El Reg published today a story that gives California what only two other states currently have:
[A] law requiring police to obtain a warrant before searching phones, tablets, and other electronic devices, and accounts in cloud services, too.
Governor Jerry Brown on Thursday signed off the Electronic Communications Privacy Act (ECPA) to require a search warrant for electronic searches. The law means cops will now need to obtain a warrant from a judge in order to retrieve electronic information, including emails, texts, and locational data, on a device or from a hosted service provider.
"For too long, California's digital privacy laws have been stuck in the Dark Ages, leaving our personal emails, text messages, photos, and smartphones increasingly vulnerable to warrantless searches," said Senator Mark Leno (D-San Francisco), co-author of the bill.
"That ends today with the Governor's signature of CalECPA, a carefully crafted law that protects personal information of all Californians. The bill also ensures that law enforcement officials have the tools they need to continue to fight crime in the digital age."
More coverage by Wired and the Electronic Freedom Foundation.
No word, however, on what the state legislature will do about Stingray.
(Score: 3, Informative) by takyon on Saturday October 10 2015, @01:49AM
California cops, want to use a stingray? Get a warrant, governor says [arstechnica.com]
California and the U.S. are like different countries when it comes to privacy law.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1) by Francis on Saturday October 10 2015, @03:45AM
I think it's probably because of both Silicon Valley and Hollywood being in California. You've got a lot of people that have a lot of money and don't want the cops spying on them.
(Score: 0) by Anonymous Coward on Saturday October 10 2015, @01:56AM
In June of 2014, in Riley v. California [wikipedia.org] , the Supreme Court ruled [supremecourt.gov] that
(Score: 4, Interesting) by Runaway1956 on Saturday October 10 2015, @02:03AM
"“For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Leno said earlier this year. “This is nonsensical and violates the right to liberty and privacy that every Californian expects under the constitution.”"
I don't like California very much - but they do get some things right. This is one of those "right things".
The crazy thing is, a hand written note generally has no "protection" of any kind, other than it's location. If anyone can access it physically, then it's open to reading. On the other hand, files that are password protected and/or hosted offshore and/or encrypted and/or hidden within a hidden folder enjoy no protection whatsoever from the US and local governments? How in hell did the law get so crazy?
In effect, the more steps you take to keep data secret, the more determined government is to access it.
The only protection that they government has the slightest respect for, is locking your media inside of a safe. If it's located within a safe, then cops are required to get a warrant to open the safe. But then, your media isn't of much use while it is located within the safe.
(Score: 0) by Anonymous Coward on Saturday October 10 2015, @02:37AM
Then use inductive charging and wifi to access it. Best of both worlds :)
(Score: 2) by PinkyGigglebrain on Saturday October 10 2015, @06:02AM
I think you can have a power/data feed into a safe, for a light or temp sensors, so why not a SATA or USB cable? Just set everything up so you have to use a password everytime the drive is accessed, so even if a raid catches the main system running they can't access whats on the "vault drive". Whats the current state of passwords being protected by the 5th? Is it still jurisdiction based or did SCotUS chime in on it yet?
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 3, Interesting) by MichaelDavidCrawford on Saturday October 10 2015, @02:04AM
This is specific to the Washington State Constitution, not Federal. While other states likely have similar privacy guarantees in their own constitutions, I expect this was predicated in part on existing case law, which in general is quite different from that of other states.
An accused Heroin dealer's phone was in the possession of the police when some text messages came through from two associates. These messages were used to obtain his conviction.
The state supreme court overturned the conviction, holding that the text messages were inadmissible under the state's guarantee of privacy. The arguments had something to do with whether one had expectation of the privacy of postal mail; the prosecutor argued that the text messages were in the clear, the defense argued that the accused had the same expectation of privacy as if the messages were in an envelope.
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Insightful) by TrumpetPower! on Saturday October 10 2015, @02:38AM
Something that's been bugging me...us technogeek and cypherpunk types often make the analogy that sending an unencrypted email is like sending a postcard because anybody can read it. But that's a bad analogy. Paper envelopes are, literally, transparently weak "security"; shine a bright enough light through the envelope and you can read what's inside. And even if you add some sort of lining to defeat that attack, it's been known for centuries how to open and re-seal envelopes without any sign of tampering. Or, if you don't care that the recipient knows that you've read it, just grab a letter opener and open the envelope!
In practice, that's exactly how unencrypted email works. Anybody at the Post Office (and lots of other people, besides) could snoop on letters, nobody ever actually does. With, of course, notable exceptions, typically involving either a warrant or a crime. Similarly, anybody at any of the ISPs could snoop on an email, but, again, nobody ever actually does.
And, indeed, how is some random schmuck who's not a network admin or other inside / privileged person supposed to even be able to think of how he'd go about violating the privacy of email? With the mail, you could wait for the mailman to put the envelope in somebody's mailbox on the curb and then just take it out of the mailbox; most non-apartment mailboxes don't even bother with locks. With email...Joe Sixpack is likely left with trying to guess somebody's password, which is akin to lockpicking. Packet sniffing and the like is exotic black magic far beyond steaming envelopes open.
You want a parallel with postcards? Social media -- all those twats and fenceposts and nowpounds and what-not...those are people doing exactly with the Internet what they used to do with postcards. Sometimes semi-private in the sense that you might send a postcard to one cousin but not another, but still with the expectation that the mail carrier may well get a chuckle out of it and there's a good chance it'll get tacked to the refrigerator.
But person-to-person instant messaging? Not a postcard; as with email, you've got to be on the inside or hacking the account in order to get to it.
If we want to see the law reflect this reality, and if we want the public and politicians to understand and recognize it, we need to speak about it this way.
So, unencrypted email is like putting a letter in an envelope. In principle, people at the Post Office could steam it open or otherwise get to it, but, in practice, that only ever happens in extraordinary circumstances.
Encrypted mail is like writing your letter in code and then sticking it in an envelope. Again, the chances that anybody is even going to notice that you've sent the email at all (NSA caveats excluded) are slim, let alone that they'd think to try to steam the envelope open. But, if they do steam the envelope, they're stuck with trying to decipher the code. At the same time, if they're steaming your envelopes and see you're writing in code, you might have bigger worries.
Cheers,
b&
All but God can prove this sentence true.
(Score: 3, Insightful) by CirclesInSand on Saturday October 10 2015, @04:26PM
I'm afraid this is almost entirely wrong.
The Internet doesn't work like a post office, and it doesn't work like a series sealed envelopes (or whatever version of "tubes" is imagined). The Internet is like a crowded room, and though you want to get a message to your friend on the other side, you can only talk to your immediate neighbors.
The "mail" analogy for Internet communication would be: tell the mailman your message, the mailman tells his coworkers, until they get the message to your target. You don't have to be a sysadmin to break that. A Man-In-The-Middle defeats everything. There is NO encryption protocol that can overcome this, despite what "security experts" like to pretend. The only real option is to use multiple channels, or a point to point communication, which is really just redefining what the middle is.
When people use government ISPs to communicate, and then are amazed that the government have the information that was communicated, it is just appalling. Of course they will have the information. You can't ask them not to have the information, only perhaps to not keep it, which itself is a bit of a gray area.
This is what made Snowden's disclosure so important. Everyone knew the government was doing these things, in fact based on the law and practice, we've known they are doing much more for decades. But Snowden made it harder for everyone to live in denial.
(Score: 1) by Murdoc on Saturday October 10 2015, @06:16PM
I think what you're forgetting and they are talking about is, what about once the letter is taken out of the envelope? That is like what has happened once the email in in your inbox (or if you want to go further, you have "opened" it and read it). When a cop takes your phone and they read your messages, it's more like looking at all your opened post-mail in your home than looking at unopened mail from your mailbox outside. Do they have that right without a warrant? Taking your phone to access it, to me, is like forcing their way into your home, where yes you have a an expectation of privacy and they need a warrant.
Other than that, I like your reasoning/analogizing there.
(Score: 2) by Hyperturtle on Saturday October 10 2015, @08:02PM
I disagree somewhat.
Encrypted mail is writing your letter in code, period.
You can write it in code and put it on a post card. No one can read it and hold it up to the light and read it.
Putting the postcard in an envelope just puts it in an envelope. That envelope offers NO security -- it only offers privacy.
You can buy a "security envelope" that obscures the visibility of the contents; those are better called privacy envelopes, because they are no more secure than a regular envelope. But, because of that obscurement of the "payload" of that envelope, it can mean the difference between someone ripping the envelope open and stealing the money your Great Aunt Matilda sent to you with a letter professing her desire to see you in the knickerboxers she wove for you. The thieves probably wont even care about the message; they'll just steal the money. Security through Obscurity can be a good thing, because your Great Aunt Matilda can't send an encrypted payload of actual physical cash.
If you hired an armored truck for the delivery, that is a secure method of postal delivery, but it's still physically available for examination and reading by the armored truck company, but otherwise it's presumed to be secure, if not private. It's just as private as if it went through the postal service, maybe even less, due to the personal level of service involved, rather than some jaded mail carrier with a bunch of other messages to deliver. However, the armored truck delivery company can be used to reduce the chance of random people from tearing open the envelope and making off with your Aunt's thoughts. There is much more trust in the armored truck company's delivery mechanism than simply dropping something in the mail and hoping no one steals it or unseals it.
That's where the subject of trust with encryption and security would come into play, as well. What if the armored truck drivers were going to rob the truck? If you do not trust them very well, them maybe Auntie should not be sending cash, which routinely is not recommended for delivery via the mail anyway, right?
If you sent a letter via armored truck, but did not write it in code, but trusted them to deliver it securely, then this is not much different than sending email via google on an https connection. We'll get to the cash in a moment. That's tough to encrypt in code considering its in violation of federal law to ruin physical money like that.
If you used PGP to encrypt your message and then used HTTPS on the website to send the message, then that is encrypted mail, with encrypted delivery. I mean, my mom uses Outlook express. She didn't use HTTPS to retrieve the message, your scheme has been foiled due to user behavior. She used unencrypted SMTP port 587... but thankfully the content was still encrypted, right?
So... Back in the real world, the truck drivers might tear open the envelope and find that instead of cash or a check, Auntie's message to you included a 64 digit code redeemable only by you when you log into your amazon account with an email address previously agreed upon! Curses! But +1 for security, privacy and authentication validation mechanisms that prevented unauthorized actors from stealing your stuff! Even when thugs bust in, the payload was still safe even though the contents were known!
Note that the meta data is still available despite all of this -- people can see who and to whom messages have been sent, and if responses come back -- even if they cannot read the content of the messages as they are being delivered, and even if they open the envelopes after stealing them from the armored truck. They KNOW your aunt is loaded with money, and that you're getting some of that hot cash action in some form or another.
They can then use that information to try to hack your account and get the gift card redeemed while pretending to be you. They might try to go after her login instead.
There are even more complicated things we can discuss to help prevent that, but at this point, you've got problems and bigger worries if they are that determined, as you had said. They can watch you and see you give it to the armored truck company, even if there is nothing written on the envelope. All of those non-content things are what the government likes to call meta data, and meta data is quite hard to encrypt and still have a working, and convenient, system. How can you encrypt the source and destination without the delivery mechanism also being able to determine where to deliver it? And there-in lies a problem that is not convenient to resolve. It's more feasible to just secure the heck out of the content, unless you happen to own the armored truck company.
--
I think some of the problem with the confusion around post cards and envelopes and security comes from network documentation describing UDP as a post card and registered mail as TCP. Somehow, envelopes got involved, probably because it is absurd to send a post card via registered mail.
(Score: 2) by CirclesInSand on Saturday October 10 2015, @11:56AM
We already know that police are supposed to get warrants. What we don't know is what is supposed to happen when they don't get warrants. I'm still waiting for a court ruling on that.
(Score: 0) by Anonymous Coward on Saturday October 10 2015, @01:01PM
Sure, we know that. Now at least there's hope the courts do, too.