
Comment Re: The problem? (Score 1) 149

As I've said elsewhere, you're confusing the search DOMAIN with the search TARGET.

The search DOMAIN is "every Google search". The search TARGET is "contains a specific address".

If I look through your entire house for a piece of paper with evidence, I'm still looking through your entire house. And whatever I happen to find in the process is actionable.

When you're talking about the Google searches of potentially millions of people, and you can use whatever you happen to find, there's an incentive to open up the search terms and capture more false positives. Even if this search's target isn't overly broad, it opens up a precedent that is very hard to codify and restrict.

Comment Re:The problem? (Score 2) 149

You're confusing the scope and volume of the data being searched with the scope and volume of the data matching the objective of the search.

Reviewing camera footage is only going through data on the people that were present in a particular place and their physical actions at the time, looking for specific persons.

Reviewing all Google searches involves looking through a large volume of personal information for a single search matching certain criteria. The scope isn't "naturally" limited, it's limited by a search term, algorithm, or person. It is very hard to define the specificity of what is being sought, leading to misuse and poor oversight. They're not the same thing at all for that reason.

It's like specifying a search warrant for an entire city for a piece of paperwork, then trying to justify it by saying you're only looking for that one piece of paper, so what's the fuss about? Any false positives that come up in the process of conducting a legal search can themselves be used for separate purposes. There's an incentive to make the search overly broad and capture many false positives to cast a wider net. It's more like the "stop and frisk" laws that cause a disproportionate number of POCs to be arrested.

Comment Re:Not really a Constitutional issue. (Score 1) 149

Nope.

If a company discovers evidence of a crime and turns it over to law enforcement of their own volition, the evidence will not be rendered inadmissible for improper collection.

If law enforcement directs a company to collect evidence and they do so, whether paid or not, they are acting "under color of law" and the evidence can be rendered inadmissible if improperly obtained.

Comment Re:The problem? (Score 1) 149

You mean my nefarious activities like looking up an address on Zillow to know how much it would sell for?

Judges are limited by laws and rules all the time in what they can or can't do. The 4th amendment limits their power to issue warrants only under certain conditions. Federal and state laws not only limit this further, but even specify minimum and maximum sentences they can issue.

I don't think I would want a judge's power to be absolute. While many of them got there because of reputation for sound judgement (pun notwithstanding), there are doctors, lawyers, judges, politicians, cops, and others that are completely off the rails and that's why there must be limits on their power. A judge gone rogue is a bad thing.

In my work we strive that no individual's actions - malicious or careless - can bring down critical pieces of our infrastructure alone without checks and balances or collusion. And that's just for revenue-critical activities, not those of a government that literally has people's lives in its hands.

Women are being advised to delete their period-tracking apps now because of the overturning of Roe v. Wade. That's because the data could be used to draw a conclusion about them should they have a miscarriage or miss a couple of periods for the many reasons that can happen other than pregnancy.

The way this country works, being charged with or even suspected of a crime - even if eventually exonerated - can be a life-ruining thing. It's not only criminals who would be adversely affected by this.

Comment Re:The problem? (Score 1) 149

The 4th amendment states that the description of either a place or persons to be searched. In most interpretations that would probably mean a suspect would not necessarily need to be named if the search is instead limited in place.

There are many gray areas behind this. Is Google a "place"? Would we have to name each and every datacenter where this data would be located? Is the information being searched through physical or the content of electronic communications, which bring other laws in and out of scope? Is that communication - the text of a search - considered speech?

These are nuances that courts at all levels and jurisdictions debate endlessly. The opinions and interpretations change all the time. These same nuances lead to loopholes and wild interpretations which are exploited - part of my "slippery slope" comment above. They are of much more consequence than should be given to any factor this unstable.

If an officer executes a search warrant describing the property to be searched and seized as "firearms" and comes across a small box which happens to be filled with cocaine, that isn't part of the legal search and would likely not be admissible as evidence - nor any leads coming from that discovery - because a firearm wouldn't fit in that box and it's not in the officer's scope to look. If on the other hand the warrant listed "firearms and/or ammunition" suddenly the cocaine is admissible because the box is capable of containing something named in the search. In other words, the scope of the search is limited to the minimum needed to determine if the thing being searched for is present.

Evidence that a search occurred is not itself evidence that a crime was committed. It's weak even for circumstantial evidence. It can provide leads but not evidence of wrongdoing. The item being searched for might be "Google search records containing this specific address" but the size of the "box" is "every Google search everyone did between dates x and y". That's like saying that evidence of the arson might be somewhere in the county, and so we're searching every home within it. That might seem like an exaggeration because searching everyone in the county's homes would be extremely invasive, but the information contained within our electronic records is often even more sensitive than that you might find in the physical contents of anyone's home.

Comment Re:The problem? (Score 3, Insightful) 149

A judge can issue a search warrant that is limited in location and describes the things being searched for. This is supposed to be done after a suspect is identified in order to gather evidence for or against that suspect.

We're talking instead about a blanket search of the information for anyone who uses Google, in order to identify a suspect in the first place. This is totally outside the scope of a usual search warrant.

Even the NSA denied before Congress that they were using "dragnet" techniques like this to find suspects. Of course they were, but they wouldn't admit to it. Do you think that if it was legally, morally, and in the public opinion justified to use these techniques that they would bother denying it?

Also, as far as what I search: there are a lot of things I search out of curiosity that I wouldn't want made public or that don't match my actual intent. There are activities that, while currently legally and socially acceptable, might be criminalized in the future by some corrupt administration. I imagine authors often search for things that would get them into trouble. There was also the guy whose family (different people, same IP) just so happened to search for pressure cookers and backpacks online within a day of each other right around the time of the Boston Marathon bombing, and was questioned extensively by law enforcement.

"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." - Cardinal Richelieu

Comment Re:The problem? (Score 0, Troll) 149

So where do you draw the line on what is "narrow" or "specific" enough? Can you codify your opinion in a way that's unambiguous?

Even if you can, it's opening up a precedent that can be pushed. At some point you'll end up with either unfettered access or disallowing this use of law enforcement power completely. There are no half-measures.

Comment Re:Not supricing (Score 1) 50

Agreed. Unfortunately, as this hack and many others have revealed, we are at the mercy of many things outside our control - libraries, docker containers, update servers, OS vendors, etc.

If you do the best you can with security, a realistic threat model is a good place to start and I was hoping to point out that "we're not a target" is not the basis for a realistic threat model. It's about as relevant to security posture as "I have nothing to hide" is to privacy.

If that sentence isn't a mantra that lures you into a false sense of safety, good. However, I am afraid that the more often it's repeated, the more others may buy into that path of delusion.

Comment Re:Not supricing (Score 1) 50

"Luckily our customers are small and medium companies and thus not likely targets for targeted attacks, just the generic ones."

That is a dangerous statement to make and believe. How many of those companies have large clients? It only takes one level of indirection to make YOU the victim of a targeted attack because one of those companies is a vendor to a Fortune 100.
