The Briscoe Syndrome
No court order required
Fear of terrorism and a desire to cooperate with law enforcement have led many corporate insiders to pony up sensitive information on their customers to anyone with a badge... with no court order required, Mark Rasch writes.
In the TV drama Law & Order, Detective Briscoe confronts the manager of a seedy Times Square hotel, demanding records of the suspect in room 206. The manager, behind a wall of bulletproof glass and wearing a stained T-shirt, tells the detective to "shove it." Briscoe then says something like, "I can get the health department down here to shut you down," and the manager hastily turns over whatever records the detective demands.
This common scene from TV detective shows now has support from real life. A recent study by CSO magazine found that many Chief Security Officers have turned over, or would turn over, corporate, business partner and customer records simply because a law enforcement or government official requested them, without a subpoena, court order, or any other formal legal process.
Despite all the concerns about expanded law enforcement powers under the USA-PATRIOT Act and the Homeland Security legislation, beyond all the fretting over Carnivore, Magic Lantern, or other technologies, the willingness of corporate agents to simply "turn over" our private personal records represents a much more significant threat to privacy and civil liberty. And while appropriate and reasonable in some circumstances, in many cases the voluntary disclosure of information may represent a violation of corporate privacy policies, which could result in legal liability for the corporations and their officers and directors.
A recent New York Times article discussed an FBI investigation of possible terrorist training at U.S. SCUBA schools, and indicated that virtually all such schools voluntarily disclosed the identity of their students to the FBI without a warrant or other legal process. A California SCUBA school that successfully challenged the FBI's demand for its records received hate mail from around the country.
In the post-9/11 era, American attitudes toward privacy and cooperation with law enforcement changed dramatically. The same CSO survey indicated that about half of the security officers responding believed that there will be a terrorist-sponsored cyber attack in the near future. Fear of terrorism and a desire to cooperate with law enforcement have led many corporate insiders to pony up your sensitive information to anyone with a badge, a gun and a simple request.
Whose Information Is It Anyway?
One of the difficulties with the issue of voluntary dissemination of information to the government is determining who "owns" the information in corporate databases. The answer is not always clear.
Some information is derived from business partners, associates, suppliers, contractors and others, and the "privacy" of this information would likely be determined by reference to any contractual non-disclosure agreements. Typical NDA provisions require the party that receives a government request for the information to notify the party from whom the information was obtained, and to give that party an opportunity to object to the disclosure. In such circumstances, voluntary disclosure would violate the NDA.
In addition, there is corporate information that "belongs" to the company, and which the company is free to disclose or not as it sees fit -- though even in these circumstances, the disclosure to law enforcement must serve the interests of the company and its shareholders. H.R. information, such as employee medical records, personnel files or payroll data, is for the moment in a legal gray area -- it is not clear whether that information belongs to the company, or whether the employee has some enforceable right to privacy.
Despite such express privacy policies, courts have been reluctant to protect the privacy of any information when it comes to corporate disclosure to government in general and law enforcement agencies in particular. A long line of cases has made it clear that, for example, ISP billing information -- the subscriber's name, screen name, address, telephone number, etc. -- is information that belongs to the ISP, and not the subscriber, and therefore the ISP is generally free to disclose this to the government.
This line of cases even includes some where law enforcement agents lied to ISPs about the existence of search warrants or subpoenas, but the court enforced no remedy because the subscriber himself had no privacy interest in the information. So, just like Detective Briscoe's hotel occupant, the online user may be afforded little remedy under the law.
The problem of companies turning over your information is compounded by child pornography and obscenity laws that mandate disclosure of certain activities, by a genuine fear of crime in general and terrorism in particular, and by the fact that many corporate security officers are former law enforcement officials themselves, with close working relationships with government officials. Companies are reluctant to be seen as impeding governmental investigations.
The traditional methods the government has to compel production of information -- a grand jury subpoena or a court-authorized search warrant -- may be unavailable in a simple "intelligence gathering" investigation such as the SCUBA inquiry, where the link between the evidence sought and any actual or anticipated criminal activity is tenuous at best.
What Should A Company Do?
Companies have a fiduciary obligation to protect the confidentiality of the information they maintain -- particularly that of subscribers, customers, employees and business partners.
That's not to say that all voluntary disclosures are improper: where the law mandates disclosure, like SEC filings and mandatory financial reporting, such reports must be made in a timely and complete fashion. Similarly, where there is an imminent threat to public health, safety or welfare, companies should reserve and exercise the right to disclose this information, even in the absence of legal process. And where the company, its property or its personnel are the victim of a crime, fraud or tort, it must maintain the flexibility to report the information it discovers to law enforcement or regulatory agencies.
For other information, however, corporations should be prepared to live up to their privacy obligations and insist that the government obtain subpoenas or search warrants. Even then, companies should consider notifying their customers of the existence of the subpoena or warrant (unless a valid court order precludes this), and giving the customer the opportunity to challenge the breadth, scope or legitimacy of the government's attempt to obtain their private information.
Of course, after September 11, American companies, like the hotel operator in Law & Order, may simply capitulate and turn any and all information over to the government. Unfortunately, there may be no way for a consumer to know in advance whether this will happen.
© 2002 Security Focus
SecurityFocus columnist Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.