| Actually, this is a quite interesting distinction to consider. There is significantly more danger in hacks which can "scale" due to centralization and non-physical access compared to physical access. In the case of cloud data, the government should be held to a higher standard of restriction, because all of the data is in one location, and requires only a single "factor", the identity of the target to collect data for. This applies to both "encrypted at rest" and "encrypted in flight" data. But for data encrypted at rest on actual physical devices, there's an inherent '2-factor' security to the private invasion. The government must not only know the identity of the target to collect the information, they must possess the physical device as well. ("something you know" + "something you have") This means, IMHO, there is far less danger, and far less scalability to "one off" hacks like the ones being requested to Apple. They don't scale to Snowden-level dragnets, they don't present low transaction cost barriers to acquisition. The dangerous think for decentralized data is having an active attack on the device, or something which intercepts the data "in flight". These are scalable attacks you need to worry about. E.g. "push a key logger to every iphone software update" Perhaps the law needs to make a distinction to warrants for 1-factor data vs 2-factor data, due to the inherent danger of 1-factor data, given that it scales easily to monitoring millions with little transaction cost. So in this regard, I think there should be MORE push back for collection of cloud data, but individual one-offs for physical devices have a safer threat model. I view this more like a Vault being found at the home of a murderer, and the cops asking the Vault maker to help unlock the Vault without revealing the proprietary locking mechanism, or without the cops needing to blow up the vault and potentially lose whats inside. |