“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.”

Fourth Amendment to the United States Constitution

I recently documented Apple scanning proprietary business files with an undisclosed machine learning process called mediaanalysisd. Nine gigabytes of RAM. Full user permissions. No off switch. No informed consent. Running silently on every Mac sold worldwide.

People got angry at Apple. Good. They should be. But Apple is a symptom. The real problem is the law.

The Legal Reality

There is a court system in the United States that most Americans have never heard of. The Foreign Intelligence Surveillance Court. FISA Court. Created in 1978. It operates in secret. No public hearings. No adversarial process. No jury. A judge reviews government requests behind closed doors and issues orders that are classified the moment they are signed.

Under Section 702 of the Foreign Intelligence Surveillance Act, the government can compel any US company to hand over communications data without a traditional warrant. The stated purpose is foreign intelligence. The practical reality is that enormous amounts of American data get swept up in the process. The government calls this “incidental collection.”

Then there are National Security Letters. The FBI can issue these without any judge signing off at all. An NSL demands that a company turn over customer records and it comes with a gag order built right in. The company cannot tell you they received it. They cannot tell you they complied with it. It is illegal for them to speak.

Apple, Google, Microsoft, Amazon, Meta, Anthropic, OpenAI. Every company incorporated in the United States is subject to these laws. No exceptions.

This is a separate issue from Apple’s mediaanalysisd. Tim Cook did not scan files because a court told him to. Apple chose to build that process on their own. No FISA order required. That is a corporate decision, not a government problem. Two different problems. But here is where they meet: Apple built a process that scans every file on your machine and generates structured analysis data. Now that infrastructure exists, it is available to anyone who can compel Apple to hand over what it produces. Apple built the pipeline. The government has the legal authority to tap it. And you are in the middle with no idea either one is looking at your files.

We Already Know This Happened

In 2013, Edward Snowden disclosed PRISM. An NSA program that collected data directly from the servers of nine major US technology companies. Microsoft. Yahoo. Google. Facebook. YouTube. Skype. AOL. Apple. This is documented history, confirmed by classified slides published by The Guardian and The Washington Post.

The companies denied “direct access” and said they only comply with “lawful requests.” The distinction is meaningless. The data left their possession and ended up with the US intelligence community either way.

PRISM was authorized under Section 702 of FISA. That same Section 702 was reauthorized by Congress in April 2024. The legal authority that made PRISM possible is still active law.

Privacy Policies Are Marketing

Go read Apple’s privacy page. “Privacy is a fundamental human right.”

Now go read a FISA Court order. Some are publicly available. The FISC publishes declassified orders on their website. The ODNI releases them. The FBI Vault has them through FOIA. What you will find is page after page of heavy black redactions. You can see the structure but not the substance. Those are the ones they chose to release. The orders that compel specific companies to hand over specific data? Those stay classified. You will never see them.

A privacy policy is a statement of corporate intent. A FISA Court order is a legal obligation backed by the full weight of the federal government. When those two conflict, the court order wins. Every single time.

Apple says they cannot read your iMessages because of end to end encryption. Technically true for messages in transit. But until late 2022, iCloud backups of those messages were not end to end encrypted. Apple held the keys. They eventually introduced Advanced Data Protection, but it is opt in, not default. Most users do not know it exists. Most users’ iCloud data is still encrypted with keys Apple holds. Apple can still be compelled to decrypt it.

Every privacy promise from every US tech company has this same structural flaw. They cannot promise to defy a federal court. And they cannot tell you when they have been ordered to comply.

The Architecture Problem

This is not a policy problem. This is a math problem.

If the company can read your data, the government can make them hand it over. Full stop. Encryption at rest does not solve this if the company holds the decryption keys. That is like locking a safe and taping the combination to the door.

End to end encryption helps, but it breaks the moment a server needs to process your data. Search, AI features, analytics, spam filtering. Every feature that requires the server to understand your content requires the server to see it. And the moment the server can see it, a court order can extract it.

The business model of cloud computing is fundamentally at odds with user privacy under current US law.

Zero Knowledge Architecture

There is one architecture that solves this. Zero knowledge.

The company stores encrypted data. The keys exist only on the user’s device. The company never sees the keys. Never sees the plaintext. Could not read your files even if they wanted to. A FISA Court order to a company that genuinely cannot decrypt user data produces nothing useful. The architecture makes compliance mathematically impossible.

When a grand jury subpoenaed Signal in 2016, they produced two pieces of information: the date the account was created and the date it last connected. That is all they had. That is all they could have.

ProtonMail does the same for email. Encrypted on your device before it reaches their servers. Proton cannot read it. Based in Switzerland, outside US jurisdiction entirely.

Privacy enforced by math, not by policy.
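
The difference between provider-held and user-held keys, as an added example that is not from the original article: key derivation and encryption run only on the client, and the provider's disclosure function returns everything it has. The names (Provider, client_encrypt, compelled_disclosure) are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def derive_keys(passphrase: str, salt: bytes):
    """Client only: stretch the passphrase, then split into cipher and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as the keystream.
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def client_encrypt(passphrase: str, plaintext: bytes) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def client_decrypt(passphrase: str, blob: dict) -> bytes:
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    want = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                    hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):  # verify before decrypting
        raise ValueError("wrong passphrase or modified blob")
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

class Provider:
    """Hypothetical storage service: holds blobs, never a passphrase or key."""
    def __init__(self):
        self.store = {}
    def put(self, user: str, name: str, blob: dict):
        self.store[(user, name)] = blob
    def compelled_disclosure(self, user: str) -> dict:
        # Everything the provider is able to produce. File names and sizes
        # are still visible; only the content is out of reach.
        return {n: b for (u, n), b in self.store.items() if u == user}

if __name__ == "__main__":
    doc = b"constructed sample: proprietary build notes"
    cloud = Provider()
    cloud.put("alice", "notes.txt", client_encrypt("constructed passphrase", doc))
    blob = cloud.compelled_disclosure("alice")["notes.txt"]
    print(doc in blob["ct"], client_decrypt("constructed passphrase", blob) == doc)
```

The disclosure still reveals that a file named notes.txt exists and how long it is, which matches the kind of metadata-only response described above for Signal.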

We Still Need Intelligence

I do not have a clean answer to this problem. The threats are real. Terrorism, human trafficking, child exploitation, organized crime, foreign espionage. The tools that help catch these people have saved lives. I support that fully.

But the system we have does not distinguish between a terrorist coordinating an attack and a small business owner storing proprietary code on a cloud server. It collects everything and sorts later. That is not targeted intelligence. That is a dragnet. And dragnets catch the livelihoods of ordinary Americans who are just trying to get ahead.

We have a constitutional right against unlawful search and seizure. It went out the window. Not in some dramatic moment. Quietly. Through classified court opinions that redefined what “search” and “seizure” mean. The founders were thinking about British soldiers kicking down doors. The modern version is a secret court order to a cloud provider. No door gets kicked down. No one even knows it happened. That is exactly what the Fourth Amendment was written to prevent.

Nobody approved this. Congress reauthorized Section 702 in April 2024. Did your representative call you first? Did anyone ask the American people whether they were comfortable with their trade secrets being fair game for incidental collection? No. They voted. It passed. You found out after the fact, if you found out at all.

The declassified compliance assessments from ODNI show FBI agents repeatedly running queries they should not have been running. The FISA Court has called them out multiple times. These are documented violations, not hypothetical risks.

Is IP theft happening to hard working Americans through these systems? I do not know. I cannot prove it. But the architecture makes it possible, the legal framework makes it legal, the secrecy makes it undetectable, and the documented compliance violations prove the system does not always work the way it is supposed to.

Disclose It When It’s Over

There is no structure protecting the American people after their data is collected. No framework that says here is how long it is retained, here is who sees it, here is the proof it was deleted. Nothing. A person can spend twenty years building a company and their entire competitive advantage can be sitting in a government database because it got swept up alongside something that had nothing to do with them.

These are not billionaires with teams of lawyers. These are contractors, developers, accountants, small manufacturers. People running businesses out of their house who built something real with their own hands.

I understand an ongoing investigation. You cannot disclose collection while the case is active. But when the investigation is over? When the case is closed? Disclose it. End of story. Tell the person their data was collected. Tell them it was handled properly. Tell them it has been purged. People just want to know they are safe. That is all anyone is asking for.

Maybe the classified orders are on our side. Maybe the system is working exactly the way it should. If that is true, transparency after the fact costs nothing. It only proves the system works. The only reason to keep it secret forever is if you do not want people to see what happened.

How to Protect Your IP Right Now

The cloud is the problem. As long as your files sit on someone else’s server, they are subject to someone else’s legal obligations. The only way to truly protect your intellectual property is to control the box.

Run your own cloud

Nextcloud is a free, open source platform that replaces Google Drive, Dropbox, iCloud, and most cloud services. File sync, contacts, calendar, photo backup, collaborative document editing. You install it on hardware you own. Your data never leaves your network.

Nextcloud is licensed under AGPLv3. Completely free. No locked features, no enterprise paywall. The company behind it, Nextcloud GmbH, is employee owned, bootstrapped, headquartered in Germany, and has never taken venture capital. Germany, France, Sweden, and the Netherlands use it for government infrastructure specifically because of digital sovereignty concerns.

You can run Nextcloud on a dedicated mini PC for around $200, an old desktop you already own, or even a Raspberry Pi. Add your own hard drives for storage. After the initial setup there is no monthly fee. No subscription. You own it.

Access it securely from anywhere

WireGuard or Tailscale creates an encrypted tunnel between your devices and your home server. No port forwarding. Nothing exposed to the public internet. Tailscale is the simplest option. Install it on the server and your devices and it just works. All traffic between them is encrypted end to end.

Use containers without Docker

Podman runs the same container images as Docker but without the background daemon, without root access by default, and without phoning home to anyone. Developed by Red Hat. Open source. No telemetry. If you run Nextcloud in a container, use Podman.

Encrypted messaging

Signal for messaging. End to end encrypted. The Signal Foundation cannot read your messages even if subpoenaed. They have proven this in court.

Encrypted email

ProtonMail for email. Zero knowledge encryption. Proton cannot read your email. Swiss jurisdiction. Supports custom domains for business use. Or run your own mail server on your own hardware for complete control.

The principle

If you control the hardware, a court order has to come to your door. You know about it. You can call a lawyer. You can challenge it. That is the Fourth Amendment working the way it was designed. The entire FISA problem exists because there is a middleman. Remove the middleman and that attack vector disappears.

The Line in the Sand

Your data is your papers. Your code is your effects. The server where you store them is your house.

We need intelligence capabilities. Go after the terrorists. Go after the traffickers. Get a warrant. Show probable cause. Do the work.

But do not point the machine at every American who is busting their ass to build something. Do not collect the intellectual property of people working eighty hour weeks and call it incidental.

The technology to protect yourself exists right now. The tools in this article are available today. You do not have to wait for Congress to fix this. You do not have to wait for a company to keep a promise they are structurally incapable of keeping. You can take your data off their servers this weekend.

The Constitution guarantees the right to privacy. The technology to enforce it exists. Use it.