Microsoft lawyer prepares to take on US government (theguardian.com)
107 points by ghosh on Dec 15, 2014 | hide | past | favorite | 27 comments



If these companies, whether it's Microsoft, Google, or others, encrypted as much of their services as possible, end-to-end, without them having the ability to decrypt that data, this wouldn't be such an issue, because the US gov can't legally force the companies to decrypt what they can't decrypt.

Countries such as Russia, China, Brazil and others would also have less of an argument when demanding these companies build their data centers locally "to make sure their citizens' data isn't given to the US government".

But companies like Microsoft and Google want to have their cake and eat it, too. They'd rather keep their ability to have full access to our most intimate conversations, while at the same time take on the might of an unaccountable and out of control US government to limit its access to our emails and chats. Good luck with that.

The more advanced surveillance technologies private companies build to track their users, the more irresistible the access to that data will be to the government, and the more they'll want it. So the solution is to make that data useless for them. If it's encrypted and nobody but the users can access it, then they'll be much less interested in trying to get the companies to give them the data.

One more thing that people shouldn't forget when they see this "freedom fighting Microsoft". Microsoft voluntarily built backdoor technology for Skype years before it purchased it.

http://www.computerworld.com/article/2509604/data-privacy/mi...

http://venturebeat.com/2013/05/20/busted-microsoft-intercept...


They want access to our conversations because we demand features that require this. As a user, I want to type in "from:priyanka secluded beach" and get the exact message I was thinking of. And I don't want to bother handling my own encryption keys.

It's simply not possible to accomplish this without Google having access to my email.


I am not aware of anything proving that.

It might indeed be possible to construct a (homomorphic-encryption-based? Some curve with pairings? Some form of encrypted Bloom filter in a tree?) indexed storage that an untrusted service can store and only a trusted client with a key can search or access. (How practical that is, and what the service can learn from access pattern metadata, is another question entirely. Frontloading onto clients may actually be more amenable in practice.)

Key handling is primarily a UX problem (and a big one), but is also not insoluble, or at least, not harder than bloody passwords.

It may be tricky, but I am not entirely convinced it is impossible.

However, to address the grandparent's point: Lavabit provides some evidence that US authorities perhaps can compel an uncooperative provider in this scenario to backdoor their software, allow their service to be impersonated, or some other facilitation if they cannot access contents in a service as designed - at the very least, if it is not already available, there are legislative and pre-legislative pushes in the US and UK for that capability to be made available to nation-state adversaries in the future, although it's unclear if that'll come to fruition - hopefully not, but get ready for a fight on that in the future. (iOS-related correspondence from FBI; the so-called "snoopers' charter" over here.)
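The "indexed storage that an untrusted service can store and only a trusted client with a key can search" idea above, as an added example that is not from the thread: the client derives an HMAC token per keyword under a key the server never sees, the server stores tokens beside opaque ciphertexts, and a conjunctive query like "from:priyanka secluded beach" is answered by client-side intersection. All class and function names are constructed for this example; keyword extraction and body encryption are assumed to happen client-side before upload, so the ciphertexts here are placeholder bytes. The server's query log shows the access-pattern leakage the comment flags: it still learns which tokens repeat and how many documents each one hits.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

class UntrustedServer:
    # Holds HMAC tokens and opaque ciphertexts; never sees a key or a keyword.
    def __init__(self):
        self.index = defaultdict(list)  # token -> [doc_id]
        self.blobs = {}                 # doc_id -> ciphertext (placeholder bytes here)
        self.query_log = []             # what the server observes per query
    def store(self, doc_id, ciphertext, tokens):
        self.blobs[doc_id] = ciphertext
        for token in tokens:
            self.index[token].append(doc_id)
    def search(self, token):
        hits = list(self.index.get(token, []))
        # Access-pattern leakage: token reuse and hit counts stay visible to the server
        self.query_log.append((token.hex(), len(hits)))
        return hits

class TrustedClient:
    # Derives keyword tokens locally; the key never leaves the client.
    def __init__(self, server, key=None):
        self.server = server
        self.key = key if key is not None else secrets.token_bytes(32)
    def _token(self, word):
        # Deterministic per (key, word) so queries match stored tokens;
        # without the key a token reveals nothing about the keyword.
        return hmac.new(self.key, b"index|" + word.lower().encode(), hashlib.sha256).digest()

    def put(self, doc_id, ciphertext, words):
        # Assumed: keywords were extracted and the body encrypted client-side before upload.
        self.server.store(doc_id, ciphertext, {self._token(w) for w in words})

    def find(self, word):
        return self.server.search(self._token(word))
    def find_all(self, words):
        # Conjunctive query ("from:priyanka secluded beach") by client-side intersection
        hits = [set(self.find(w)) for w in words]
        return sorted(set.intersection(*hits)) if hits else []

def demo():
    # Constructed sample mailbox: three messages with client-extracted keywords
    server = UntrustedServer()
    alice = TrustedClient(server)
    alice.put("m1", b"<ciphertext-1>", ["from:priyanka", "secluded", "beach"])
    alice.put("m2", b"<ciphertext-2>", ["from:bob", "meeting"])
    alice.put("m3", b"<ciphertext-3>", ["from:priyanka", "lunch"])
    return server, alice
```

A second client holding a different key gets no hits for the same words, which is the whole point; padding result counts or using an oblivious structure would be needed to hide the hit counts the log exposes.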


Let me point out the key line of my comment: And I don't want to bother handling my own encryption keys.

The proof is quite simple. If I don't have my own keys I have no information the NSA lacks. Thus, they can only access the same information I can.

Homomorphic encryption would theoretically allow Google to do encrypted indexing, but I still need to handle my keys to construct the query. It's also mainly theoretical at this point, though I am eager to see it built for real.


There's no reason that handling your own keys has to be something that you, personally, have to bother with. Just because you don't interact with the key handling doesn't mean it can't happen in a safe and secure environment on your local machine. Yes there are plenty of implementation concerns, but that doesn't mean they're insurmountable. It's so possible, in fact, that ongoing work is happening in exactly this space. See https://code.google.com/p/end-to-end/ for example.


>because the US gov can't legally force the companies to decrypt what they can't decrypt.

I can't speak as to whether this is illegal, but the US government definitely forces companies to put in ways to capture data that's supposed to be encrypted - look at Lavabit as an example.


> If these companies, whether it's Microsoft, Google, or others, encrypted as much of their services as possible, end-to-end, without them having the ability to decrypt that data, this wouldn't be such an issue, because the US gov can't legally force the companies to decrypt what they can't decrypt.

That's possible for some, but not for all services. For example you can have a personal online storage that's encrypted, but you can't have an online store that's encrypted where you can easily share files with somebody else who can see the files in a web browser. Or collaborative document editing. You can't easily and without end-user involvement have an end-to-end encrypted mail service etc.


If the document is shared with select people, you can still use encryption to share keys. If it's shared with anyone with a link, you have very little to stand on to say it's protected by the 4th amendment in the first place.


If that's true, it's also true that it's reasonable to access someone's bank account with a SQL injection, since those are just different kinds of links.


I'm not sure I follow. I'm thinking of a Google Docs link where anyone can access the document if they know the URL. How is that like an SQL injection?


Often times, part of a URL is fed directly into a database. Tweaking this part is how you do SQL injection, which then gives you access to documents you weren't originally authorized for.

It sounded like Thomas's point was that if you base legal claims off of the mere fact that URLs are used, then you must consider all types of URLs. One type of URL is a kind that performs SQL injection, which gives you access to unexpected documents, which is already quite illegal.

Such URLs are fundamentally accessible by anyone. (Anyone can type any URL into any browser, so hypothetically one could inject SQL by accident and end up with an unauthorized document.) So if you consider URLs enough to determine whether a document is protected, it must be true that many private digital documents on the planet are in fact public, because many private documents are vulnerable to SQL injection.
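An added illustration of the mechanism described in this reply (not code from the thread): a document lookup that splices the URL's `id` parameter straight into SQL, beside a parameterized version that also checks ownership. The sqlite schema, the `example.invalid` host and all function names are constructed for this example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

def make_db():
    # Constructed sample: two private documents belonging to different users
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id TEXT PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", [
        ("a1b2", "alice", "alice's private notes"),
        ("c3d4", "bob", "bob's private notes"),
    ])
    return conn

def doc_id_from_url(url):
    # The part of the URL that ends up in the database query
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def fetch_vulnerable(conn, url):
    # Defect on purpose: the parameter becomes part of the SQL text, so a value
    # containing quote characters changes the query's structure, not just its data.
    doc_id = doc_id_from_url(url)
    sql = f"SELECT id, owner FROM docs WHERE id = '{doc_id}'"
    return conn.execute(sql).fetchall()

def fetch_hardened(conn, url, requester):
    # Parameter binding keeps the value out of the query structure, and the
    # owner check enforces authorization independently of who knows the link.
    doc_id = doc_id_from_url(url)
    return conn.execute(
        "SELECT id, owner FROM docs WHERE id = ? AND owner = ?", (doc_id, requester)
    ).fetchall()
```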


That's why I specifically mentioned web browsers. That implies the key is on the server or sent to the server and thus it's possible to intercept or recover it. You need a trusted client on the end users device and the key must never be passed to the server to be considered secure.


> the US gov can't legally force the companies to decrypt what they can't decrypt.

No, but they can compel the companies to disable their encryption. And the latest 'wide net' sorts of court orders disable it for many more people than just a 'few.'

As with most things, once a business starts arguing with the government about what they can and cannot do, it is going to be very expensive for the business. Potentially disastrously so.


A lot of people seem to believe Microsoft has a moral obligation to protect humanity here and that because they didn't protest before, they shouldn't be supported. I completely disagree with both of those sentiments.

Microsoft has an obligation to stay in business; it will protect its users so that they don't go elsewhere. That's pretty much it. The US Government has begun to clash with this core objective and so Microsoft is fighting back. This is good for everyone, regardless of the profit motive behind it.


For once money will motivate a corporation (Microsoft this time) to fight for us, and not just give away all of our private personal data any time the government asks for it. We have Edward Snowden to thank for this.

I hope Microsoft wins; but the government pretty much always gets their way (one way or another).


The fact that profit is motivating Microsoft to do this is an accident. A good one, but still an accident.


Shh, why are you letting the US government know before he's ready? They might be reading Hacker News!


The company that forces its customers (WP) to upload all of their contacts and calendar entries without their knowledge or explicit consent to their "cloud" is fighting for privacy? Wow.


They're not fighting for privacy. They're fighting for the competitive advantage of being able to say 'Our servers are in Europe and so subject to European data protection laws instead of US ones'. That sort of thing matters to a lot of European users, especially government ones. But so far, the US govt is refusing to recognise that a server in Ireland is outside of their jurisdiction.

tldr: They're doing this for business reasons.


I'd say marketing reasons, but yeah, that's what I meant as well.


Also, the company that runs Skype, which is known to have devolved its network infrastructure to centralize more and give the NSA an immediate and free back door to all communications over it.


As a German I'm slightly confused by the use of the word "Stadtpolizei". Other than being kinda longish and looking German, the meaning seems to vary by context and I'm not sure it is being used as a correct analogy here.

Stadtpolizei in most parts[0] of Germany seems to be mostly synonymous with the Ordnungsamt (in either case, it's a communal agency, it's not standardized on a federal level) and thus concerned with Ordnungswidrigkeiten, i.e. various misdemeanors and traffic violations.

The case over which the warrant against Microsoft was issued seems to involve charges of drug trafficking and money laundering. As far as I know, this would involve the Kriminalpolizei.

I realize that using German words verbatim can spice up dry articles like this, but this article doesn't really benefit from it and the author seems to be confused about what they actually mean.

[0]: In Frankfurt in particular, the Stadtpolizei is merely part of the Ordnungsamt. Here's the (German) website describing Frankfurt's Stadtpolizei: https://www.frankfurt.de/sixcms/detail.php?id=2943&_ffmpar%5... -- obviously drug trafficking and money laundering are outside their scope, but I even doubt that the "press leak" in the example would be within their scope.


It's probably a botched allusion to the Geheime Staatspolizei.


On the one hand, Microsoft hands over other people's mail to the NSA but, when asked to hand over their own mail, they fight for the rights of free people everywhere.

Hiding your mail overseas does not change anything and I don't see how Microsoft has a case.


'Now he is spearheading Microsoft’s fight against US government demands for access to emails from a Microsoft customer which are currently sitting on a server in Dublin, Ireland, as part of a narcotics investigation. Earlier this year, a US court ruled that Microsoft should hand the data over. Microsoft declined to comply, voluntarily entering into contempt.'

If you're not gonna read the article, maybe don't post about how terrible they are? Refusing to hand over other people's mail is exactly what they're doing here.



All they want is for people to be lulled into a trusting mentality, so that they can continue to shovel our private information to the NSA. If they had some sort of fundamental moral concern about these issues, their trigger would have fired during the first round of collusion.

This is just the latest iteration of "reform" to paper over the fact that it's the public against Washington + Wall Street.



