot Act abuse, and the law itself at http://www.fincen.gov/statutes_regs/patriot/ shows that it wildly exceeds any sane Constitutional interpretation.
Similar abusive laws in other countries mean that Google, forced to follow local law enforcement in numerous countries, is wide open to abusive but legal requests for private content. There seems to be no sign that they do more than provide more than the slightest lip service to genuine privacy concerns, and many of their business modes are based on *selling* information about their customers.
Re:Unless, of course, they get a Patirot Act reque (Score:4, Funny)
Not "Patriot Act", it's the U.S.A. P.A.T.R.I.O.T. Act, and each of those letters stands for something, because US civil defense policy is now run by the marketing arm of Mattel.
Re: (Score:2)
Thus, I say that email must not be placed in a cloud. Some companies like Google try to be no evil but have little wiggle room -- the bad guys (yes, the current crop of governments work against rather than for you) can access your mail at a whim. Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.
If you host your own mail server (even at home), the bad guys at least need an actual warrant, and can't do this
Re: (Score:2)
I think you need to balance risks. If my mail is hosted outside my home, on my ISP or on Google, then it increases the risk of it being searched by the government without my knowledge. If I set up and run my own mail server on my own machine, then I need to correctly install and configure the OS and mail server and keep up with all the security patches and spam filters, or I severely risk having my mail accessed by script kiddies without my knowledge. Or maybe I will know about it because they'll reset pass
Re: (Score:2)
I need to correctly [...] keep up with all the security patches and spam filters
Uhm, and that's much work... how? You need to do a manual intervention once a couple years, to move to the next stable release. Security updates get pretty thoroughly tested (Microsoft aside...), so outside of especially complex deployments not having them as a cronjob tends to be a waste of time. Spamassassin updates its rules automatically, which is probably good enough if you don't feel like tweaking them.
Re: (Score:2)
That's why we need a way to force encryption, limitting their knowledge to just the source and target IP.
Re: (Score:2)
Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.
If you send emails without encryption, you should certainly limit them to not much more than Christmas greetings to aunt Jane. I assume that any email I send is as secure as a letter, since I can't be arsed with encryption. My bank wouldn't send me a new PIN on a postcard, but it certainly would in an envelope.
Re: (Score:2)
And, in fact, they have NEVER fought one of these requests. Ever. The only ISP operator to fight one of these requests is Nick Merrill, and he had to enlist the ACLU and others just to get the right to be represented by an attorney, much less make his fight public. Otherwise, the only other people to fight these requests were a few librarians. Considering that these requests can actually dragnet in huge amounts of data from multiple accounts, I wouldn't feel so sanguine about Google's "pushing back".
I wonder if there was a drop off in .gov and .mil (Score:1)
Theft? (Score:2)
Re: (Score:2)
Great way to win the trust of their users... (Score:1)
TOO BAD (Score:1)
And WHO issues these warrants?
One of the reasons I don't use Google services. I don't recognize the 'ECPA search warrant'. the only warrant I recognize is a bonafide court issud warrant, issued by a bonafide seated judge. Anything else does not exist, and all access is denied.
Weasel words... (Score:2)
He doesn't explicitly say that Google doesn't produce content in Gmail without that warrant. Just that warrant compels them.
I'd be happy if he said "Google never produces content in Gmail without receiving a valid ECPA search warrant first"
Of course an NSL is the trump card...
Privacy? (Score:2)
Re: (Score:2)
One could argue this isn't really about protecting your private data - it's just one of the times that Google's interest and yours align.
I.e., if Gmail started giving access to your email, then it devalues Gmail's service to that of other free email providers like hotmail and such - disposable email and spam box. Google doesn't want that because they get more analy
Google privacy in a nutshell (Score:2)
Yes, we're raping it 10% more times a day, but we're allowing a lot more content through.
The headline is a lie (Score:1)
Requirements from US's agencies done under PATRIOT Act are never accounted for on Google's Transparency Report, because they are issued along with gag orders. Google has never revealed how many of this did they fulfil, nor they do it now.
Cyrus Farivar's article on Ars Technica doesn't even mention PATRIOT Act, for a start - and when it refers to the break down of legal request types, we are linked to a Google page that breaks them down to three types - subpoenas, ECPA and other. Once again, PATRIOT Act re