The Briscoe Syndrome

No court order required


Fear of terrorism and a desire to cooperate with law enforcement have led many corporate insiders to pony up sensitive information on their customers to anyone with a badge... with no court order required, Mark Rasch writes.

In the TV drama Law & Order, Detective Briscoe confronts the manager of a seedy Times Square hotel, demanding records of the suspect in room 206. The manager, behind a wall of bulletproof glass and wearing a stained T-shirt, tells the detective to "shove it." Briscoe then says something like, "I can get the health department down here to shut you down," and the manager hastily turns over whatever records the detective demands.

This common scene from TV detective shows now has real-life support. A recent study by CSO magazine found that many Chief Security Officers have turned over, or would turn over, corporate, business partner and customer records simply because a law enforcement or government official requested them, without a subpoena, court order, or any other formal legal process.

Despite all the concerns about expanded law enforcement powers under the USA-PATRIOT Act and the Homeland Security legislation, beyond all the fretting over Carnivore, Magic Lantern, or other technologies, the willingness of corporate agents to simply "turn over" our private personal records represents a much more significant threat to privacy and civil liberty. And while appropriate and reasonable in some circumstances, in many cases the voluntary disclosure of information may represent a violation of corporate privacy policies, which could result in legal liability for the corporations and their officers and directors.

A recent New York Times article discussed an FBI investigation of possible terrorist training at U.S. SCUBA schools, and indicated that virtually all such schools voluntarily disclosed the identity of their students to the FBI without a warrant or other legal process. A California SCUBA school that successfully challenged the FBI's demand for its records received hate mail from around the country.


In the post-9/11 era, American attitudes toward privacy and cooperation with law enforcement changed dramatically. The same CSO survey indicated that about half of the security officers responding believed there will be a terrorist-sponsored cyber attack in the near future. Fear of terrorism and a desire to cooperate with law enforcement have led many corporate insiders to pony up your sensitive information to anyone with a badge, a gun and a simple request.

Whose Information Is It Anyway?

One of the difficulties with the issue of voluntary dissemination of information to the government is determining who "owns" the information in corporate databases. The answer is not always clear.

Some information is derived from business partners, associates, suppliers, contractors and others, and the "privacy" of this information would likely be determined by reference to any contractual non-disclosure agreements. Typical NDA provisions require the party that receives a government request to notify the party that supplied the information, and to give that party an opportunity to object to the disclosure. In such circumstances, voluntary disclosure would violate the NDA.

In addition, there is corporate information that "belongs" to the company, and which the company is free to disclose or not as it sees fit -- though even in these circumstances, the disclosure to law enforcement must serve the interests of the company and its shareholders. H.R. information, such as employee medical records, personnel files or payroll data, is for the moment in a legal gray area -- it is not clear whether that information belongs to the company, or whether the employee has some enforceable right to privacy in it.

Finally, and perhaps most commonly, there is customer or consumer information -- the kind of information a company may have collected pursuant to a stated or published privacy policy. Some companies, like eBay, expressly state that, "[w]e can (and you authorize us to) disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate..." Others, like Amazon, are slightly more ambiguous, stating that they "release account and other personal information when we believe release is appropriate to comply with the law."

Major ISPs like AOL, are more reticent about voluntarily turning information over to law enforcement -- perhaps because of the more sensitive nature of the information they collect. AOL's privacy policy informs its subscribers that "AOL does not read or disclose private communications except to comply with valid legal process such as a search warrant, subpoena or court order, to protect the company's rights and property, or during emergencies when we believe physical safety is at risk" and further that they "will not give out your telephone number or screen names except where needed to deliver a product or service you ordered. We will not give out information that would link your screen names with your actual name."

Despite these express policies, courts have been reluctant to protect the privacy of any information when it comes to corporate disclosure to government in general and law enforcement agencies in particular. A long line of cases has made it clear that, for example, ISP billing information -- the subscriber's name, screen name, address, telephone number, etc. -- is information that belongs to the ISP, and not the subscriber, and therefore the ISP is generally free to disclose this to the government.

This line of cases even includes some where law enforcement agents lied to ISPs about the existence of search warrants or subpoenas, but the court enforced no remedy because the subscriber himself had no privacy interest in the information. So, just like Detective Briscoe's hotel occupant, the online user may find that the law affords little remedy.

The problem of companies turning over your information is compounded by child pornography and obscenity laws that mandate disclosure of certain activities, by a genuine fear of crime in general and terrorism in particular, and by the fact that many corporate security officers are former law enforcement officials themselves, with close working relationships with government officials. Companies are reluctant to be seen as impeding governmental investigations.

The traditional methods the government has to compel production of information -- a grand jury subpoena or a court-authorized search warrant -- may be unavailable in a simple "intelligence gathering" investigation like the SCUBA inquiry, where the link between the evidence sought and any actual or anticipated criminal activity is tenuous at best.

What Should A Company Do?

Companies have a fiduciary obligation to protect the confidentiality of the information they maintain -- particularly that of subscribers, customers, employees and business partners.

That's not to say that all voluntary disclosures are improper: where the law mandates disclosure, like SEC filings and mandatory financial reporting, such reports must be made in a timely and complete fashion. Similarly, where there is an imminent threat to public health, safety or welfare, companies should reserve and exercise the right to disclose this information, even in the absence of legal process. And where the company, its property or its personnel are the victim of a crime, fraud or tort, it must maintain the flexibility to report the information it discovers to law enforcement or regulatory agencies.

For other information, however, corporations should be prepared to live up to their privacy obligations and insist that the government obtain a subpoena or search warrant. Even then, companies should consider notifying their customers of the existence of the subpoena or warrant (unless a valid court order precludes this), and giving the customer the opportunity to challenge the breadth, scope or legitimacy of the government's attempt to obtain their private information.

Of course, after September 11, American companies, like the hotel operator in Law & Order, may simply capitulate and turn any and all information over to the government. Unfortunately, there may be no way for a consumer to know in advance whether this will happen.

© 2002 Security Focus

SecurityFocus columnist Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.
