Hacker News
by seiferteric 588 days ago
I wonder how these "office raids" would work for remote first companies that don't have much of an office presence and with little or no physical documents and everything being stored in the cloud somewhere.
14 comments

That's basically what happened when they tried (twice, I think?) to raid Uber offices in France, their boss pressed a kill switch and everything went down in seconds. It completely blocked the investigation.

Afterward Uber helped Macron campaign who then ordered National Financial Prosecutor's office to "stop bothering them" so I don't think anything new happened since.

Edit: Some sources in the replies below for info on both. Turns out I'm wrong on the 2nd part; it started earlier than his campaign.

That sounds so illegal, it's crazy there aren't consequences for that.

EDIT: Article on the kill switch https://www.theguardian.com/news/2022/jul/10/uber-bosses-tol...

If you are a little person in the USA, I believe that would be spoliation of evidence.
I don’t think any of these kill switches involved deleting data, just temporarily removing access of systems in the affected office.
Not a lawyer, but let’s say the cops were searching my house. If I threw the keys to my unbreakable safe out the window, such that they could never be found, I doubt a judge would care for the distinction. That the evidence exists but cannot be accessed is still going to find you in contempt.
Now let's say that instead you threw the keys to your unbreakable safe to your friend across the Atlantic Ocean. And you say that you didn't know that the people entering were cops. And your friend won't give the keys back. The evidence may exist, you cannot access it, neither can the police. The court has no jurisdiction over your friend and you have no authority to force your friend to give you the keys back.

At that point, whether you are in contempt or not depends on the answer to the question "did you know that the cops were entering to look for evidence before you threw the keys?" Whether the judge holds you in contempt or not is a function of the free choice of the judge and is not related to the answer to the first question (though whether or not the judge should hold you in contempt is a function of what the judge believes about what you believed).

If it were keys to a safe that existed outside of the warrant requirements (in another country in fact), then it would likely not be illegal. The regulators would be unlikely to be able to legally access that safe anyways without extra due process, so it’s mostly about protecting against unwarranted access.
The keys still exist and are accessible. What the kill switches do is make a fishing expedition harder. If the police knew of the existence of a specific document, or even all documents pertaining to certain terms, they could issue a targeted subpoena which Uber would have to comply with (at least in the US).
That metaphor doesn't seem directly applicable to cutting off cloud access.

If we're trying for a metaphor that would be a similar situation pre-digitization, the cloud servers containing business documents could be considered head office, and the office being raided would be the branch office. The branch office would continually be communicating with head office for their operations, and that communication would be shut down during the raid.

This isn't a great metaphor because the "head office" has become sort of stateless and ephemeral with digitization, but that's part of the interesting question the OP was posing, how does law enforcement collect evidence when that evidence is hosted on cloud servers in nebulous datacenters?

As long as no police has confiscated (in most countries this involves the policeman touching it, I bet) the equipment you can break it or make it inaccessible however you like. It's your stuff, after all.
>Not a lawyer, but let’s say the cops were searching my house. If I threw the keys to my unbreakable safe out the window, such that they could never be found, I doubt a judge would care for the distinction.

What if the safe was never in your house at all, but it was in a foreign country across an ocean? And when the cops showed up, you simply threw the keys across the ocean too?

If the cops know of something particular in the safe, then maybe the judge could find you in contempt for not producing that thing when ordered by the court, but otherwise, I don't see how they have any legal leg to stand on.

This is like not giving them the password to your phone which I thought was protected at least in the US. They’re both literally keys.
> I doubt a judge would care for the distinction.

If the judge receives a call from the ministry of justice, they will care a great deal about the distinction.

This theorycrafting is cute, but in reality you've mixed up corporate entities and yourself as a person in a criminal case.

And if a corporate entity finds a way to openly defy a national government, it tends to happen that those governments find a way to change the law (they're the ones making it, right? :P) for that defiance to become punishable by other parts of those governments which can sanction the corporation, prevent their operations within the country or even throw people in jail.

Even if you do it before you could have known you were being served a warrant?

IIRC, they did it in the US too.

Ok I'll bite... wtf
Nothing uber does is crazy anymore
Not by comparison to Uber at least. 'Historical' documentaries about it are going to be wild. And probably on Netflix.
If you haven't seen superpumped or read the book and are interested in Uber's story, it's worth a read/watch, though it's dramatized for tv.
I meant they have redefined the bar for crazy to be so high no one will ever cross it. They are the GOAT for crazy.
History is written by the winners sadly enough.
you'd think a judge could order you to provide the documents and then jail you for contempt of court until you do?
The alternative, giving them a password that gives them read/write access to sensitive systems, would be insane. Subpoena for particular data.
You are aware of the fact that tax evasion means these companies are freeloading on the tax money the rest of us (including: you) are paying? Especially in the case of uber which is essentially using public infrastructure to make their money having them pay taxes should be normal.

I agree that customer data needs to be protected, but it is bold to assume that is the case at all with these powerful corporate entities: if they lie to the state when filing taxes what makes you believe they are earnest when it comes to the protection of their users' privacy?

Maybe it is a weird ideology I am holding here, but the more powerful an entity is, the more transparent it should become — nowadays we got this completely reversed with poor people being naked in front of the state and big corps literally fooling everyone.

Edit: some also seem to think the state is the behemoth that jumps on the poor little companies here. To that I just have to think about the account of the German public prosecutor Bäumler-Hösl (of wirecard fame) where she told about a raid on a bank where she and 4 colleagues were opposed by 130 (!) company lawyers.

> if they lie to the state when filing taxes

In general this is not what they do. What they do is read the tax code carefully and structure their operations in such a way as to minimize taxes, e.g. because tax is paid on "profits" (revenues minus expenses) so they shift more expenses into jurisdictions with high tax rates etc., causing "profits" to go down in those jurisdictions and up somewhere else.

Then they don't pay any taxes in the jurisdictions with higher tax rates and politicians go on TV and complain about the companies following the laws that the politicians enacted. Because if they actually fixed the laws, the taxes would be paid based on the extent to which the company does business in that jurisdiction, and then companies could only avoid taxes by not doing business there (costing the country jobs) or, for taxes associated with local sales, by raising prices there. Neither of which the politicians actually want to do, so instead they pass laws that allow companies to avoid taxes and then complain about it when the companies do it.

The law was always there to step on the little man, the VIPs always had it easier. Stop thinking too much about it.
nah I think we need systemic rules that help the little man while making it harder the bigger an entity grows.
Thinking the systems that a company has are so sensitive that the company is basically above the law is the insane thing.

It is just a company--a group of people granted certain rights. They have databases...fancy filing cabinets. Just because the company is famous shouldn't preclude their filing cabinets from being searched (presuming legal processes are used and not abused).

> They have databases...fancy filing cabinets. Just because the company is famous shouldn't preclude their filing cabinets from being searched (presuming legal processes are used and not abused).

That analogy doesn't work, because the "filing cabinets" are actually sitting somewhere else, possibly in another country/continent. It's not obvious that authorities in one country have authority over documents stored in another country.

I think it is not crazy to think that if the contents are used from some country then intentional obstruction of justice stuff like kill switches or dropping VPN connections should be treated as intentional obstruction of justice. AKA reality of use matters more than "location" of data.
I and many others think the government should have 0 business in my filing cabinet. That difference in world view might be what makes this topic more complex than you seem to think.
[Not parent poster] So even the most heinous act of violence become unprosecutable when the suspects/accomplices have moved all remaining evidence into a magically inviolable filing cabinet?

No? Then the world is a lot more complex than property rights trumping everything else.

Uber has a history of serving falsified data to the justice, though. Their offices are raided because they can’t be trusted with a subpoena.
The real issue is that technology has rendered office raiding useless. People are welcome to explore alternatives.
> People are welcome to explore alternatives.

For companies that deliberately obstruct justice work? Have the board and a healthy amount of executives serve 20 years in a high security prison, seize the assets and investigate their investors' due diligence process. Gather proof with infiltrated workers.

Tech leaders need to learn that criminal conspiracy is not part of a good business plan. If they start using mafia tactics, so can Justice.

You can give them read access tokens that expire every couple of hours....
The problem is deeper than that. When a physical space is raided, its scope is obvious. Digital spaces don't have that characteristic. There can always be hidden indexes.
Yeah it's hard to see how any French official would have authority to conduct searches 10 meters beyond French borders, let alone over all of Uber's computers located in dozens of other countries.
Hard to see how a company can imagine it can do business in a country and not follow that country’s record keeping laws and be subject to criminal and civil statutes in that country.
How is this relevant to Uber's files and computers located in other jurisdictions?
If a company is doing business here, the actual location of file is irrelevant.

Also when the government is really motivated, it can arrest the founders or executives directly (Pavel Durov). Which is what they should do to Netflix execs if they are doing business illegally.

>Also when the government is really motivated, it can arrest the founders or executives directly (Pavel Durov). Which is what they should do to Netflix execs if they are doing business illegally.

You're in favor of holding executives hostage to demand access to data? If they actually did something illegal, they can be arrested/tried for that, but arresting executives as a means to coerce companies into doing stuff is a total perversion of the rule of law.

That sounds like a pretty poor precedent when e.g. Russia or China raids the local office of a social media company to get data on a dissident.
Irrelevant according to who?
> Afterward Uber helped Macron campaign who then ordered National Financial Prosecutor's office to "stop bothering them" so I don't think anything new happened since.

Isn’t that kinda the definition of corruption?

I do need to correct myself, looks like "friendship" started before his election: https://www.euronews.com/2023/07/18/a-privileged-relationshi...

Pretty crazy to support a business designed to never pay tax. This brings nothing besides "precarious employment".

Woah, slow down there citizen.

It’s been rebranded to “lobbying” and “campaign contributions”. Much cleaner. Better optics.

Ahahahah you fool, don't be ridiculous, in civilized western countries we call it lobbying
No. Corruption is when the others are doing it. /s
How the hell can any of what you just described be legal?

Do you have any articles about this? Because this is insane if true.

It kinda sounds like you can't raid Uber / Netflix without hackers, Ghost in the shell type raid. Which is probably the future of raids.
This is one of the prime threat models for things like encryption of data at rest on servers
Why should it be illegal? Isn't it akin to "right to remain silent"? Why the need to present any information to police unless it is asked by court. Assuming that they didn't delete the data, just moved it to somewhere safe where it couldn't directly be taken away.

We had a raid in one of my previous companies due to copyright violation due to user-uploaded content. Authorities came in to take in all the codebase, reports and even employee devices. Basically once given court permission, police would try to collect all the unrelated things which could be taken in the permission, so that they could extort you later.

It can be destruction of evidence, which is illegal.
Denying access to data that could still be specifically subpoenaed isn't destruction of evidence, it's a normal security measure. They still have the warrant to search everything in the office, but not the right to use those computers to access uber's entire worldwide infrastructure.

I have no idea what French law says about it but I think it's morally fine and don't care that uber did it.

I think this is an example of law lagging technology. A warrant gives the police the right to inspect and seize contents of a safe inside a house. Similarly, the law should be updated so that a warrant gives the police the right to inspect and seize contents of local computers. Local computers surely have valid certificates that allow the computers to connect to the mothership, right?
I just have a hard time believing that any of us could get away with that.
Unless it wasn’t destroyed, in which case it might be interfering with an investigation, which is probably also illegal in France.
It's definitely interference/obstruction at least of the raid itself yeah, but looking at the text and not being a lawyer I have a feeling it may be extremely hard to prosecute for something more substantial than a fine low enough for a French exec to have it as a guaranteed expense (bn€ in tax fraud vs a few k€ in fine). The law does also mention prison but it's not the kind of stuff that ever ends up being applied for fiscal related cases.
Because the government already has a warrant to obtain this evidence(they can't raid the office otherwise) and you as the company pushing this button are failing to turn over that evidence.
I guess locally encrypted files in my computer are a problem as well then
In many jurisdictions it actually is a problem

https://en.m.wikipedia.org/wiki/Key_disclosure_law

And if raids are court ordered?
I assume when the office was raided there was a warrant that would give police the right to inspect and seize property...
My impression was that they were trying to get remote access to ubers US servers/infrastructure/data?

Might be wrong...

Presumably the French police aren't randomly deciding on a Tuesday for no reason to check the company for proof of them being tax cheats without some court somewhere requesting it, but even if they were, we're talking about a company here, not a person. A person has the right to remain silent, it doesn't make sense for a company to have that same right.

And the 2nd half just reads like pure corruption to me, they paid off some politician (who just so happens to wield the most power in the whole country) to pressure him to get them to stop their investigation into their illegal acts? In what universe could that 2nd sentence be construed as anything other than slimy, corrupt behavior?

> And the 2nd half just reads like pure corruption to me

Why did you conclude that?

There was some user-uploaded pirated content on our platform. As far as I know, some media company won approval by some judge for a raid to discover the extent of piracy. It's just in the police rulebook to get everything during the raid where there could be pirated content, including employees' laptops.

Sorry, I meant the 2nd sentence of the OP, where they mention Uber paying off Macron.
That’s so interesting, probably a good move for them, it’s not their job to make governments lives easier
Sounds like obstruction of justice or what not
do you have a source for the "kill switch"?
Some Saturday morning cartoon villain behavior, lol.
I'd imagine you'd get done for not being tax compliant. At least in Ireland you have to be able to show all tax accounting for the last four years on request by Revenue. If you can't produce this and all the files 'have gone missing' or 'we can't find the cloud keys' I'd expect you to be fined out of existence and ordered to cease trading immediately. So that would be worse than getting dragged through the courts while you pay lawyers to figure out how to mitigate any fines or sentences passed down. I think it can even result in prison time for the CEO and other company officers.
I'd expect it to be something along the lines of "sorry Mario, but the princess is in a different castle" bit of shell game. "no no mister Revenue man, we have that information you want, but it's in a different office".
This is why companies are required to have registered addresses. As far as the law is concerned, that address is where all your records can be accessed, and requested from.

If the state turns up at that address, and you tell them they’re at the wrong address, then the directors start becoming liable for fraudulent behaviour.

There is only so much you can play whack a mole -- virtually nobody 'cheats' the taxman. There are plenty of legal loopholes etc. if you are smart enough to use them.

If you aren't -- you'll find the enforcement end of the tax authorities in ANY country are pretty efficient. Even in third world countries where many services are falling down the tax authorities will be a well oiled machine as the stability of the entire country rests on the government even corrupt ones to collect taxes.

Accounting audits are done by the FISC agency in France. But those are just audits, not raids. This raid was ordered by a judge, which can probably be seized by FISC if they believe that the documents they have are falsified.
sure but politely demanding some documents is not the same as raiding an office
There was an interview with Anne Brorhilker, who used to be state's attorney and was investigating in CumEx cases. She stated that it is a huge pain, because you always need to ask the foreign agencies for assistance, which you sometimes simply won't get.

It was a good listen. At first she needed to go empty handed, but then teamed up with competent tech guys. After that the smug faces stating that the amount of data would be too much to handle for her little department quickly turned into concerned faces.

That sounds fascinating, do you happen to have a link? (I'm getting a lot of German results, which unfortunately I don't have the fluency to parse to find the 'right' one.)
that's fine! I can handle translating an individual page (or interview) if I've high confidence it's the right/relevant one, just parsing search results is harder cross-language (for me, anyway).

thanks much!

Here's a direct link to the transcript if you haven't found it yet: https://logbuch-netzpolitik.de/lnp500-zombiecalypse-im-grune...
Nice!

> Tim Pritlove: Okay, zweiter Bildungsweg. Welches Instrument haben Sie denn gespielt?

> Anne Brohrhilker: Klavierung, Pferdflöte.

Oh, AI transcribed. Nevermind.

Holy crap that’s an interesting interview. Genuinely hilarious comment from that CIO as well. I knew nothing about this case before. Thanks for sharing.
> everything being stored in the cloud somewhere

Sounds like it would make it easier for law enforcement. They no longer need a warrant against/for the company they're investigating, just the place where their data is stored. Get the warrant, raid the place and grab the drives, then continue the investigation. Done the right way, the company under investigation wouldn't even notice it.

Grab the drives from the cloud?

Isn't most data in the cloud heavily distributed and broken into shards across many racks and drives and such? And encrypted so is useless outside of the custom block storage system employed by the cloud provider?

They would need to decrypt and assemble the shards to get usable data out.

I have no clue how they would even know which drives out of the tens of thousands to grab, and they would also have other customers' data on them.

They'll just get a warrant to search the live system as it is powered on rather than take a cold drive.

https://leb.fbi.gov/articles/featured-articles/executing-sea...

Or in China, just take the entire data center. https://www.theregister.com/2018/01/11/icloud_china_goes_to_...

It's simple, just grab all of S3.
The data is stored on a server in another country where the warrant isn’t worth the paper it’s printed on. Now what?
That is why countries are increasingly demanding (and mandating) those data (of citizens and business done there or that involves that nation or its citizens) to be stored inside their borders.
That's why I wonder if these raids are really more for show, can't they do this pretty much already?
Completely for show since they even make press releases about it.

And it's sad to see the atrocious quality of the BBC article. Even high school students learn that a journalistic piece should make sure it touches the Five Ws of good journalism...

https://en.wikipedia.org/wiki/Five_Ws

The Hollywood Reporter has much better quality reporting including context: https://www.hollywoodreporter.com/business/business-news/net...

First the data is stored in another country. Second are they really going to raid and take the drives at an AWS data center that has other customers’ information? How will they know which drive to take?
>First the data is stored in another country.

Plus you can engage in some jurisdiction arbitrage where all the documents pertaining to country A are stored in country B, and all the documents pertaining to country B are stored in country A.

> Second are they really going to raid and take the drives at an AWS data center that has other customers’ information?

You can also ask AWS to produce the files/documents for you.

And those files are hopefully encrypted at rest and probably using a customer managed key…
>using a customer managed key…

Not an AWS expert but how does that even work? Does AWS connect to your HSM remotely? Or is it a cloud HSM that's also hosted by AWS?

(Source: I am a current high level employee at a third party AWS consulting company and former employee at AWS working in the Professional Services department)

I actually was imprecise with my wording.

A customer managed KMS key is any key that you make instead of using an AWS provided key. AWS still has the means to theoretically decrypt the data.

I am actually referring to a customer managed KMS key where you import your own key material

https://docs.aws.amazon.com/kms/latest/developerguide/import...

There is also CloudHSM

https://aws.amazon.com/cloudhsm/faqs/#:~:text=AWS%20CloudHSM....

I don’t know how far “AWS doesn’t have access to your keys” goes when it comes to a government subpoena.

I do know that if anyone accesses anything on your account from AWS, all sorts of internal alarm bells go off at AWS and it would still show up in your CloudTrail logs.

I’m sure there is something that allows internal AWS employees to access your account in unauthorized ways. But I never heard about it in 3.5 years working there in the Professional Services department.
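The CloudTrail point in the comment above, as an added example that is not part of the thread or any poster's code: a small audit that scans CloudTrail-format records for use of one KMS key by principals outside an allow-list, and for key lifecycle or policy changes. The account ID, key ARN, role names and log records are constructed placeholders.

```python
import json

# Placeholder key ARN and allow-list (assumptions for this example only).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
ALLOWED_PRINCIPAL_PREFIXES = (
    "arn:aws:sts::111122223333:assumed-role/app-backend/",
    "arn:aws:sts::111122223333:assumed-role/key-admin/",
)

# KMS operations that read or produce data keys, and operations that change
# whether the key (or its imported key material) stays usable.
USE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey"}
LIFECYCLE_EVENTS = {"DisableKey", "ScheduleKeyDeletion",
                    "DeleteImportedKeyMaterial", "PutKeyPolicy", "CreateGrant"}

# Constructed records using CloudTrail field names; not real log data.
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/app-backend/i-0abc"},
  "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/some-other-role/session1"},
  "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime": "2024-01-10T09:10:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteImportedKeyMaterial",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/key-admin/alice"},
  "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime": "2024-01-10T09:15:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/some-other-role/session2"},
  "resources": [{"ARN": "arn:aws:kms:eu-west-1:111122223333:key/OTHER-KEY-ID"}]},
 {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/app-backend/i-0abc"},
  "resources": []}
]
""")


def touches_key(record, key_arn):
    """True if the record lists the given key among its resources."""
    return any(r.get("ARN") == key_arn for r in record.get("resources", []))


def principal_of(record):
    """Best available identifier for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def audit_key_usage(records, key_arn, allowed_prefixes):
    """Return findings for unexpected callers and for lifecycle/policy changes."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if not touches_key(rec, key_arn):
            continue
        name = rec.get("eventName")
        if name not in USE_EVENTS and name not in LIFECYCLE_EVENTS:
            continue
        who = principal_of(rec)
        reasons = []
        if not who.startswith(tuple(allowed_prefixes)):
            reasons.append("unexpected principal")
        if name in LIFECYCLE_EVENTS:
            # Reported even for allowed admins: these calls can make data unreadable.
            reasons.append("key lifecycle or policy change")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "event": name,
                             "principal": who, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_key_usage(SAMPLE_RECORDS, KEY_ARN, ALLOWED_PRINCIPAL_PREFIXES):
        print(f["time"], f["event"], f["principal"], "; ".join(f["reasons"]))
```
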

Data stored in another country: are there reciprocal prosecution agreements with that country?

Raiding AWS: call Amazon, provide subpoena, Amazon can either give access to the account or provide copies of data. This would only allow access to non-customer encrypted data.

I played with encryption schemes and obfuscation pretty heavily for a long time, but at the end of the day companies operate within the legal frameworks of the countries they reside in. If you don’t cooperate, you could end up in jail anyway.

I think the conclusion I’ve come to is that you have to play by the rules. If you don’t like them, is it really worth falling on the sword for a corporate entity?

It depends on the type of business. In the EU, VAT registered companies are usually mandated to have a physical location and local representative within the country of operation. So you can be remote all you want, as long as your company and fiscal representative can be reached at a physical location.
Yes, but you can hire anyone as an administrator and promise them a whole lot of money if they end up having issues with the law.

I would hire homeless people to “run” the company.

In Canada hire indigenous people as owners to save on taxes / get preferential treatment. See ArriveCAN (non-)scandal.
A homeless person wouldn’t qualify as they don’t have a fixed address which is mandatory.

Ultimately, if you really have bad intentions, you find a way. It’s a question of risk and responsibility if you want to put yourself in such a position or not.

Actually, in many countries, homeless people have IDs with their last address on. Having a home and having an ID with an address on it are two different things.
I don't know how it works in other countries, but in the US you likely still need to provide a real address for many purposes (tax, immigration if applicable, etc)

The police could just find the correct targets and raid their home instead.

I have a virtualmailbox.com address - all my banks, the IRS, state voting commission and USCIS (immigration authorities) are all perfectly fine with it.
Wouldn’t your identity documents required to open a bank account show a residential address?
Can't say for sure. I opened all my bank accounts while still having a proper residential address, but after relocating to another country changed the address to a virtual one, no one said a word.
If everything is synchronised to third-party cloud storage an "office raid" can be as easy as getting a court order telling the cloud provider to make a snapshot of everything stored available to the police.
Is there a product allowing for client-side encrypted mounts? Or just use a SAAS outside of the country that doesn't allow for exporting any data under any circumstances?
The whole point (or at least the main point) of the tax paperwork is to be able to produce them to tax investigators. If you don't want to share anything, then it's easier not to do the accounting. Which I guess is severely illegal globally.
Being unable/unwilling to produce mandatory records is fraud. Technical measures to be unable to produce records (e.g. offshore and encrypted archival) are evidence of criminal intent and possibly separate crimes.
So why did every company in the world start auto-deleting emails ~10 years ago? I don't believe many people were sued for fraud. These days cloud services have auto-delete based on time functionality?

It's called "object lifecycle management", because I guess fraud was too catchy.

You mean the auto-deletion that DOJ considered as deliberate destruction of evidence in Google case? [0]

Or are you talking about deliberate destruction of accounting records, which are required to be held by the relevant law of the governments?

[0]:https://www.legaldive.com/news/doj-google-spoliation-hangout...

Usually tax laws have a cut-off date. You don't need to keep records forever, but you do need to keep them around for a few years.
It's not the game you can win against the government
If you can get access to someone's laptop with SSO login access to the cloud storage (or their email inbox and Slack messages), then you have what you need.
IIUC email messages on cloud services older than 180 days don’t even require a US warrant(!) anyway.

https://www.eff.org/deeplinks/2013/05/update-email-privacy-l...

https://en.wikipedia.org/wiki/Electronic_Communications_Priv...

What funny, naive thinking. Cloud services don't protect from the official authorities. Unless you want to go to jail.
They just demand the data per warrant and if you don’t deliver you go to jail for obstruction of justice
How does that work if it's a cloud system and you're denied access because the IT admin from another continent locked you out? Are you going to keep the executive around as a hostage in hopes of getting them to release the files?
Why should the IT guy lock you out if you want to access your data?
Because you hit a kill switch hours earlier, or (more innocently) sent a slack message to your CISO that some "scary men" showed up at your doors.
And how do you explain to the police why the IT guy does that?

It’s pretty obvious to them and would be counted as obstruction of evidence

yes? that's why countries require human presence
Is that true? I'm not a lawyer but AFAIU, you don't have to provide incriminating evidence against yourself?
It’s more or less the dictionary definition of ‘subpoena’ eg. [0]:

> under penalty (you shall bring with you)

[0]: https://www.merriam-webster.com/dictionary/subpoena%20duces%...

The IT guys aren’t the ones under investigation.
It doesn’t. Especially with multinationals, and doubly so as crypto gains adoption. Hence why the governments of the world are in a panic. Decentralization is a huge threat to bureaucracy since their tools of intimidation and control are less effective.
Multinationals yes, crypto not really. The problems with crypto are just an extension of the existing "war on drugs" that has never really succeeded at anything besides justifying why lots of tax money should be spent murdering citizens.
The authorities ask for access to these online documents? Similarly to how they ask for access to physical documents (they don't break down doors and break locks on file cabinets). If the personnel of the company do not disclose some of the online documents, and these documents come up later (e.g. because they are referenced in some of the documents that did get disclosed), the people who did it get charged with tampering with a tax investigation.
What do you think "the cloud" is? I'm reminded of an old meme, "the cloud is just someone else's computer". They could raid a data center and seize machines. They could also subpoena data they are looking for.
You'd likely be seizing a bunch of other innocent people's data too, then, no?

As an American, I'd be really surprised if we let that happen. I looked and found it apparently happened once, in 2009 in Texas: https://www.cio.com/article/278564/data-center-when-the-fbi-...

It resulted in another company essentially being shut down, and suing for their data back. Crazy. There has to be a better way of doing that digitally (I assume there is, these days, and we won't see something like this again).

The idea that running stuff in the cloud will protect you from a criminal investigation is totally absurd.
I wasn’t thinking about that at all and don’t think it would -

I was mentioning how things have moved to the cloud these days, and what the implications are for innocent unrelated parties’ data, given that the cloud involves this overlap of data on one device.

What if those machines are on another continent?
I mean, that would be way easier for the government agencies, no? Just send a subpoena to the service providers, they hand over all the data and you're done?