I wish we pushed for a law that said you can only serve a warrant for a data request to the person whose data you want. I think from a human rights principle it makes the most sense. The only reason the government can take it from third parties that store our data for us is because it's "easier" for them to do that, and because there hasn't been enough pushback against it.
Imagine if the government said "hey, that money in your bank account, we can just automatically take our taxes from it, because we're not really taking it from you, we're just taking it from the bank." Probably not the most accurate analogy, but I think you see where I'm going with this.
Since the ruling that invalidated Safe Harbor, Microsoft has been pushing for laws and agreements between nations that say law enforcement shouldn't be coming to Microsoft (as a cloud service provider) with a warrant for data requests, but to their corporate customers. So for instance, if FastMail uses the Azure cloud service, they're saying that if the government wants access to a user's data, they shouldn't be going to Microsoft but to FastMail with the warrant.
It's a small improvement, but Microsoft and all of the other companies should be pushing so this works for all of their customers, not just the corporate ones. It's exactly the same principle, but Microsoft just takes the easier way out here, because that still gets them off the hook, and it's really what they care most about. The corporations (even if they are "people") shouldn't be having more rights than actual people.
> Imagine if the government said "hey, that money in your bank account, we can just automatically take our taxes from it, because we're not really taking it from you, we're just taking it from the bank."
That's exactly the logic used to justify civil asset forfeiture. There was a link on here two months ago showing that the assets seized were more than all burglaries in 2014: https://news.ycombinator.com/item?id=10591250 .
Unfortunately there is a flip-side to that: How do you investigate or prosecute a company (for, say, fraudulent billing) when they insist that you need a million individual warrants to prove your case?
Thanks, most privacy activists conveniently forget this argument. In most cases, the absolute approach taken by most privacy activists ends up hurting Students/Patients/Customers etc. since Universities/Hospitals & Insurers/Companies cite privacy laws to escape from the burden of accountability. At the same time the entities are free to mine their own data under guise of "Performance enhancement".
Essentially stringent privacy laws often have adverse effect where activities that might be of public benefit Research on Rare diseases/Teacher Accountability/Class action lawsuits are curtailed.
"hey, that money in your bank account, we can just automatically take our taxes from it, because we're not really taking it from you, we're just taking it from the bank."
>> You are clearly not familiar with how IRS functions. IRS can and often times does automatically freeze bank accounts if they suspect tax evasion.[1]
The reality is that when it comes to user data the analogy is even weaker, since most user data is transactional in nature. Hence both parties can assert their rights. This is particularly of importance in medical data. Where there are no laws that assure patients of his ownership of his own data.[2]
In reality when it comes to information/data the ownership argument is on a shaky legal grounds. And in some cases data ownership might be counterproductive.
> I wish we pushed for a law that said you can only serve a warrant for a data request to the person whose data you want
Among the potential problems with such a solution is that it gives the government the imperative to adjudicate the "ultimate owner" of data. It will not always be obvious, and when it's not, it can surely be decided in such a way that tramples, rather than bolsters, individual rights over data.
It's an amazing racket, the art of making criminals out of ordinary citizens, a racket the US government has got down pat. I have to really hand it to them. When the country and the world no longer requires their existence, they keep coming up with faux reasons for continuing to exist, faux reasons for arresting, torturing, and murdering innocent people, faux reasons to continue to get funding and hurt more innocent people.
You'd almost think that this country no longer has problems (at least none it wants to solve so poverty, justice, racism, education, healthcare, etc. are out), that government's new role is to create problems simply so it can solve them all while making money in the process and justifying its unconstitutional existence. Then you'd be right.
>"The mere existence of the "police state" anywhere is the sure sign of old arrangements being propped up by newer forms that have already rendered the older forms irrelevant."
-Take Today: The Executive as Dropout, Marshall McLuhan
Lavabit didn't refuse requests --- he had apparently been responsive to others --- until the Snowden incident, where his refusal cost all its users their privacy in a futile effort to preserve one user's privacy.
In a sense, yes. One of Lavabit's failings is that they didn't design for scope-limited disclosure. When the FBI demanded their certs, it exposed all their users.
Don't overthink it. The failure of Lavabit was designing a system that enabled disclosure at all. It wasn't end-to-end encrypted; its users had to trust its operators, which, because operators can always be coerced, is never safe.
He had to give up other peoples' privacy, as well.
The alternative (that the FBI demanded until he started playing childish games) was actually only handing over Snowden's mails.
Which, to be clear, would still have been a disaster for Lavabit! It's not my suggestion that he should have gone along with the FBI and then continued to run the service.
But had he complied, as he was legally obligated to do, with the FBI, he could have immediately and gracefully shuttered the service without having given up the TLS keys that unlocked all communications to the site.
I've always presumed that ALL of my online activities are visible to the government or other nosy parties. I do stupid things sometimes, but not really stupid.
I've always countered with "So, you'd be okay if a government agent was watching you have sex with your wife? Every time it happened? For the next 10 years?"
You're doing nothing wrong, nothing bad will come of it, but that question always brings that awkward pause: that realization that "wait a second, privacy IS important even if I'm not doing anything wrong."
As a side note, people hide things from other people all the time. That's what people do. None of us would like it if all of our insecurities, resentments, any negative thought were exposed to others. In my opinion, those who say they have nothing to hide, are either profoundly ignorant of their selves, or simply lying to themselves and others, i.e. my job depends on me believing and extolling this untruth.
To which I would ask "Under what circumstances would the government pay a federal agent to watch me have sex for the next 10 years?" This and the similar comparisons that I often see raised in response to the "I have nothing to hide" argument are ridiculous hypotheticals that are raised without taking into account who is violating the subject's privacy and why. When someone says "I have nothing to hide" it's generally short for "I have committed no crimes and I trust law enforcement officials to a) only invade someone's privacy when they have reasonable grounds (implying that they got a warrant); and b) use any data collected only in pursuit of actual criminal investigations (e.g. they're not going to steal my credit cards and broadcast naked pictures all over the internet).
If you're going to change people's minds with that argument, you need to be able to demonstrate that people's data is being routinely searched without just cause and/or police are routinely abusing the fruits of those searches.
> "Under what circumstances would the government pay a federal agent to watch me have sex for the next 10 years?"
When the federal agent is abusing her or his authority, of course. This point can then serve to to bring up deeper research which illustrate that this "ridiculous" hypothetical is a stone's throw away from what has already happened, and what may be happening now. Such as:
The first step of persuasion is describing how the problem for the many is a problem for the individual, i.e. the other party. People are less inclined to read more into things ( or listen to a longer explanation) if they don't see an immediate personal stake. "God, this guy keeps on talking. The NSA is listening in to ten million people's phone calls? Their email too? Well, that's their problem! I haven't done anything wrong!"
> "I have nothing to hide" it's generally short for...
The statement I intended to castigate was "I don't have anything to hide, so I don't care if they spy on me". I did not clearly elucidate that in my original response and instead shortened the statement to "I have nothing to hide", which was a mistake.
"I have nothing to hide" by itself is indeed shorthand that can be said in some contexts without reflecting badly on its speaker. But in discussions about government abuses/ovverreach in which there is ample evidence that law enforcement officials have been untrustworthy, the "so I don't care if they spy on me" indicates some self-delusion.
There's a huge difference between those links and showing systemic abuse. When I actually go and read the stories behind your links, what you state is that 13 people in 10 years abusing their position at the NSA to spy on their significant others (and subsequently being fired, resigning or being relieved of their positions[1]) is a stone's throw away from having a federal agent being assigned to watch me personally have intercourse. This says to me that the average American should be about as worried about being spied on by the NSA as they are worried about being struck by lightning on a clear day. The odds might go up slightly if they had a jealous ex working at the NSA.
I have better odds of getting shot by a government agent than being spied on, and I generally manage to get through my day without worrying that I'll die at the hands of the US government. I think that's probably the biggest reason that so few people outside of HN/Reddit/etc. care about Snowden leaks. I can find plenty of people that are upset about police brutality, and there's lots of discussion about implementing body cameras, discrimination in law enforcement, etc. because I can find new, documented evidence of someone getting shot by a cop every other week. It's still not at the level where I worry that I'm going to get shot by a cop. Snowden showed potential for abuse, not actual abuse. That's why "I have nothing to hide" persists.
I'm not sure that's the best way to counter the quite common "I don't have anything to hide so I don't care if they spy on me" reaction.
As the other reply to your comment shows, many would say that it's very unlikely a government agent would bother or want to watch them having sex.
I usually counter by reminding them that it's not just about them - it's about journalists, whistleblowers, lawyers, judges, activists, politicians, etc. Should the government be able to access their communications and track their online activities? People generally understand why that is a bad thing. While everybody absolutely should be worried that their personal online activities are being tracked, it seems like that's a harder sell.
> I've always countered with "So, you'd be okay if a government agent was watching you have sex with your wife? Every time it happened? For the next 10 years?"
That actually wouldn't bother me at all. I'd kind of feel sorry for them, though. Neither of us is a trained actor/actress for that sort of thing, and we're not in prime shape, either.
It sounds to me like an acknowledgement that defending yourself against all possible vectors a determined attacker could take to obtain your data is a lot more work than just being a bit careful about what you say and do online. I'm not saying that's a desirable situation.
(2) There will never, ever be guaranteed privacy or security as long as you continue to use other people's equipment and network. Using the internet expecting privacy is like continually saying, "I'm going to have sex with everyone and going to complain about the people that have STD's."
> Using the internet expecting privacy is like continually saying, "I'm going to have sex with everyone and going to complain about the people that have STD's."
I don't think this comparison is apt. Comparing internet usage to having sex with strangers might be the equivalent of comparing <insert western world leader> to Adolf Hitler in politics. It's not completely wrong, but it certainly makes the discussion considerably more negative, and distort its the details: i.e. casual usage of the internet !== casual sex.
A better analogy for expecting privacy on the internet: I'm going to go to different places outside. Some of them will be completely public, where it's clear anything I say or do can be heard by other people. Other places have walls and give the impression of privacy: although I cannot tell if there are tiny holes in the wall that people can watch me through.
I expect, correctly or incorrectly, different people will know where I am and what I'm doing at a given moment. I also expect that no one person will know all of my day except for me.
>Using the internet expecting privacy is like continually saying, "I'm going to have sex with everyone and going to complain about the people that have STD's"
It's more like, no matter how careful you are to choose who you have sex with, there's no avoiding the STD risk when everybody has already been fucked by the NSA
There may be safer theoretical options (or very limited deployed ones). But our society is increasingly reliant on the centralized networks.
"Yes I'm on the internet but I don't use email, Facebook or any other service that you use, I only accept hand-crafted UDP packets on port 12345 to my static IP..."
But to your point, I think this has created a void that P2P protocols can fill, and I certainly look forward to more solutions that actively follow the Internet's original decentralized vision instead of "client-server-over-decentralized-network" that we have today.
I have little or nothing to hide, but I'm sufficiently informed to realize that people with a lot more political involvement than I have need a lot more privacy than I bother to create for myself.
Projecting one's own apathy onto the whole populace is irresponsible and destructive to everyone's freedom, whether they are direct participants in politics, or not.
They have bureaucracy and misguided projects and overreaching power but they do protect our national security. They aren't some evil corporation headed by a supervillain, they're full of people just like you and me.
...what? I'm sure there are plenty of other places for steady paychecks if that's what people are looking for. Also don't think 30k employees joined up so they could spy on their spouses.
The government isn't a bad thing, and neither is working for it. I really don't get this irrational fear and judgement.
again, what? Is this a defense of your original comment? I just said that people aren't doing it for the money because there are plenty of other places to work if it was just about a paycheck.
Imagine if the government said "hey, that money in your bank account, we can just automatically take our taxes from it, because we're not really taking it from you, we're just taking it from the bank." Probably not the most accurate analogy, but I think you see where I'm going with this.
Since the ruling that invalidated Safe Harbor, Microsoft has been pushing for laws and agreements between nations that say law enforcement shouldn't be coming to Microsoft (as a cloud service provider) with a warrant for data requests, but to their corporate customers. So for instance, if FastMail uses the Azure cloud service, they're saying that if the government wants access to a user's data, they shouldn't be going to Microsoft but to FastMail with the warrant.
It's a small improvement, but Microsoft and all of the other companies should be pushing so this works for all of their customers, not just the corporate ones. It's exactly the same principle, but Microsoft just takes the easier way out here, because that still gets them off the hook, and it's really what they care most about. The corporations (even if they are "people") shouldn't be having more rights than actual people.