zlacker

1. fnordp+(OP) 2023-08-13 03:28:02
I would argue this is why all journalists should have their work processes in a major cloud provider with key management and audit services enabled.

Once upon a time I built one of the major providers' sensitive data services, and a typical artifact of a warrant for a cloud provider is a stipulation the warrant discovery be done without alerting the customer to the search. By encrypting your data with a key management service and enabling the provider's audit services (aka CloudTrail) it is impossible by design to execute the warrant without the customer receiving audit trail information about the provider's access of the keys and the data service. In theory the provider could make back doors, but the law actually is on their side in that they are not required to take extraordinary measures that materially impact their business to circumvent controls.

Further there is no physical seizure possible.

I know for most small newspapers this is beyond their technical ability or understanding. I challenge this community, maybe there should be an OSS cloud deployable journalism platform with strong security, information resiliency, and defense in depth and breadth against the state.

replies(1): >>Andait+q
2. Andait+q 2023-08-13 03:33:18
>>fnordp+(OP)
Or just make some freely available Terraform scripts to spin the whole thing up in a cloud, with the right info requested in the modules. They could even choose a location outside their current legal jurisdiction, if that helps.
replies(2): >>fnordp+91 >>NoZebr+sq
3. fnordp+91 2023-08-13 03:42:19
>>Andait+q
Yes that’s my challenge to the community more or less. It’s a problem that can be solved. But you shouldn’t expect people with a journalism degree to figure it out. They spent their time partying and making friends and stuff while we were studying cryptography and distributed systems wishing we could be invited to a party or have a friend.
replies(1): >>dharma+0g
4. dharma+0g 2023-08-13 07:07:35
>>fnordp+91
Friend, there are many of us who studied and worked with cryptography and distributed systems while also spending time with friends and attending social events. Consider speaking to someone about this.
5. NoZebr+sq 2023-08-13 09:04:22
>>Andait+q
Why would an organization deliberately put their core business outside the jurisdiction where they are incorporated, have offices, or do their primary business? They would not, just for some sort of tinfoil hat avoidance of legal repercussions, while in fact they could compound their legal troubles, and invite extra scrutiny, if they are crossing state lines, and/or setting up in "interesting" regions.
replies(2): >>dharma+oh1 >>fnordp+a93
6. dharma+oh1 2023-08-13 16:20:24
>>NoZebr+sq
> if they are crossing state lines

In the US, if your business is on the internet, it is crossing state lines, even if all your computers are in the same state.

In fact, pretty much all business in the US is considered across state lines.

7. fnordp+a93 2023-08-14 07:50:46
>>NoZebr+sq
I think it depends. I don’t think putting their data outside their local jurisdiction would help much because as a cloud provider they would service a lawful warrant across regions unless the accounts are owned by a foreign entity, then it would have to be compliant with the region both of the data and the entity owning the account. Some jurisdictions are “safer” than others and some are less willing to honor a warrant from a US court against a local entity.

I think this is fairly complex though to avoid a potential issue that likely won’t exist. By simply instrumenting audit and using service provider encryption services like AWS KMS with CMK with audit trails turned on you generally insulate yourself from most warrants. You can still be compelled to turn over data, but it would have to be done with you being aware of it and often with your direct involvement. More importantly you would retain a copy of everything and all your infrastructure. If they have convincing evidence you’re using your infrastructure to commit crimes the cloud provider may freeze your account, though, but it would have to be more than “we think you have evidence of a crime in your data” and more like “you are using EC2 instances to commit crimes actively.”
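
Added example, not written by anyone in this thread: a sketch of how a newsroom could review the KMS audit trail discussed above, scanning a CloudTrail log file for key use by principals it does not expect. The record values, the `newsroom-cms` role, the key ARN and the allowlist are constructed assumptions; only the field names follow CloudTrail's record format.

```python
import json

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
CMS_ROLE = "arn:aws:sts::111122223333:assumed-role/newsroom-cms"   # hypothetical role

def _rec(time, source, name, arn):
    """Build one constructed record using CloudTrail field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": "198.51.100.7",
            "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]}

# Constructed sample in the shape of a delivered log file: {"Records": [...]}
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2023-08-13T03:00:00Z", "kms.amazonaws.com", "Decrypt", CMS_ROLE + "/i-0abc"),
    _rec("2023-08-13T04:10:00Z", "kms.amazonaws.com", "Decrypt",
         "arn:aws:iam::111122223333:user/unreviewed-admin"),
    _rec("2023-08-13T04:12:00Z", "s3.amazonaws.com", "GetObject", CMS_ROLE + "/i-0abc"),
    _rec("2023-08-13T05:00:00Z", "kms.amazonaws.com", "CreateGrant",
         "arn:aws:sts::444455556666:assumed-role/other/session"),
]})

# KMS calls that use a key or widen who may use it.
WATCHED_EVENTS = {"Decrypt", "GenerateDataKey", "CreateGrant", "PutKeyPolicy"}

def _is_expected(caller, expected):
    # An assumed-role ARN carries a session suffix, so accept "<role>/<session>".
    return any(caller == a or caller.startswith(a + "/") for a in expected)

def unexpected_key_use(log_text, expected, watched=WATCHED_EVENTS):
    """Return watched KMS events whose caller is not on the allowlist."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in watched:
            continue
        ident = rec.get("userIdentity", {})
        # Calls made by an AWS service may have invokedBy instead of an ARN.
        caller = ident.get("arn") or ident.get("invokedBy") or "unknown"
        if _is_expected(caller, expected):
            continue
        keys = [r.get("ARN") for r in rec.get("resources", [])
                if r.get("type") == "AWS::KMS::Key"]
        findings.append({"time": rec.get("eventTime"), "event": rec["eventName"],
                         "caller": caller, "keys": keys,
                         "source_ip": rec.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    for f in unexpected_key_use(SAMPLE_LOG, {CMS_ROLE}):
        print(f["time"], f["event"], f["caller"], f["keys"])
```

The review is only as good as the allowlist and the integrity of the log delivery, so the trail should be written somewhere the monitored principals cannot modify.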
