Comment by LeoPanthera
2 years ago
I would suggest that if you are the police, you can break into a datacenter with a flash of a badge. I can't imagine many would attempt to stop you.
I would hope they at least:
* Require a copy of the badge number, and verify that this officer is assigned and expected to be at this business right now.
* Require them to sign into and out of the site.
* Annotate which systems / compromises are in place.
- That all of the above MIGHT be sealed under a court order; I would hope any such order has an automatic 'sunset' date, and possibly renewal upon review by a different judge.
A business can request visiting law enforcement to do all those things, and hopefully law enforcement complies. However, if they refuse to comply, realistically you just have to let them in anyway. Document their non-compliance and provide it to your lawyers, who can decide what action to take (lodge a formal complaint to the law enforcement agency, apply to a judge for an injunction to compel their compliance, etc.).
Well, that’s true in countries like Germany or the US. I suspect in somewhere like Russia or China, formal complaints are unlikely to achieve anything except invite government retaliation.
> realistically you just have to let them in anyway
No, you don't. If they have a warrant then you need to let them in for the purposes specified in the warrant. Otherwise you're free to tell them to piss off. Unfortunately you're also free to acquiesce to any of their demands.
This kind of passive, default-compliant attitude from service providers, while understandable from a "path of least resistance" standpoint, is exactly the kind of behavior that allows the third party doctrine to circumvent so many of our basic rights. As a service provider, often the more difficult path is to challenge authority, rather than to cooperate with it. And unfortunately that means that most service providers will simply cooperate.
The latter is not correct. There is a well-known difference in Russia between companies that willingly cooperate with government agencies informally, and those that just provide information upon formal request according to law.
Those are some very optimistic hopes!
You would expect that at AWS, but Hetzner is a low-cost operation.
I highly doubt it is that simple for LE to enter a DC without a warrant signed by a judge, but insiders have all of that access and plants in DCs can and do happen.
I was present when Dutch LE seized a bunch of servers on behalf of an FBI liaison officer in NL and everything went 'by the book'; there is no way an LE officer without a signed order from a judge would have been granted access.
> I can't imagine many would attempt to stop you.
You would be 99% wrong. Even if law enforcement presented proper paperwork, every colo I have ever used would call and verify the paperwork. They might not call me, but they sure as hell would call their own lawyers. Once law enforcement is on the other side of the cage, important customers who pay real money could get compromised.
There is a massive difference between getting physical access to your server in a data center and coughing up everything about your server by simply emailing a minion in a cloud provider.