The first one where the police uploaded videos and wanted viewer information is absolutely egregious and makes me wonder how a court could authorize that.
The next one, which I didn’t fully understand, but appeared to be in response to a swatting incident where the culprit is believed to have watched a specific camera livestream and the police provided a lot of narrowing details (time period, certain other characteristics, etc) appears far more legitimate.
I don't understand how either of these are remotely constitutional. They sure aren't what is in the spirit.
They asked for information about a video watched 30k times. Supposing every person watched that video 10 times AND supposing the target was one of the viewers (it really isn't clear that this is true), that's 2999 people who have had their rights violated to search for one. I believe Blackstone has something to say about this[0]. Literally 30x Blackstone's ratio, who heavily influenced the founding fathers.
> The first one where the police uploaded videos and wanted viewer information is absolutely egregious and makes me wonder how a court could authorize that.
The police didn't upload they videos. It's not entrapment, and it doesn't sound like the actual content of the videos is illegal.
Instead, they had an open communication channel with their target and were able to send them various links to youtube videos.
Their theory being if they can find any user who clicked on all (or most of) those links, it's probably their target. And it's unlikely some random user would have accidentally viewed all those videos.
The actual request for the raw list of all viewers seems unconstitutional to me. Too broad, gives the police a lot of infomation about all users who watched just one of the videos. But I suspect a much narrower request where google identified the target user and past just that user's info on would be constitutional.
On the one hand, a narrow warrant that reveals a lot of people (classic example are warrants on motels to provide the names of everyone who checked in on a certain date, or was registered on a certain date) are certainly constitutional and have been upheld many times.
If you see a YT which is remotely dodgy, don’t watch it… It very well could be planted there as bait.
And that’s great Google are trying to fight back, a little. Though I wonder that for us Non-American Brits that they’d do the same for us too (doubtful)
> The court orders show the government telling Google to provide the names, addresses, telephone numbers and user activity for all Google account users who accessed the YouTube videos..
Hopefully that clarifies for some folks why these big tech/social media companies insist on having your phone number as a “2FA for security” despite all the sim-swap attacks.. simply for this moment, because you might be using a VPN, and address/name aren’t in your google account, but definitely your phone number is there, it’s even worse if you’re using an android too, as they probably will pull out all your app/browsing history..
I'm not saying that there aren't other motives, but there are legitimate security concerns.
Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeting attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.
You can avoid this with Google by using a virtual WebAuthN device (ironically via Chrome devtools), and then you will unlock the ability to enroll in MFA with a QR code for an OTP URL.
> The court orders show the government telling Google to provide the names, addresses, telephone numbers and user activity for all Google account users who accessed the YouTube videos between January 1 and January 8, 2023.
Interesting aside: Viacom used a similar broad request back in 2008 [1] in its lawsuit that nearly put YouTube out of business in its infancy. This time, it's the government making the request, and Google has way more data to potentially provide.
Im increasingly coming to the opinion that anonymity isnt guaranteed so you should assume everyone knows what you do.m and who you are. So you should probably just use your real name and do way less online.
Havent fully swallowed this pill but its feeling inevitable.
We're on a tech forum known to have some of the best and brightest and visited by tech giants. If anyone can solve this problem, it is us. If we are the ones giving up, then who is there to make things right?
As I see it, our only choice is to make privacy and anonymity trivial. Not for techies, but for our tech illiterate grandparents. Push hard for tools like Signal where people can get encryption without having to think about encryption. People want privacy and security but they just don't know how or don't understand what leaks data. But there's the clear irony that the sector __we__ are critical to is the one who is creating this problem.
I'm not ready to swallow that pill. I'm unconvinced we have to. Clearly __we__ can do something about this. Even if that is refusing to build such things, let alone build defenses. Apathy is no different than supporting these authoritarian takeover, because that's what it is. Authoritarian creep.
I think it's all about how many clues you leave behind. If you make a HN account that you only access via Tor through a browser with Javascript turned off and stick your writing through some AI editing service, it's probably pretty difficult to trace anything back to you. If you stream yourself 16 hours a day every day, your nickname probably isn't saving you from much, as it only takes one person to go "oh I know them" and then your secret's out. So like everything, it's about a striking a balance. Who is out to get you, and how much do you like doing things online? Just a question you can ask yourself before you move into a cabin in the woods and work on your novel 24/7 or whatever. (Publish it under a pen name, though, obviously.)
There's a crucial distinction here between the pragmatic and the normative, or else there's a feedback trap where accepting it as normal makes it even more common.
In other words you can plan around the worst case, but don't let go of the opinion/social-value that it's too-common and wrong and aberrant.
Talk to anyone in advanced privacy work or out of government -> full stop, yes, if you’re not doing Snowden-style measures (TailsOs) or really reconsidering where and how your phone travels around with you and browser controls, it’s done.
Tracking and the firms that do it is incredibly extensive and hard to beat (ie browser ad you just scroll by can fingerprint you well enough).
What you say is indeed one possible way to deal with it.
Treat it as a public postcard signed with your name, and never for a minute assume that someone doesn't link what you say to your identity.
This mode of operating means you will be more polite when angered by some troll online, as you are not hiding behind some pseudonym.
And at least you won't be shocked when a Website does what Glasdoor recently did, i.e. convert from pseudonyms to people's real names WITHOUT CONSENT OR WARNING. Surely by using always your real name you will not bitch about your employer on a Website when you name is shown as the poster and you will still want to get promoted, or at least retained as an employee.
I'm also waiting for the day, which is pretty much here now, when you will have to use a real name for any sign up form on any website. Something verifiable and not John Smith at phone 123 456 7890.
I more or less do that. Not really related to privacy, but I find that if I post as myself, I am more honest, less likely to troll, more considerate of others when I post. For me it's healthier.
What are you talking about? Use VPN outside of US jurisdiction, register a random google account, and use YouTube all you want in almost full anonymity.
Just keep in mind that if you write comments, and you also write under your real name, it's relatively easy to identify you by the writing style.
100%. We probably shouldn’t protest or even discuss non-conforming ideas. Just agree with the current rulers on all things to be safe. Also make sure to vote for the right leaders because who knows how long that’ll remain private.
The order was merely a nicety. I cannot imagine any company succeeding at taking a stand against the United States Federal Government on when it really wants something.
Likely the same with any other major nation state (I bet the chinese govt once showed Google it could at will access all their data, in order to capitulate cooperation, while the US is given full access at any time for any reason)
I don't like Apple. I'm cheering on the current lawsuit brought by the feds. I do not, and never have owned, an iPhone, and Apple is not the bastion of privacy they sell themselves as.
Eh, no. Are you familiar with MUSCULAR? It was in the Snowden leak. Basically Google kept telling the NSA to fuck off, so the NSA dug a hole and tapped some fiber to exfiltrate clear text communications between data centers, which was apparently a lot of important stuff back then. Within weeks of the MUSCULAR leaks, all Google datacenters were communicating with each other with proper SSL termination.
Are you familiar with Aurora? It was that time in 2009 when a Chinese military unit broke into Google and started poking around for information about some known dissidents. They were expunged quickly and the level at which Google stepped up their security game is unparalleled in the history of infosec.
Yes, the NSA or various law enforcement groups can get information from Google if it goes through the proper channels, and there's probably a handful of intelligence community insiders who hand data out of Google from time to time as well, even as part of various intelligence sharing agreements, but the idea that the NSA just has free access to whatever they want there is ridiculous.
1. Upload a video to YouTube,
2. Make it non-public, but possible to view for people who have links,
3. Post it to some shady underground forum full of people who want to do bad things to you for money,
4. Build the net of connections and track people who did watch the non-public link, see who knows who in this degenerate world of extorsions and theft,
5. Send the message to criminals that if they want to continue what they're doing, then even YouTube isn't safe for them,
6. Profit.
TBH, if the above would be true, I would even be happy. But I'm biased, because I sincerely hate thieves and extorsionists.
"In conversations with the user in early January, undercover agents sent links of YouTube tutorials for mapping via drones and augmented reality software, then asked Google for information on who had viewed the videos, which collectively have been watched over 30,000 times."
Huh? Why? Is this because some country doesn't like people having good mapping technology? Israel and China object to precision mapping, but the US historically has not.
It was likely a fake mutual interest and they hoped "elonmuskwhm" would watch the videos so they could gather some data about them. That's how I interpreted it anyway.
Eleven hundred steaming pantloads of hot bullshit. This is textbook fishing trip. The real zinger of all this . . the thing that has me riled . . is that this is going to be used to put away who knows how many poor-ass sadsack innocent citizens who can't afford counsel, before the poooh-leeeeease finally bust that one guy who has the money to afford legal representation. Upon which everyone goes oh right this was really illegal SILLY US
Someone posting up illegal videos? We already got laws for that, you sons of bitches. WATCHING videos? Like, "everyone in the country who watches this video?" Get the hell out of here.
Casual reminder that Invidious[0] and Piped[1] exist. Farside[2] can automatically redirect you to a working instance, for example: https://farside.link/invidious
If you add a redirector plugin for your browser, you can add a capture for something like this:
Take the crime they are investigating and ignore that; it is a red herring. Say that there is a stalker who hacked someone's devices and pulled private information and videos from them, and posted them publicly. Something unequivocally bad. We would all agree that there needs to be a way to investigate and stop this person and seek justice for the victims.
Until recently, taking this to the cops would get you a blank stare and nothing would happen. At least now in certain places it is taken seriously. But traditional investigative methods don't work. They would need to get access logs to the places where that data was uploaded, at the very least.
Cops are not particularly great at investigating (most crime is solved by confessions or just catching them in the act). They don't have any reason not to just blindly grab all the data and sort through it by hand, because that's what they know how to do, and if they request it and get denied, why would they care? They either try something else or say 'fuck it'.
Local Judges see a request for records and a block of time and it seems reasonable to get that info. No one is sitting and explaining to them the implications of allowing cops access to personal information from viewer logs. Historically, the lower courts are not the place to seek enlightened rulings.
Google? I honestly have no love for them, and they bend over for China every day for worse stuff, so I would be surprised if they gave two shits about their users, except that if this becomes common enough they might actually have to devote support to these requests, and they hate giving support, so they might fight it just for their own self-interest.
The problem is that there is no settled case law here and no clear legislation, and I would hesitate to take any important cases to the Supreme Court until at least Mr. "Is This a Pube on My Coke Can" is gone.
[+] [-] addicted|2 years ago|reply
The first one where the police uploaded videos and wanted viewer information is absolutely egregious and makes me wonder how a court could authorize that.
The next one, which I didn’t fully understand, but appeared to be in response to a swatting incident where the culprit is believed to have watched a specific camera livestream and the police provided a lot of narrowing details (time period, certain other characteristics, etc) appears far more legitimate.
[+] [-] godelski|2 years ago|reply
They asked for information about a video watched 30k times. Supposing every person watched that video 10 times AND supposing the target was one of the viewers (it really isn't clear that this is true), that's 2999 people who have had their rights violated to search for one. I believe Blackstone has something to say about this[0]. Literally 30x Blackstone's ratio, who heavily influenced the founding fathers.
I don't think any of this appears legitimate.
Edit: Ops [0] https://en.wikipedia.org/wiki/Blackstone%27s_ratio
[+] [-] phire|2 years ago|reply
The police didn't upload they videos. It's not entrapment, and it doesn't sound like the actual content of the videos is illegal.
Instead, they had an open communication channel with their target and were able to send them various links to youtube videos.
Their theory being if they can find any user who clicked on all (or most of) those links, it's probably their target. And it's unlikely some random user would have accidentally viewed all those videos.
The actual request for the raw list of all viewers seems unconstitutional to me. Too broad, gives the police a lot of infomation about all users who watched just one of the videos. But I suspect a much narrower request where google identified the target user and past just that user's info on would be constitutional.
[+] [-] ChuckMcM|2 years ago|reply
On the one hand, a narrow warrant that reveals a lot of people (classic example are warrants on motels to provide the names of everyone who checked in on a certain date, or was registered on a certain date) are certainly constitutional and have been upheld many times.
The first seems, odd.
[+] [-] helpmefindpurp|2 years ago|reply
[+] [-] supposemaybe|2 years ago|reply
And that’s great Google are trying to fight back, a little. Though I wonder that for us Non-American Brits that they’d do the same for us too (doubtful)
[+] [-] tamimio|2 years ago|reply
Hopefully that clarifies for some folks why these big tech/social media companies insist on having your phone number as a “2FA for security” despite all the sim-swap attacks.. simply for this moment, because you might be using a VPN, and address/name aren’t in your google account, but definitely your phone number is there, it’s even worse if you’re using an android too, as they probably will pull out all your app/browsing history..
[+] [-] kevincox|2 years ago|reply
Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeting attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.
[+] [-] chatmasta|2 years ago|reply
[+] [-] WillieCubed|2 years ago|reply
Interesting aside: Viacom used a similar broad request back in 2008 [1] in its lawsuit that nearly put YouTube out of business in its infancy. This time, it's the government making the request, and Google has way more data to potentially provide.
[1]: https://web.archive.org/web/20100702111029/http://afp.google...
[+] [-] goles|2 years ago|reply
[+] [-] nonethewiser|2 years ago|reply
Havent fully swallowed this pill but its feeling inevitable.
[+] [-] godelski|2 years ago|reply
As I see it, our only choice is to make privacy and anonymity trivial. Not for techies, but for our tech illiterate grandparents. Push hard for tools like Signal where people can get encryption without having to think about encryption. People want privacy and security but they just don't know how or don't understand what leaks data. But there's the clear irony that the sector __we__ are critical to is the one who is creating this problem.
I'm not ready to swallow that pill. I'm unconvinced we have to. Clearly __we__ can do something about this. Even if that is refusing to build such things, let alone build defenses. Apathy is no different than supporting these authoritarian takeover, because that's what it is. Authoritarian creep.
[+] [-] jrockway|2 years ago|reply
[+] [-] Terr_|2 years ago|reply
In other words you can plan around the worst case, but don't let go of the opinion/social-value that it's too-common and wrong and aberrant.
[+] [-] dogman144|2 years ago|reply
Tracking and the firms that do it is incredibly extensive and hard to beat (ie browser ad you just scroll by can fingerprint you well enough).
[+] [-] cbolton|2 years ago|reply
> If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place
which you can read either as a terrible "nothing to hide nothing to fear" comment or as a good warning about the factual state of things.
[+] [-] jll29|2 years ago|reply
Treat it as a public postcard signed with your name, and never for a minute assume that someone doesn't link what you say to your identity.
This mode of operating means you will be more polite when angered by some troll online, as you are not hiding behind some pseudonym.
And at least you won't be shocked when a Website does what Glasdoor recently did, i.e. convert from pseudonyms to people's real names WITHOUT CONSENT OR WARNING. Surely by using always your real name you will not bitch about your employer on a Website when you name is shown as the poster and you will still want to get promoted, or at least retained as an employee.
[+] [-] fsflover|2 years ago|reply
[+] [-] ilrwbwrkhv|2 years ago|reply
[+] [-] dghughes|2 years ago|reply
[+] [-] JKCalhoun|2 years ago|reply
[+] [-] brikym|2 years ago|reply
[+] [-] datavirtue|2 years ago|reply
[+] [-] bufferoverflow|1 year ago|reply
Just keep in mind that if you write comments, and you also write under your real name, it's relatively easy to identify you by the writing style.
[+] [-] AdamJacobMuller|2 years ago|reply
Nonsense.
[+] [-] wiseowise|2 years ago|reply
[+] [-] rapind|2 years ago|reply
[+] [-] knightoffaith|2 years ago|reply
A list of public instances (which you probably want to use if you're concerned about being identified) here: https://docs.invidious.io/instances/
[+] [-] recursive|2 years ago|reply
[+] [-] arp242|2 years ago|reply
Justice Department withdraws FBI subpoena for USA Today records ID'ing readers - https://news.ycombinator.com/item?id=27408647 - Jun 2021 (174 comments)
[+] [-] password4321|2 years ago|reply
2022-06-30 https://news.ycombinator.com/item?id=31938350
[+] [-] balls187|2 years ago|reply
Likely the same with any other major nation state (I bet the chinese govt once showed Google it could at will access all their data, in order to capitulate cooperation, while the US is given full access at any time for any reason)
[+] [-] xethos|2 years ago|reply
That said, credit where it's due: https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
[+] [-] px43|2 years ago|reply
Are you familiar with Aurora? It was that time in 2009 when a Chinese military unit broke into Google and started poking around for information about some known dissidents. They were expunged quickly and the level at which Google stepped up their security game is unparalleled in the history of infosec.
Yes, the NSA or various law enforcement groups can get information from Google if it goes through the proper channels, and there's probably a handful of intelligence community insiders who hand data out of Google from time to time as well, even as part of various intelligence sharing agreements, but the idea that the NSA just has free access to whatever they want there is ridiculous.
[+] [-] c0pium|2 years ago|reply
Edit: this is also not the federal government, state and local government has even less juice than the little the Feds possess.
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] self_awareness|2 years ago|reply
TBH, if the above would be true, I would even be happy. But I'm biased, because I sincerely hate thieves and extorsionists.
[+] [-] Animats|2 years ago|reply
Huh? Why? Is this because some country doesn't like people having good mapping technology? Israel and China object to precision mapping, but the US historically has not.
[+] [-] templeosenjoyer|2 years ago|reply
[+] [-] Razengan|2 years ago|reply
[+] [-] tacocataco|1 year ago|reply
Working as intended.
[+] [-] atlgator|2 years ago|reply
I don't even drink bourbon.
[+] [-] phkahler|2 years ago|reply
[+] [-] MilStdJunkie|2 years ago|reply
Someone posting up illegal videos? We already got laws for that, you sons of bitches. WATCHING videos? Like, "everyone in the country who watches this video?" Get the hell out of here.
[+] [-] datavirtue|2 years ago|reply
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] someotherperson|2 years ago|reply
If you add a redirector plugin for your browser, you can add a capture for something like this:
And push it to something like this: For example: https://farside.link/invidious/watch?v=Ag1AKIl_2GM[0] https://github.com/iv-org/invidious
[1] https://github.com/TeamPiped/Piped
[2] https://farside.link/
[+] [-] Eisenstein|2 years ago|reply
Take the crime they are investigating and ignore that; it is a red herring. Say that there is a stalker who hacked someone's devices and pulled private information and videos from them, and posted them publicly. Something unequivocally bad. We would all agree that there needs to be a way to investigate and stop this person and seek justice for the victims.
Until recently, taking this to the cops would get you a blank stare and nothing would happen. At least now in certain places it is taken seriously. But traditional investigative methods don't work. They would need to get access logs to the places where that data was uploaded, at the very least.
Cops are not particularly great at investigating (most crime is solved by confessions or just catching them in the act). They don't have any reason not to just blindly grab all the data and sort through it by hand, because that's what they know how to do, and if they request it and get denied, why would they care? They either try something else or say 'fuck it'.
Local Judges see a request for records and a block of time and it seems reasonable to get that info. No one is sitting and explaining to them the implications of allowing cops access to personal information from viewer logs. Historically, the lower courts are not the place to seek enlightened rulings.
Google? I honestly have no love for them, and they bend over for China every day for worse stuff, so I would be surprised if they gave two shits about their users, except that if this becomes common enough they might actually have to devote support to these requests, and they hate giving support, so they might fight it just for their own self-interest.
The problem is that there is no settled case law here and no clear legislation, and I would hesitate to take any important cases to the Supreme Court until at least Mr. "Is This a Pube on My Coke Can" is gone.
[+] [-] Bu9818|2 years ago|reply