What's Your Threat Model? - Part 2

Most people assume their data belongs to them. It's their photos, their documents, their messages. They created it. Of course it's theirs.

Legally speaking, the moment you uploaded it to the cloud, it stopped being yours.

The Third Party Doctrine

There's a legal principle most people have never heard of that governs almost everything they do online. It's called the Third Party Doctrine, and it was established by the Supreme Court in the 1970s through United States v. Miller and Smith v. Maryland.

The core idea is simple and devastating: when you voluntarily hand information to a third party, you lose your Fourth Amendment protection against unreasonable searches and seizures. (Source: Institute for Justice)

In practical terms, when you upload a document to Google Drive, send an iMessage, or store anything on a third-party server, law enforcement can request that data without a warrant. You gave it up when you clicked "agree" on the terms of service you didn't read. Under the law, it's not your property anymore. It's theirs.

The Supreme Court did narrow this doctrine somewhat in Carpenter v. United States (2018), ruling that cell-site location data specifically requires a warrant. Courts are still debating how broadly the doctrine applies to other types of digital data. But for most cloud-stored information, the core principle holds: you shared it with a third party, so the Fourth Amendment doesn't protect it.

Now compare that to data stored on a server in your home. That's your property. It cannot be searched or seized without a warrant. A normal person is not going to have the FBI raid their home and take a server without one. That's top-ten-list stuff. For everyone else, a home server is legally protected in a way that cloud data simply is not.

This isn't about creating some new loophole. It's about restoring the protections that existed in the analog world for centuries. Privacy was the default. Property was respected. That can exist again in the digital world, but only if you own the infrastructure.

The Danger of Half-Measures

Before you rush off to download every privacy app you can find, there's a counterintuitive trap worth knowing about.

There's a fundamental principle in cyber surveillance: bad guys hide, good guys don't. Anyone who is trying to hide is automatically a person of interest. Anyone just using iMessage and posting on Facebook is not.

In a way, you're almost better off hiding in plain sight than trying to use privacy tools and failing.

Take Tor as an example. If you use Tor to visit a normal website like Facebook, you have to go through what's called an exit node. It's well understood in the privacy community that exit nodes are highly compromised. Using Tor to visit a normal website actually draws more attention to you than just visiting it directly. Tor hides you from the website (useful if you want to be anonymous to Facebook specifically). But if your goal is hiding your activity from state-level surveillance, it can backfire.

The same concern applies to encrypted messaging apps like Signal. You don't really know what code is running on your phone. You don't really know what code is running on their servers. They publish open-source code, but you didn't compile it yourself. The published code might have nothing to do with what's actually running. Is it better than nothing? Maybe. It might also be worse. You have no way of knowing.

The takeaway isn't that you should give up on privacy. It's that if you're going to pursue it, you need to actually succeed. And half-measures that still rely on third parties don't cut it. You can't beat the cloud with the cloud. You need to get out of the cloud entirely.

What Actually Works

Perfection is unattainable. But something is better than nothing, and a lot is better than something. The question isn't whether you can achieve perfect privacy. It's whether your actions match your actual threat model.

For most people, that means a few high-leverage moves.

Use a password manager you control. There is no higher-leverage action you can take for cybersecurity than using a password manager. If you're not using one, you are fundamentally insecure. You're either reusing the same password everywhere (or some tiny variation, which is basically the same thing), or you've got them scrawled on a notepad somewhere.

But here's the critical part: if you're going to use a password manager, run it yourself. The LastPass breach is a case study in why. In 2022, hackers stole encrypted vault backups from roughly 25 million users. Because many users had weak master passwords, attackers have been cracking those vaults ever since, draining cryptocurrency wallets in waves that continued through 2025. More than $35 million in crypto has been traced to these thefts, including a $150 million heist linked to the co-founder of Ripple. The FBI and Secret Service corroborated the connection. (Sources: Krebs on Security; TRM Labs)

These weren't careless people. Many were longtime crypto investors and security-minded individuals who thought they were doing the right thing. They were. Their mistake was trusting a third party to host it.

A self-hosted password manager like Vaultwarden (the open-source version of Bitwarden) keeps your encrypted passwords on your own hardware. Even if someone physically stole your server, they couldn't crack the encryption. And nobody is going to steal your server because they don't know it's there, don't know what's on it, and wouldn't know how to crack it anyway.

Replace your cloud services with self-hosted alternatives. Nextcloud alone can replace Google Drive, Google Calendar, Google Photos, Zoom, and more. All running on hardware you own, with data that's legally yours.

Understand what you're gaining. This isn't just about privacy as a vague principle. You're gaining Fourth Amendment protection for your data. You're eliminating the single points of failure that make massive data breaches possible. You're removing the middlemen who mine, monetize, and censor your information. And you're cutting out the subscription costs that are only going to get worse.

The Bar Is Lower Than You Think

Running your own server used to require serious Linux systems administration skills. That's genuinely no longer the case.

The bar today is two things: are you comfortable going into the settings menu on your phone or computer and making changes? And can you put together IKEA furniture (meaning: can you follow directions)?

If yes to both, you can own and operate a personal server. The technology exists. The learning curve has been flattened. And there's a growing community of people doing exactly this who are happy to help newcomers figure it out.

The barrier isn't technical anymore. It's psychological. It's the black-pilled mindset that says it's hopeless. It's the inertia of convenience. It's the assumption that privacy requires expertise you don't have.

None of that is true anymore.

The Bottom Line

Your threat model is almost certainly more mundane than you think, and more solvable than you've been told. The threats you actually face all share a common root cause: you handed your data to someone else. The fix is to stop doing that.

Own your infrastructure. Run your own server. Take back the legal protections that come with keeping your data in your home.

You're not on the list. And that means you can win.

Learn more at start9.com.