Patriot Act Haunts Google Service

The Globe and Mail has an interesting piece taking a look at Google's latest headache, the US Government. Many people are suddenly deciding to spurn Google's services and applications because it opens up potential avenues of surveillance. "Some other organizations are banning Google's innovative tools outright to avoid the prospect of U.S. spooks combing through their data. Security experts say many firms are only just starting to realize the risks they assume by embracing Web-based collaborative tools hosted by a U.S. company, a problem even more acute in Canada where federal privacy rules are at odds with U.S. security measures."

Privacy is an illusion

[rbanzai]

The war over privacy in the U.S. was fought during the last eight years and common people lost. Nothing is secure. No information is out of reach of any government agency that decides it wants it, and there are no legal protections. Laws are in place now to make sure that our old image of privacy can never be restored, no matter what the current presidential candidates might claim. They don't us t have that privacy back because it does not serve their purpose.

The war was fought. We lost. I don't blame people from other nations for being concerned but if they haven't already lost privacy where they live they soon will, and it isn't coming back.

How did google get singled out?

[joeflies]

ever look at the kind of data stored in an online CRM, like salesforce.com? complete sales records, every email to every client, all the product defect issues. Maybe the SEC and the IRS may decide to look at raw data and not wait for the auditor report to come back.

Re:"Patriot" act

[Fjandr]

I think the problem is assuming that Congresscritters are patriotic on the whole or that they have any thoughts outside of ensuring their own re-election.

All they have to do is shout "Think of the children" or "We need this to fight terrorism" and the majority who have no interest in delving into the consequences of any given action will line up behind them like good little citizens.

Re:Privacy is an illusion

[tmosley]

Just remember that the American people have not yet begun to fight!

The only question is, WILL they fight?

Huh???

[LWATCDR]

While I am not one of the Google faithful I must say that your criticism is at best miss placed.
Google has fought when the US government wanted them to turn over customer records in the past. They do not seem to cooperate with the US government anymore than is required by law. Anytime you use a hosted service you loose some privacy. Once the data leaves your systems you have lost some privacy and control.

If you want to scream at Google for not living up to there "Don't be evil" line. I suggest that there following US laws it far less evil than their good relationship with China.

Tragically PGP is too hard to use

[sjbe]

Perfect time to consider PGP.

When you can figure out a way to make public key encryption so easy even my mother can use it I'll be happy to try. I'd love to use it but the person on the other end of the message has to be willing to try too. I haven't found anyone I correspond with yet willing to jump through the hoops required. Maybe you've had better luck than I have.

Never mind the fact that almost no one except serious geeks have even heard of, much less actually understands, public key encryption.

database =! security

[globaljustin]

the Mountain View, Calif.-based company will not discuss how often government agencies demand access to its customers' information or whether content on its new Web-based collaborative tools has been the subject of any reviews under the Patriot Act

Google isn't doing nearly enough to keeps its users informed about privacy issues. A press release saying "We're doing everything we can" isn't nearly good enough from the company that wants to organize all the world's information.

If anything, the federal law enforcement should be watching Google to ensure they aren't violating their user's privacy.

Part of me is hopeful that eventually the misguided people in government who think you can fight terrorism with a database will learn and change. Not everyone in the government is as evil as Bush/Rove/Cheney. If databases stopped terrorism, we wouldn't have had 9/11...at least one person on each of the 9/11 planes was on the terrorist watch list (in the database).

Re:Not good enough

[grcumb]

Spurning these services will mark you out for further surveillance straight away.

'Mark you out?' The fact of the matter is, everything we transmit outside of the firewall is subject to surveillance these days. And most companies have no clue how much of their data is crossing the firewall every day.

I don't know why people are getting their knickers in a knot over Google, when the main problem lies with the US backbone carriers, who - with only one known exception - have opened their networks to constant and widespread monitoring by US security agencies. Google at very least had the guts to fight a public legal battle with the Feds over release of even sanitised data.

The story here may be the danger to companies when they bring these companies inside the firewall, but again, refusing to trust Google is a funny place to start enforcing data integrity. The plain and simple fact is that the greatest threat of corporate data leaks is from staff who, whether through sins of omission or commission, carry sensitive data on laptops, thumb drives, CDs without any protections whatsoever.

I'd like to believe that data protection regimes are so advanced in these companies that the potential threat posed by Google and other online services is the main concern, but I find that impossible to do. I have to conclude, therefore that this is nothing more than a tiny kernel of truth wrapped in chocolatey FUD-ness that PHBs and corporate counsel love so much.

Re:"Patriot" act

[Sperbels]

All they have to do is shout "Think of the children" or "We need this to fight terrorism" and the majority who have no interest in delving into the consequences of any given action will line up behind them like good little citizens.

That'll only work for so long. Then they'll need a new boogey man to scare the shit out of everyone. It's almost amusing sometimes to watch old movies to see how our nation's top boogey man evolves... right now I'm thinking of Back to the Future. During that era, the boogey men were Libyans. They used to be Russians, and Germans/Japanese before that, and now it's Al Qaida. Is there ever a time when we don't single out someone as the enemy and use them as an excuse to gain more control of the domestic population? I guess I just hate freedom...don't listen to me.

Re:Not good enough

[Naughty Bob]

'Mark you out?' The fact of the matter is, everything we transmit outside of the firewall is subject to surveillance these days. And most companies have no clue how much of their data is crossing the firewall every day.

I was simply saying that boycotting something most people do raises a question mark against you as surely as more obvious, 'incriminating' behaviour. At least, it would if I was in charge.

Re:Not good enough

[grcumb]

I was simply saying that boycotting something most people do raises a question mark against you as surely as more obvious, 'incriminating' behaviour. At least, it would if I was in charge.

Point taken.

... And I'm really glad you're not in charge. 8^)

An example consequence

[Sara Chan]

From TFA:

For instance, a [university] researcher with a Middle Eastern name, researching anthrax or nuclear energy, might find himself denied entry to the United States....

It could be worse than that. He might be allowed to enter, and then be detained on the basis of Google-supplied information. Especially if he was not a Canadian citizen.

No rule of law with data hosted in the US

[farbles]

The trouble here is not Google, it is the fact there is no longer the rule of law with regards to data hosted in the United States. When the government can take any information they like from a server hosted in their country with no warrant, no notification, no nothing, then it's not law, it's criminal activity no matter who does it.

Here in Canada this has been a big deal now for the last couple of years. I've been at many IT meetings where tracking down what was hosted on US-based servers and removing it back to Canada has been on the agenda. We're not perfect here but we do have PIPEDA [privcom.gc.ca], the protection of privacy act, binding our ISPs. You need access to data, convince a judge and get a warrant. That's the rule of law.

That this US government data free-for-all has not been a big deal to American sysadmins has been a source of more than a little concern and confusion to us here north of the border. As long as there remains an Emperor in the White House rather than a President I guess there will be no movement on this.

Erased White House email, backups, and hard drives without penalty despite a legal court order? That's some government you guys have running there. You might want to do something about it.

Re:Time for google.ca?

[Gonoff]

annex The Great White North

Be very careful! Look what happened the last time the US fell out with Canada! http://en.wikipedia.org/wiki/Burning_of_Washington [wikipedia.org]

Re:"Patriot" act

[robertjw]

I think the problem is assuming that Congresscritters are patriotic on the whole or that they have any thoughts outside of ensuring their own re-election.

I really think most people in Congress try to do the right thing. A police state, in theory, is SAFER than a free society. If we all lived in a supermax prison, had our nutritional balanced meals fed to us every day, had a mandated exercise program, forced healthcare and bars on the door we'd probably all live a lot longer.

Problem is this country was based on liberty, but freedom comes with a lot of risk and responsibilities. When people are free to do what they want there are a certain segment that will abuse those freedoms by blowing up buildings or shooting people in college classrooms. Unfortunately, most people don't want to be free, they want to be safe, and Congress tries to do what the people want. Historically, this is how cultures survived. Rulers came to power because they could protect their citizens. Sure, they got rich and powerful in the process, but why shouldn't they. They were protecting their people.

The Patriot Act is just another method to keep people safe. Until the average Joe decides he would rather be free than safe, the oppression will continue.

Re:Not good enough

[dwalsh]

I don't know why people are getting their knickers in a knot over Google, when the main problem lies with the US backbone carriers, who - with only one known exception - have opened their networks to constant and widespread monitoring by US security agencies.

Who dat?

Ir surpasses understanding...

[John Hasler]

...why anyone would entrust any data of any importance at all, secret or not, to free services provided by an advertising agency. I can see using it to plan your frat party or organize Little League games, but using it for business?

Re:"Patriot" act

[Fjandr]

I quite agree. If there is no enemy, one will be invented. Like stereotypes, there's always some truth involved in making a particular group "the enemy," but that's just to make it plausible among the masses. No critical thought required to accept that some new group is Public Enemy #1.

Re:Tragically PGP is too hard to use

[Zatar]

It's not just hard to use, it's also ugly as hell. I thought about starting to use PGP again recently and just using it for digital signatures makes my email nearly unreadable never mind using actual encryption. Here's a nice one-line email:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey dude, how's it going?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFH6CrifPJd VEzW7qwRAs8fAKCSg8j qWO8zfHpIrNKJ zBtrHF54UwCfQWhO
lGZk7Ys4hl e1OqxyEuHn1EY=
=izSS
-----END PGP SIGNATURE-----

If I sent this it a non-geek they'd probably go WTF? and tell me my email program is broken.

It would need to be transparently integrated into all popular email programs so that no one actually needs to see the code in their inbox. An argument could be made that in the long run PGP has actually made the problem worse by allowing email vendors to punt on the concept of encryption and just tell users "if you want encryption use PGP" instead of having to develop an integrated solution that actually works well enough for mass adoption.

Are they just NOW figuring that out?

[erroneus]

I'm rather surprised more aggressive measures to circumvent US communications and all other paths of commerce and communications haven't been attempted. Wanna do warrantless wiretaps on foreigners? Fine. Watch the foreigners build new lines of communications that do not connect to the U.S. Wanna log, fingerprint, probe and scan all foreigners who happen to fly over or through the U.S.? Fine. Watch the foreigners start to build airports in Mexico and Canada to avoid U.S. soil. Wanna monitor and observe all foreign commerce through U.S. banks? You get the idea.

At some point, the rest of the world will tire of these policies and take step to make the U.S. less relevant.

we've seen this ourselves

[ddent]

First hand experience this is true:

We have several customers who have dedicated servers with us where one of their deciding factors in choosing us was that we can offer them service out of our Vancouver data centre.

In some cases this is not just a 'nice to have' feature. For some customers, putting their data in the US would be illegal - the patriot act is not compatible with our privacy laws.

Re:Time for google.ca?

[Albanach]

make Google a bank there and users account holders (with a zero balance of course)

Crazy idea. They should make all the account holders with a balance like their gmail quota. That way, I could sit all day with online banking open watching my balance increase!

Re:Not good enough

[rtb61]

I think you miss the point. Google a for profit corporation, is basically doing what those government agencies are doing and that everybody is complaining about. Really, which is worse a corporation with profit as it only goal (aside from the typical modern feel good marketing campaign), which will ultimately seek every competitive advantage in the pursuit of endless profit growth (censoring freedom and democracy in autocratic countries, no problem), or a government agency with public oversight, subject to independent audits and review.

Now the only public battle I saw between google and US agencies was, the very public battle that google fought so they did not have to give it away the valuable data they now own for free.

When it comes to securing a companies data, they of course mention the dominant provider of services, rather than rattling off a whole list. So why would any company allow external companies that also provide services to their competitors access to their companies data or their business communications. Whilst the certainly does put the carriers in the spot light and obviously require a complete review of their operations, it still makes google look far worse as they are the most infamous collectors and collators of other peoples information known on the net.

So really this is just the beginning, as privacy is catching up the the internet, and companies seek default secure communications and data enforced by law, so individuals will gain protection by those same laws, a major shift in privacy landscape, that google amongst many others will be forced to adjust to as the laws are updated.

Re:Only terrorists host files abroad!

[Metasquares]

Tangential, but I find that small groups of people can restore faith in humanity, while it generally takes the actions and behaviors of large groups to dash it.

Re:Huh???

[iminplaya]

Google has fought when the US government wanted them to turn over customer records in the past.

That's what we've been told...by Google. There's no way of knowing what they log, or what they hand over, while they supply plenty of dramatics to keep us distracted.

Re:No rule of law with data hosted in the US

[farbles]

No, I'm not confusing anything. Do a lookup on National Security Letters. Their power is greatly expanded under the Patriot Act. The upshot is if a high ranking FBI, CIA or Pentagon person or their designee wants some information, digital or physical, they can take it and not tell you about it for as long as they want. No judicial oversight and limited administrative oversight which has found that these "rules", as loose as they are, are still being broken lots of times. They can "sneak and peek" anything anytime.

Sure sounds like a free-for-all to me. Laws work differently than that.

About someone else's point about people and data bypassing the US, it is already happening. You'll never see that on US news though so try reading non-US newspapers and non-US news sources.

Re:"Patriot" act

[pimpimpim]

the standard phrase comes to mind:

you only want what they tell you to want

But really, you could decrease bombings, high-school shootings, and all of that shit, by not actively trying to destroy governments of foreign countries, and by instead spending that amount of money on fighting poverty and uneducation. People being too little educated as they are, they are easily convinced to believe the "let's invade and stop terrorism" stuff they are told.

As for "how cultures survived", I am not sure if you can give me the name of a culture that traded freedom for oppression that survived in a healthy way.

between government and a profit-seeking corporatio

[reiisi]

I'm looking at that question, and thinking, uhm, you know, lobbies?

Government is watched by whom?

Private, profit-seeking corporation is watched by whom?

I don't think there is a good alternative.

Re:This could work

[ScuzzMonkey]

I haven't looked at it lately, so maybe it's one of the expired provisions, but wasn't one of the more insidious problems with PATRIOT was that subpoenas issued under its auspices could not be revealed to anyone, or even the fact that they had been issued at all? Don't want those terrorists to know we're looking for 'em, after all.

That was really the most frightening part of the whole thing, although few people picked up on it (apparently--maybe those that did were just hustled off in the middle of the night and shot). With those provisions, we have absolutely no idea how often the act is being used or to what ends. Presumably the subpoenas you were issued weren't part of PATRIOT investigations, though.

Re:This could work

[theonetruekeebler]

I believe you were entirely within your rights to act as you did, Fyodor, but would be grateful if you'd take a moment to elaborate on why you chose your course of action.

From Securityfocus's account [securityfocus.com] and your own [seclists.org] it sounds like the FBI was trying to chase down a botnet that, as part of some process, downloaded Nmap 3.77. You emphasized that their requests were very narrowly crafted: a specific file requested via a specific user-agent within a specific five-minute window. It certainly didn't sound like a fishing expedition. If I had to guess, the requests were probably tied to the investigation of a specific criminal act or actor and they were trying to strengthen a case by establishing place-and-time.

My sleep-deprived analogy is this:

There's been a rash of burglaries recently where the perpetrators used a chainsaw to go straight through the side of the building. Yesterday morning a chainsaw burglary took place and the sheriff noticed a broken 16" Stihl chain near the hole. There was a second chainsaw burglary yesterday afternoon.

Meanwhile, you are the owner of Fyodor's Hardware, the busiest hardware store in three counties, and the tri-county area's only seller of Stihl chainsaws and accessories. You easily sell forty or fifty replacement chains a day.

So this morning the sheriff comes to you and asks if you sold or installed a 16" Stihl chain yesterday between 11:00 AM and 2:00 PM, and if so who did you sell it to. In fact, you sold ten, just like any other day.

Not a perfect analogy, I know, but seriously, what do you do? I mean, you could make him come back with a subpoena, but let's skip that step and get to the crux of the matter: You sold ten new 16" Stihl chains yesterday and it's the sheriff's opinion that one of them probably went to the chainsaw burglar. You, he and every defense attorney and Slashdotter all know there's always the chance the burglar got the chain somewhere else and that at least nine of your sales were to honest customers. If you tell the sheriff about all ten sales, to what extent (if any) have you violated the rights of all the non-criminal chain buyers? If on the other hand you refuse to cooperate, how do you justify the social cost of the continued burglaries against the rights of ordinary chain buyers?

I think it's an interesting dilemma. As I said, I certainly respect that you took a principled stand (or at least stayed slippery enough that you didn't have to), but not everything that law enforcement -- even the FBI -- does is a sinister conspiracy against civil liberties. Sometimes they really are just trying to catch a bad guy.

Re:Tragically PGP is too hard to use

[internic]

I can only say that I haven't had that happen. I've never even had anybody ask what it is, and this almost certainly includes people who know nothing about public key encryption. People are also probably used to superfluous attachments since, for example, email clients that send HTML emails usually send both an HTML and a plain text version together using MIME.