How Cops Can Get Your Private Online Data
Posted2 months agoActiveabout 2 months ago
eff.orgTechstoryHigh profile
heatednegative
Debate
80/100
SurveillancePrivacyLaw Enforcement
Key topics
Surveillance
Privacy
Law Enforcement
The EFF article explains how law enforcement can access private online data, sparking a heated discussion about surveillance, privacy, and the role of third-party data brokers.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
29m
Peak period
30
2-4h
Avg / period
8
Comment distribution64 data points
Loading chart...
Based on 64 loaded comments
Key moments
- 01Story posted
Nov 10, 2025 at 11:01 AM EST
2 months ago
Step 01 - 02First comment
Nov 10, 2025 at 11:30 AM EST
29m after posting
Step 02 - 03Peak activity
30 comments in 2-4h
Hottest window of the conversation
Step 03 - 04Latest activity
Nov 11, 2025 at 9:26 AM EST
about 2 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45877206Type: storyLast synced: 11/20/2025, 7:40:50 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
If the "how" of a situation is newsworthy, presumably the existence of the situation is as well, so the benefit of a more concise title isn't creating a major downside. On the other hand, I wouldn't consider the more verbose title a major downside either, so the adjustment isn't worth the potential issues.
Here's a recent news article about swedish politicians planning to make our cops synthesise CSAM, because they supposedly need it:
https://www.aftonbladet.se/nyheter/a/jQV959/polisens-nya-ver...
Seems reasonable to me?
https://en.wikipedia.org/wiki/Third-party_doctrine
Should not a query towards some provider about the online-data about some citizen be protected by the first amendment? In other words, if a search warrant would be required to enter a house, unless invited, why would this not apply to online data stored somewhere? There are only very few situations where a warrantless search may be conducted, e. g. such as when driving a car and a cop has an objective and reasonable suspicion. When the court systems is no longer involved, it then means that people objectively have lost certain basic rights, freedoms and safeguards against any governmental overreach.
Of course, the claim is that it should not be considered this way, because it is bad for privacy. But the reasoning that led here is pretty comprehensible.
And that the client and provider can sign a contract forbidding the provider to disclose the information except under a warrant.
4A says "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" so I would think the provider of the service could consider their data to be "their papers/effects" but is the provider a member of "the people" if it's not a sole proprietor?
https://en.wikipedia.org/wiki/Third-party_doctrine
It was originally controversially applied to a person's transactions with a bank, and then absurdly extended to include anything anyone holds for someone else, even someone who holding it for the purpose of providing secure storage.
https://www.latimes.com/california/story/2024-01-23/appeals-...
https://archive.is/RnU68
Was there actually a court ruling affirming this interpretation? Skimming the wikipedia article, all the court cases has to do with metadata generated by the third party provider (eg. cell site data or cryptocurrency transaction information). You can argue those should be protected as well, but it's not something like "someone who holding it for the purpose of providing secure storage", like an email inbox or whatever.
Cracking open your phone might require a warrant. But basically every byte of data on it has come from your ISP and is backed up to Apple\Google etc. and those companies will let me search their computers for your data no questions asked (or for a nominal fee).
That’s how you sidestep the 4th amendment when it comes to tech in the modern age.
The companies are entirely within their rights to say "fuck off and get a warrant, you ghouls", but from their perspective, it's a lot easier to just hand it over.
This is why there's a patchwork of statutes requiring Fourth Amendment ish processes for things like wiretaps and emails.
The government has long considered the 4th amendment to be a major hindrance. The only reason that they even seek a warrant to search your home or belongings is because the 4th amendment explicitly says
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated
I don't know the legal justification for excluding things like email metadata, but I imagine it goes like this:
> Your emails are not in your house, on your person, or are papers or effects. They are numbers stored in someone else's computer, and we only need the consent of someone else to get that information, which they will provide because they don't want to get on our bad side.
But the realistic reasoning is: the 4th amendment is a pain in the ass to law enforcement and they'd much rather it was never written at all, so they will cast whatever legal incantations are required to put a wall between your rights and your data
I also feel like the article generally misrepresents the entire American legal system, since the system itself does not really prevent the cops from doing the bad things, but instead tries to say that the result of the bad thing cannot be used as evidence. So it really isn't structured to ensure that the cops can't get your voice mails. It is structured such that if the cops improperly accessed your voice mails that can't be used against you in court.
Yes, it's true that illegally obtained evidence can be excluded.
But warrants -- prior authorization -- are required for searches. The law is structured to prevent both use and gathering if improper. (Whether warrant practice is effective at prevention is another question.)
Required in what sense? In that they're unable to perform those searches by some mechanism preventing them from doing it outright? Or just that there are consequences if they do?
If the latter, we immediately jump into "It's only illegal if I get caught" territory.
The public is largely unaware of just how much control third party governments give law enforcement. They can manipulate your search results to hide information from you or promote certain things they want to be presented to someone they are looking into.
If the historical basis of this access is being able to read the list of library books you check out, now it has expanded to controlling which books are recommended to you and they have the ability to control the content of the media you receive.
A common dismissal of this issue is that nothing can be accessed without court orders or a subpoena. It's important to remember that this is only really true if they intend to directly use the information obtained from you in a court proceeding. Often times it is about information gathering on a target that is not meant to be used in court. Even then, they have endless ways of using a form of parallel construction to hide the source of the information. This also extends to data brokers, which have to work with the Government to continue operating. The same is true for app developers who want their apps to be listed on app stores. Or device manufactures that want the ability to sell their products and pass FCC certifications...
In more serious cases, it extends to the concept of your identity itself. Law enforcement often will not hold itself accountable for violating the laws or your rights. Identity theft tied to online actions against you is not out of the question for them either. When it is taken this far, good luck reporting it and having it resolved.
The stuff they can do with the backdoors in YouTube, the advertising system, cloud document storage (LE can view your live work in cloud storage like Google Docs, etc... Imagine working on a lawsuit against someone watching you formulate your legal arguments)... It just goes on and on...
End rant
How naive and idealistic to write "often" in that sentence. Law enforcement will NEVER hold itself accountable. Law enforcement has been given carte blanche to violate every constitutional right Americans have. Policing at all levels has been corrupted by overzealous politicians and lobbyists of all shades of blue and red.
The EFF are quoting Stallman now? I wonder if they're slowly coming to realize that yes, once again, Stallman was right.
But Stallman WAS right about basically everything though.
I'm under no illusion about the willingness of most corporations to hand over everything from subscriber info to content on a dime, but does anyone have any experience with specifics?
Especially pertinent to my question: what is to stop a member of a (non-sanctioned) foreign country (let's say not five eyes) from requesting data on a user of an American service "pursuant to a foreign investigation" (whatever that means)? Does it make a difference in practice if the user is an American resident, a resident of said foreign country, or a resident of a 3rd country altogether?
Example: a dissident launches a website and employs a registrar-provided domain privacy shield (these have notoriously vague guarantees of actual privacy). A "law enforcement officer" from country Xyz "subpoenas" the .com or .tld registry (hosted in the USA) and requests information about the owner of the domain. What happens next (in practice, not in theory)? Do some normally go through US intermediaries? Can American companies just refuse (consider both if the registrar/company has or doesn't have a physical presence in the foreign country in question)?
(Not exactly the same situation, but I was surprised that the FBI request to subpoena the identity of the hero behind the archive.tld service made the news [0]. I a) thought these were very much normal order-of-business things that would happen quietly behind the scenes, b) expected companies would roll over on this info without even a subpoena given the loose guarantees most registrars make about privacy, c) made me wonder if the specific registrars were selected for related reasons, and d) wondered about when and where it makes sense to avoid registering a domain with you real identity even if you use a privacy shield service. Also, I think most companies/registrars wouldn't even bother to notify their customers/users, regardless of whether a gag order was in place or not.)
[0]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
https://transparencyreport.google.com/user-data/overview?use...
Small example: Accurately correlating a phone number or IP address to the current real-time physical address.
Also on topic, the XMPP protocl is federated and supports E2E encryption via OMEMO aka "the signal protocol". Go create an account and get your friends into it. I use Dino on Debian and Conversations on Android. These two clients support all the "modern" features that whatsapp does, including audo and video calls, in addition to niceties like public channels where you can meet new people outside your circle of friends. For providers, find one on https://providers.xmpp.net/. All of this is free software, (although in the case of XMPP being federated you can't guarantee that your messages won't be routed through proprietary servers.)
Not affiliated with either, I just LOVE those two.
https://www.youtube.com/watch?v=sX_EHeCbMqc
2 more comments available on Hacker News