'Today' considers data retention and IMP
Florian Weimer
ukcrypto at chiark.greenend.org.uk
Sat, 10 Jan 2009 21:24:38 +0100
* Igor Mozolevsky:
> 2009/1/10 Florian Weimer:
>
>>> I don't know the innards of Google's mail service, but I'd be
>>> perfectly willing to believe that the TCP connection to gmail.com
>>> from my house would go straight to the LINX and thence to the US.
>>
>> At least the TCP connection for the sign-in is likely terminated
>> locally.
>
> Why would you assume that?
Even Google can't change the speed of light. There's no way that a
signal can cross the Atlantic in five milliseconds.
I wrote "likely" because I didn't test from the UK specifically.
>>> Now Google UK may well wish to respond to requests from law
>>> enforcement that ignore this distinction, because they're good
>>> citizens. But from an enforcement perspective, if the data isn't
>>> within the UK police's jurisdiction, what can they do to _force_ its
>>> production?
>>
>> They can seize Google potentially related equipment in the UK for
>> investigative purposes. Of course, if Google does not cooperate, it
>> might pick the wrong equipment.
>>
>> Isn't this what you would expect the police to do if they faced an
>> uncooperative domestic company?
>
> Would this not land G(US) in hot water wrt ECPA, if they did only
> store that info on their stateside servers?
My understanding is that they woold be fine, as long as they took
appropriate measures to adhere to European privacy standards.
> You are assuming that just because the names are similar, the G(US)
> is offering their `global' services solely through their G(UK)
> subsidiary, but that doesn't necessarily have to be the case.
I suppose G(US)'s position is that G(UK) doesn't do business with end
users. Since many of their services violate law in some European
countries (for instance, Germany does not shield hosting providers
from liability in a way the DMCA does), they have likely arranged that
the local subsidiary does not control Google-related equipment within
the country.
(Please note that I'm not really that obsessed with Google. I'm
interested in how you can deliberately opt out of jurisdiction, and
what can be done against it. Google is just an example.)