On Confirmed Assumptions

or, Not Trusting Google is a Good Idea

Ísafjörður, 21 June 2013.

I received an e-mail Tuesday night from the spammiest-looking account I’ve ever encountered that isn’t sending spam. It was a google.com address, and attached were four PDF documents. The body of the mail informed me that Google had received these documents “in a matter pending in the U.S. District Court for the Eastern District of Virginia”, that Google had provided response documents in compliance with the law, and that under the terms of the disclosure orders I am free to disclose the materials to whomever I choose. Not the most interesting message in the world, you might think. Except, well, you know, the District Court in question is in Alexandria, Virginia. I must confess that I was at a loss for words for a little while. And that’s before I started reading the documents.

There were two orders demanding information, and another two permitting the disclosure of the actual orders. The orders are under seal, you see: Secret.

The disclosure orders, dated 2 May 2013, state that a non-disclosure order has expired, and thus Google is permitted to give me a copy of both the disclosure order and the original order. They must redact two pieces of information: the address of the email account in question, and the name of the person that provided the asked-for information. Google is, however, allowed to tell me what account is involved, and I can do whatever I want with the information Google gave me. The matter in question, however, remains under seal – so I know they requested (and got) a lot of information about me, but I can only guess (but it’s not a tricky guess) what it’s all about.

The earliest of the documents, labelled EC139, is a court order issued under 18 U.S.C. § 2703(d), a provision comparable to data retention requirements in Europe, which requires Google to provide “the United States” (a code phrase meaning whatever prosecutorial office is involved) with metadata records: Names associated with the account, IP addresses that have logged on to the account, when the account has been logged on to and for how long, all that stuff. That’s rather a lot of information, but at least it’s not the contents of emails, chats, calendars, or any of the myriad other things Google accounts are linked to. These kinds of orders have been served on more of the people I know than I really care to think about. A friend of mine – who I incidentally provided with an email account under this domain, for reasons not dissimilar to those I had – was notified of a similar order at the same time I was. That order, however, had been issued a month earlier.

All this is pretty much par for the course; I had assumed that I was caught in the dragnet cast around Julian Assange. To have it confirmed with legal documents was more of an impact than I would have believed beforehand, but there wasn’t anything new in it.

Enter the second document, SW594. That one is not a court order, but a search warrant:

This warrant applies to information associated with [redacted] that is stored at premises owned, maintained, controlled, or operated by Google, Inc., a company headquartered at 1600 Ampitheatre Parkway, Mountain View, CA.

That seems a little … broad. But okay, that’s Attachment A, “Property to Be Searched”. What about Attachment B, “Particular Things to be Seized”?

I. Information to be disclosed by Google, Inc.

To the extent that the information described in Attachment A is within the possession, custody, or control of Google, Inc., Google, Inc. is required to disclose the following information to the government for each account or identifier listed in Attachment A:

  1. The contents of all e-mails associated with the account, including stored or preserved copies of e-mails sent to and from the account, draft e-mails, deleted e-mails, emails preserved pursuant to a request made under 18 U.S.C. § 2703(f), the source and destination addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail;

  2. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);

  3. All records or other information stored at any time by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files, and including any deleted information and any information preserved pursuant to a request made under 18 U.S.C. § 2703(f);

There’s one detail to notice here: The whole thing ends with a semi-colon. You see, there is a slight difference between the two disclosure orders. Whereas that for EC139 permitted Google to send me a full, albeit redacted, copy of the order, that for SW594 only allows them to send the first page of Attachment B.

Even so, what I am allowed to know is that Google has been compelled to hand over all e-mail associated with my GMail account, every shred of information they had on my identity, and anything I’d uploaded to a Google service. It’s a safe bet that chat logs from GTalk are on the next page – I’m assuming those aren’t lumped in with email, although that’s what Google’s own interface does.

That’s rather a lot of information. Particularly in light of the fact that I’m not allowed to know why they’re asking for this information. I assume it’s because I had a conversation or a few with a white-haired Australian guy, but there’s nothing in the documents to confirm this. Let’s reiterate this, because that’s the point I find the most remarkable in all of this: Because I talked to Julian Assange, all information held by Google relating to my user account with them can be handed over to U.S. prosecutors. Not just the contents of my conversations with Julian. (Over GTalk. Now that’s good OpSec for you. Not.) How is this reasonable? How is this a particular description? How, in short, is this shit valid under the U.S. Bill of Rights? I’d really like someone to explain that to me. With a straight face. Preferably without making me want to punch them in the process.

And this is just my Google account. What else did they take — and whose?

Herbert Snorrason,

Of course the contents of those conversations are encrypted. OTR. And, yes, I had a non-GMail account for those conversations. Although there’s probably more spooks on that server now than legitimate users…