On topic, collaborative docs with end to end encryption https://cryptpad.fr/ I use the Kanban app, it's so snappy. In comparison Trello is a bloated PoS.
Also on topic, the XMPP protocol is federated and supports E2E encryption via OMEMO aka "the signal protocol". Go create an account and get your friends into it. I use Dino on Debian and Conversations on Android. These two clients support all the "modern" features that WhatsApp does, including audio and video calls, in addition to niceties like public channels where you can meet new people outside your circle of friends. For providers, find one on https://providers.xmpp.net/. All of this is free software (although in the case of XMPP being federated you can't guarantee that your messages won't be routed through proprietary servers).
Not affiliated with either, I just LOVE those two.
> There is no “cloud,” just someone else's computer
The EFF are quoting Stallman now? I wonder if they're slowly coming to realize that yes, once again, Stallman was right.
There is only a single sentence about how this works with US-resident data and foreign intelligence or LE apparatus.
I'm under no illusion about the willingness of most corporations to hand over everything from subscriber info to content on a dime, but does anyone have any experience with specifics?
Especially pertinent to my question: what is to stop a member of a (non-sanctioned) foreign country (let's say not five eyes) from requesting data on a user of an American service "pursuant to a foreign investigation" (whatever that means)? Does it make a difference in practice if the user is an American resident, a resident of said foreign country, or a resident of a 3rd country altogether?
Example: a dissident launches a website and employs a registrar-provided domain privacy shield (these have notoriously vague guarantees of actual privacy). A "law enforcement officer" from country Xyz "subpoenas" the .com or .tld registry (hosted in the USA) and requests information about the owner of the domain. What happens next (in practice, not in theory)? Do some normally go through US intermediaries? Can American companies just refuse (consider both if the registrar/company has or doesn't have a physical presence in the foreign country in question)?
(Not exactly the same situation, but I was surprised that the FBI request to subpoena the identity of the hero behind the archive.tld service made the news [0]. I a) thought these were very much normal order-of-business things that would happen quietly behind the scenes, b) expected companies would roll over on this info without even a subpoena given the loose guarantees most registrars make about privacy, c) made me wonder if the specific registrars were selected for related reasons, and d) wondered about when and where it makes sense to avoid registering a domain with your real identity even if you use a privacy shield service. Also, I think most companies/registrars wouldn't even bother to notify their customers/users, regardless of whether a gag order was in place or not.)
[0]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
I don't know why the article says the recipient of a search warrant for stored communications can't challenge it prior to disclosure. They can, and often do, especially on the grounds of lack of particularity or undue burden. As an example, Google claims that of all search warrants received by them for user data in 2024, they disclosed data for 90% of them, not 100%.
I also feel like the article generally misrepresents the entire American legal system, since the system itself does not really prevent the cops from doing the bad things, but instead tries to say that the result of the bad thing cannot be used as evidence. So it really isn't structured to ensure that the cops can't get your voice mails. It is structured such that if the cops improperly accessed your voice mails that can't be used against you in court.
> It is structured such that if the cops improperly accessed your voice mails that can't be used against you in court
Yes, it's true that illegally obtained evidence can be excluded.
But warrants -- prior authorization -- are required for searches. The law is structured to prevent both use and gathering if improper. (Whether warrant practice is effective at prevention is another question.)
Posted this last month, definitely an informative set of data
https://transparencyreport.google.com/user-data/overview?use...
I've never even heard of a "super warrant"... until this article.
Sounds like just a layman's way of describing the enhanced Fourth Amendment restrictions case law has placed on live wiretaps.
I am not sure I have understood this fully.
Should not a query towards some provider about the online-data about some citizen be protected by the first amendment? In other words, if a search warrant would be required to enter a house, unless invited, why would this not apply to online data stored somewhere? There are only very few situations where a warrantless search may be conducted, e.g. such as when driving a car and a cop has an objective and reasonable suspicion. When the court system is no longer involved, it then means that people objectively have lost certain basic rights, freedoms and safeguards against any governmental overreach.
The courts view service providers as "third parties" and when you knowingly give them your data, the courts believe that it is no longer yours and is thereby not protected by the Fourth Amendment.
https://en.wikipedia.org/wiki/Third-party_doctrine
The "Third Party doctrine" is a blatantly unconstitutional power grab.
It was originally controversially applied to a person's transactions with a bank, and then absurdly extended to include anything anyone holds for someone else, even someone who is holding it for the purpose of providing secure storage.
> and then absurdly extended to include anything anyone holds for someone else, even someone who is holding it for the purpose of providing secure storage.
Was there actually a court ruling affirming this interpretation? Skimming the Wikipedia article, all the court cases have to do with metadata generated by the third party provider (e.g. cell site data or cryptocurrency transaction information). You can argue those should be protected as well, but it's not something like "someone who is holding it for the purpose of providing secure storage", like an email inbox or whatever.
Does it apply to safe-deposit boxes?
I'd not be surprised if that's exactly why those boxes always come with a keyhole that the renter has the only key for; the official process for "lost my keys" is paying the lock drilling and replacing fee stipulated in the rental agreement.
The crux of the issue is that, just like how you're free (if extremely ill-advised) to invite a cop to search your car or home without requiring a warrant from them, the companies are letting the cops search "their" information (about you) freely.
The companies are entirely within their rights to say "fuck off and get a warrant, you ghouls", but from their perspective, it's a lot easier to just hand it over.
Not just easier. But more profitable/lucrative, indirectly, and sometimes disturbingly, pretty directly.
The first amendment is not related. I think you are talking about the fourth amendment (protection from unreasonable searches and seizures). In this case the online data is stored by the provider, and there is no private location for which to obtain a warrant. The provider's database is not your private domicile. Legally, it is no different from a cop asking a store for footage from their cameras.
Of course, the claim is that it should not be considered this way, because it is bad for privacy. But the reasoning that led here is pretty comprehensible.
Legally, it is probably the case that the laws are just not written to satisfy those of us who want privacy, right? The “ubiquitous privatized surveillance” industry came about after our government lost the institutional capability to pass new laws that help people (around the turn of the century).
Given the analogy, I assume the provider can refuse to disclose information except under a warrant.
And that the client and provider can sign a contract forbidding the provider to disclose the information except under a warrant.
> I assume the provider can refuse
4A says "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" so I would think the provider of the service could consider their data to be "their papers/effects" but is the provider a member of "the people" if it's not a sole proprietor?
Yes, providers can absolutely deny requests that aren't lawful. A company is within its right to say the data is their property stored on company property and a warrant is required to search it.
They probably could refuse, but isn’t selling access to surveillance information about you part of their business model? As they say, “we value your privacy…”
If you don't pay for a service, you are the product.
If you pay for service you are a premium product. Even more useful private data for interested parties.
> In other words, if a search warrant would be required to enter a house, unless invited, why would this not apply to online data stored somewhere?
The government has long considered the 4th amendment to be a major hindrance. The only reason that they even seek a warrant to search your home or belongings is because the 4th amendment explicitly says
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated
I don't know the legal justification for excluding things like email metadata, but I imagine it goes like this:
> Your emails are not in your house, on your person, or are papers or effects. They are numbers stored in someone else's computer, and we only need the consent of someone else to get that information, which they will provide because they don't want to get on our bad side.
But the realistic reasoning is: the 4th amendment is a pain in the ass to law enforcement and they'd much rather it was never written at all, so they will cast whatever legal incantations are required to put a wall between your rights and your data.
Broadly speaking if the data is on someone else’s computer, it’s in their “house” for the purpose of the search.
Cracking open your phone might require a warrant. But basically every byte of data on it has come from your ISP and is backed up to Apple\Google etc. and those companies will let me search their computers for your data no questions asked (or for a nominal fee).
That’s how you sidestep the 4th amendment when it comes to tech in the modern age.
"Sidestep" : "violate" :: "po-tay-to" : "po-tah-to"
Where does search history fall in the table?
Search history is fair game with no warrant or notification requirements.
https://en.wikipedia.org/wiki/Third-party_doctrine
I just rotate my searches among 5 search engines now. They can never get the full picture lol
About a decade ago, there was outrage over just having access to metadata. Since then, the backdoor access has expanded. Now they have moved past metadata and on to content of your messages.
The public is largely unaware of just how much control third party governments give law enforcement. They can manipulate your search results to hide information from you or promote certain things they want to be presented to someone they are looking into.
If the historical basis of this access is being able to read the list of library books you check out, now it has expanded to controlling which books are recommended to you and they have the ability to control the content of the media you receive.
A common dismissal of this issue is that nothing can be accessed without court orders or a subpoena. It's important to remember that this is only really true if they intend to directly use the information obtained from you in a court proceeding. Oftentimes it is about information gathering on a target that is not meant to be used in court. Even then, they have endless ways of using a form of parallel construction to hide the source of the information. This also extends to data brokers, which have to work with the Government to continue operating. The same is true for app developers who want their apps to be listed on app stores. Or device manufacturers that want the ability to sell their products and pass FCC certifications...
In more serious cases, it extends to the concept of your identity itself. Law enforcement often will not hold itself accountable for violating the laws or your rights. Identity theft tied to online actions against you is not out of the question for them either. When it is taken this far, good luck reporting it and having it resolved.
The stuff they can do with the backdoors in YouTube, the advertising system, cloud document storage (LE can view your live work in cloud storage like Google Docs, etc... Imagine working on a lawsuit against someone watching you formulate your legal arguments)... It just goes on and on...
End rant
> Law enforcement often will not hold itself accountable for violating the laws or your rights
How naive and idealistic to write "often" in that sentence. Law enforcement will NEVER hold itself accountable. Law enforcement has been given carte blanche to violate every constitutional right Americans have. Policing at all levels has been corrupted by overzealous politicians and lobbyists of all shades of blue and red.
News like this causes "I Really Like the Cops" to start playing in the back of my head.
https://www.youtube.com/watch?v=sX_EHeCbMqc
The title should begin with "At minimum", I hope cops having access isn't a surprise, what might surprise is how other parties can too. In some cases, cops can't legally access the data but 3rd parties can, so cops get it through third party brokers.
Small example: Accurately correlating a phone number or IP address to the current real-time physical address.
Needs the “How” adding back to the beginning of the title
HN truncated it, unfortunately.
Sorry about that! Recapitated.
You can edit the title after submission, for some limited period of time. The HN auto-rewrite rules are only applied upon submission, not when editing the title subsequently. It's recommended to always check the title immediately after submission, and correct it if the auto-rewrite did the wrong thing.
Are we sure it did the wrong thing? If a rule was put in to remove an initial "How" then presumably TFA is a fine exemplar; I can't imagine such a rule having some majority of outcomes be somehow better than this one. If this was a bad outcome, then the rule itself needs to go, unless I'm missing some very different and more typical syntax that it's good for.
If the "how" of a situation is newsworthy, presumably the existence of the situation is as well, so the benefit of a more concise title isn't creating a major downside. On the other hand, I wouldn't consider the more verbose title a major downside either, so the adjustment isn't worth the potential issues.
As the submitter you can be the judge of whether it did the wrong thing, you don't have to agree with the auto-rewrite rules. I often don’t agree with them, but they are what they are, and I see it as my responsibility to adjust the title when necessary after submitting. So far I never had an edit reverted by moderation.
I agree with that completely. I'm just struggling to agree that what we see in this case is an edge case to be manually adjusted back, due to my inability to think of examples that we wouldn't see as having the exact same "wrong" nature. If virtually every application of this rule feels the same as this one, then leaving the adjustment in place (or abolishing the rule if possible) would be the more sensible outcome.
As with many things in life, rarely are you in a position to change the rules. You just have to find workarounds to get the desired results
Yes, but I'm accepting of this result, with no inclination to work around it, if this is actually considered good by the rule maker. If the rule maker would say "this instance is a poor outcome, but here are examples of the more-typical good outcomes" then in that scenario, the latter half of which I don't yet believe in but am interested to learn, I'm all for the workaround (manual edit).
Oh so that's why I like playing paper board games with friends in person so much!
Good to know. We are all not experts on the HN UI of course.
I hope they like porn, because I do.
The amount of LEO that are scarred every day by weird furry porn is my comfort in this life.
Why do you think they're scarred by it?
Here's a recent news article about Swedish politicians planning to make our cops synthesise CSAM, because they supposedly need it:
https://www.aftonbladet.se/nyheter/a/jQV959/polisens-nya-ver...
Isn't it the other way around? The police are asking permission to synthesize abuse images so they can pose as abusers in order to access forums of those actually perpetrating or encouraging abuse. The parallel given (I read it using Google Translate) is of posing as a drug dealer.
Seems reasonable to me?