Anand Chowdhary
/notes/2025

The jurisdiction gap in privacy

August 11, 2025
375 words
Reply on X
View on GitHub

I re-read my 2013 post on Orwell and the internet. In 2025 the web still feels borderless, but control is territorial. Most of our bits live in a few US anchored clouds and pick up their laws and secret courts along the way. That jurisdiction gap is the real privacy story now.👇 In October 2013 I called out a doublethink: “the internet is free” vs “the US government controls it,” pointing at PRISM and Megaupload. The thesis aged okay. My plot was off. Less movie, more plumbing and procedure. Access shifted from backdoors to legal orders and interfaces. What changed: - Cloud centralization deepened: mostly AWS, Azure, GCP - Law followed data: FISA 702 queries, the 2018 CLOUD Act’s cross border orders, and routine transparency reports - No “direct server access.” Think compelled interfaces, gagged APIs, and audits Tech moved the defense to the client: - E2EE is normal in Signal, WhatsApp, iMessage, Apple’s Advanced Data Protection puts iCloud keys with users - BYOK or even hold your own keys, customer KMS limits provider visibility Still leaky places: - Metadata, backups, and endpoints - Data residency helps compliance and latency, not extraterritorial warrants - Forward secrecy cuts retro reads, not your communication graph I turned on ADP the day it shipped. Worth it. Surprises and misses: - Default E2EE went mainstream faster than I expected (nice) - Workarounds grew anyway: geofence and keyword warrants, and agencies buying from data brokers - Courts called out misuse of 702 queries, companies added audits and minimization, yet the metadata economy thrives - Schrems II killed Privacy Shield in 2020, a new EU US framework arrived in 2023 with caveats - Platform consolidation increased leverage for states and vendors Net result: more user held keys, more regulated yet routine lawful access, and a bigger gray market for “lawfully acquired” data. Design principles that still hold: - Collect less - Encrypt on the client with user held keys - Separate identity from content - Reduce metadata - Assume compelled disclosure can happen Open questions: - Can we make metadata hiding usable at scale? - Where should warrant standards land for US person queries? - How do we align cross border orders with real oversight? Original post (2013 10 09): https://anandchowdhary.com/blog/2013/nineteen-eighty-four