How Patriot Act Search Warrants Can Affect All of Us Online

A recent Associated Press article about the FBI raiding an Ohio-based chat host company's offices and confiscating its servers sent a chill up my spine.

The FBI acted on information that someone may have used the service for hacking. It was within its jurisdiction, obtaining a warrant for the search and seizure. But it's what they could do with those servers and the information stored on them that really has me spooked.

These chat rooms' servers have IPs and probably e-mail addresses (if not much more) stored on them about both the regulars and the "just-passing-through" users. Since the FBI was looking for someone who may have hacked someone else's computer through the aforementioned chat hosting service, everyone came under scrutiny. In other words, if you ever visited that chat room and participated (or maybe just looked around) you're a suspect.

As a practical matter, seizing an entire server to use as evidence is almost a necessity; there's not really any other way to ensure that data on that server is both safe from alteration and available to both prosecution and defense. Most "evidence" on a server consists of log files or the files left over by a hacker after breaking in, and both of those types of evidence are almost necessarily deleted over time by a properly run system.

The people whose information is actually on that server will see it differently. If a server gets taken, everyone who accessed it will have their data examined as least cursorily (to see if their data is evidence). In theory, if the evidence isn't covered by the current search warrant, it's supposed to be ignored -- but who wants to bet on that actually happening, once it's been examined, if the investigating officer finds something a little suspicious about it? And even if there's nothing suspicious about it, there are still a lot of things you don't want random people reading.

The first-line answer: use encryption. The problem with that is that the police won't be able to read it either, and that's going to put you in the suspicious list by itself; not to mention, most people don't have even the first idea how to use encryption for their email.

There isn't a good answer for this yet. But there will be, and it's pervasive, server-managed encryption. Implemented properly, such a system would allow the truly private to use their own encryption mechanisms, but allow those who aren't as concerned to use encryption managed by their email address provider. Using such a system, when presented with an email warrant, the owner of the server could decrypt only the emails to or from the specific email addresses named. No one else would have their privacy violated. It's not as secure for the end-user, but it's a hell of a lot better than the current situation.

Of course, that won't stop law enforcement from simply taking the whole thing, at least for now.