See my post about distributed filing systems for more information. My analogy was just that, and isn't perfect.
The problem with this ruling is it's forcing Google to make huge technical changes to their infrastructure. I'm talking Billions of dollars worth here. At best, Google can spend a couple million to put in hacks and treat the person under investigation as a special snowflake. Except, if those hacks do involve moving data out of say the EU, then Google just broke EU law. Especially since, everyone but this judge believes ordering Google to move things so the Feds can get it is a seizure.
Even ignoring the dubious international legality, the US really doesn't want to be known for having courts that can force company's to completely restructure their internal organization on a whim. The cost to implement the court order means this will be fought as long as possible. If Google loses, then this is additional (not codified) regulation international companies will be wary of when dealing with US markets.
Google is a major contributor to distributed file system development. These are things that look like one "disk" to anyone accessing it, but are based on man hard drives running on many different computers.
These systems are "intelligent". So if I were in Japan, it would see that and slowly move my data over to an Asian data center. Because, that way I'm not waiting for signals to travel halfway across the world and back again every time I want to read an E-mail.
Here's a more likely example: Someone in Japan sends me (in the US) an E-mail. Google recieves that E-mail at their Asian data center, but knows I'm in the US. So, whenever I read that E-mail, or if the US data center has extra space and Google have spare bandwidth, Google will transfer it over to the US.
Managing such a system has to be a huge effort. To find where a specific file is, they have to: find all the data blocks, map those blocks to actual disks/machines, and find out where those machines are. The best part is there are multiple copies of each block, so if a machine dies it doesn't take data with it. Then, 5 minutes later the system could shift and move all that data overseas.
The tools just aren't designed to say that this file must be on this machine. The way Google dealt with China was just setting up an entirely separate network. That is why orders like this, or the possibility of the EU requiring all data to be stored within it's borders scares Google so much. They'd go from one distributed fault tolerant network, to a bunch of small vulnerable networks.
The best way to think about this is if Microsoft and Google were letter carriers that store copies in filing cabinets.
Microsoft keeps their letters all in one place per client. Meanwhile, Google says shipping is cheap and puts the letters wherever they have free space. The court order is telling google to ship the letters to the US so the FBI can then seize it.
If the filing cabinets are in the US, then the US can easily get to them. If they're in a foreign country, then you need a foreign country's permission to get to their filing cabinets. Countries don't take it lightly when foreigners raid their businesses. It's that whole sovereign nation thing.
The only time this analogy breaks down is in the US you don't actually need a warrant to get old E-Mails. As far as US law is concerned, if those E-Mails have been sitting in the filing cabinets for long enough they're considered "abandoned." Microsoft and Google aren't exactly going to say that the US can do this though. In addition to the business loss, widely publicizing this government over reach jeopardizes multiple treaties these companies rely on.
Nope, they'd need an Irish search warrant. It's private customer communications, that are protected by EU law.
The interesting part about this case is that the EU and US have procedures especially designed for just that scenario. Except, in the US E-Mails are considered "abandoned" after a time so they don't need a warrant to force MS to turn them over. The EU and most of the world see this as crazy, and want to see actual probable cause first.
Yes, I realize the US law that declares E-Mail to be "abandoned" seems to violates the 4th amendment. Funnily enough, US law enforcement doesn't really care about that...
Umm, you know that Congress is the DC government right? Every single thing a normal city council or state legislature does is handled by congress.
The best part is, DC doesn't even get a vote. If you live in DC you don't even get to vote in the US presidential elections. There's a reason why Washington DC has license plates saying "Taxation without representation." It's not a joke, it's a sad reality.
> If Microsoft were to lose this fight they'd lose much of their overseas cloud hosting business.
It's much worse than that. Currently most country's (including the EU*) laws lets US companies do business as long as they keep data in country. If Microsoft lost this fight it would be a perfect excuse to kick all US companies out.
Keep in mind, that cording to Irish/EU data privacy laws Microsoft can not legally share that data with law enforcement without an Irish warrant. Meaning, the US is trying to force Microsoft to violate Irish/EU law.
*EU has a data sharing agreement that says US companies can keep EU data in the US, but if this court decision went the other way it would probably have been canceled.
No, because the SSL key is separate from E-Mail encryption.
SSL keys are used to secure communication between machines. In the case of encrypted E-Mail that's the "To" "From" and "Subject" fields that aren't encrypted. So, the metadata.
The thing about SSL keys is that they prove that a site is who it says it is. They're the reason we trust the green lock icon in our browser. If a website lost one, they could just get another. It would be a bit of a hassle, but isn't too big of a deal.
We only worry when an adversary has those keys. Then they can sniff traffic, or even pretend to be the website to get the e-mail encryption key.
That they cooperate with law enforcement as legally required, but don't hire informants.
At the least I expect them to fire the employee. I also expect them to try whatever legal wrangling they can to ferret out all the other informants and fire them as well.
It's a huge black eye to the company. They've always been known to be scummy as far as pricing and diagnosing issues goes. If they're also associated with the FBI to this extent they may lose even more business.
On a minor side note, if the informant's name's been revealed I doubt he'll be able to get work in a technical field outside of law enforcement or government contractor.
Plus, the embedded and process control people are still new to this whole "security" thing. Stuxnet and the IOT security disaster should be proof enough of that.
No really, I'll bet you good money that if you go to any large plant or refinery and hook into a data bus you'll see large amounts of un-encrypted traffic. That's the data keeping machines and tanks from exploding.
> Example, the Telephone poles and the underground pipes that handle the cabling are public property.
Umm, the entire fight about the one touch make ready legislation is the telephone poles **are not** public property. They are owned by the telcos. Who make it as difficult as possible for a potential competitor to use them.
If you're suggesting that the government should use eminent domain to forcibly purchase vital public resources to allow competition, then I agree. Combine that with one touch make ready rules and competition becomes possible.
> But, do you want to have the government get access to the birth certificate you have stored in your bank safe deposit box because someone who rents one on the other side of the vault MIGHT be storing marijuana in it?
If I were a company using one of these products I'd be rather unhappy.
Businesses, especially ones large enough to have this software, tend like stability and abhor risk. Especially in core infrastructure.
It's why they're willing to pay so much money to Oracle for something that free products do just as well. Corporate inertia means they're not willing to face the possibility of breakage when moving to a new back end.
PwC is relying on their products being so complicated and integral to companies that no one will switch. Unfortunately, they're probably correct. However, this may prevent new businesses from using their software. Plus, companies will implement stopgap measures, like stopping using the fancy features of the software that requires extra connectivity. Not a good way to keep customers in the long run.
The trick is to explain to the CFO that hacks to such a system don't just mean theft. If they understand that an SAP system hack means potential securities fraud they start paying attention.
These devices are meant to be used by smartphones away from home, but the manufacturers don't want to pay for infrastructure. Home routers have a feature, called UPNP, to allow devices to punch through the Network Address Translation (NAT) layer and become accessible to the public internet. These devices use that feature.
Turning off UPNP will not protect you if someone is close to your house in person, but will prevent the attacks talked about in the article.
It's actually worse than that. The EU has, historically, relaxed it's privacy protections when dealing with US companies. The NSA leaks have caused them to now lean towards a "all EU data must be on EU soil" policy.
The big problem with this lawsuit is the data is on EU soil, but the US wants access to it without going through the EU. If the US wins the EU may go one step further and everything to be under the control of an EU company. A company that the US can not compel to divulge data.
This actually wouldn't be too big of a deal for Microsoft and other big companies. Sure it wouldn't be easy, but they'd basically set up subsidiaries in the EU to deal with it. The problem is any US company that stores user data would be required to have an EU subsidiary with at least one employee. Not exactly easy for things like a one man startup.