Don't be evil

Third party data dangers

What is the big deal if Google has to give up records you store remotely? After all, it's just a matter of whether the subpoena goes to Google or goes to you; if YOU were subpoenaed for the same records (whether stored at Google or elsewhere), you would have to produce them. In the end, it's all the same, no? Not exactly.

Increasingly, not only are YOUR documents and records (or documents and records about you) being compelled from third parties, but, at least in criminal cases, the government more or less routinely demands that ISPs and other third-party custodians not tell the person whose records are being sought that the records are being produced. And there is little in the law that requires the third party to tell you that it is handing over your records.

In the case of a "traditional" document storage facility, the kind where you box everything up and they store it, you have a contract with the facility that says it will tell you if it gets a subpoena. But then again, you are paying it every month for the storage, and it wants to keep you happy. Even then, if a court orders that it NOT tell you, the court order trumps the contract.

In the case of Google Documents and Spreadsheets there is, as far as I can tell, no similar requirement. Sure, Google has Terms of Service and a Privacy Policy, but the privacy policy specifically says that it can turn over records (it doesn't say whose) if there is a court order or other legal process. While Google wants to keep its customers happy, let's face it, you aren't writing it a check every month.

A case coming out of Cincinnati, Ohio on June 18, 2007 is illustrative. The federal government wanted to read the e-mails that Stephen Warshak, the owner and operator of a company that sold nutritional supplements, sent and received through Yahoo! and NuVox (an ISP). The government was investigating Warshak for allegations of fraud.

The government got a court order under the Stored Communications Act, 18 U.S.C. § 2703, requiring the ISPs to hand over the contents of Warshak's e-mails, and further prohibiting the ISPs from "disclos[ing] the existence of the Application or this Order of the Court, or the existence of this investigation, to the listed customer or to any person unless and until authorized to do so by the Court." The magistrate further ordered that "the notification by the government otherwise required under 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned that the government had been reading his e-mails, and applied for a court order to prevent any future reading of his e-mails without, at the least, notice to him.

The government argued that Warshak had no standing or ability to challenge the subpoena, since it called for records that were not HIS, but rather the ISP's. By "giving" his records to the ISP, he had, according to the government, forfeited his privacy rights. The court disagreed. It properly noted that, while a mere subpoena can be used to obtain non-content records such as billing or usage records, and might reach the contents of communications if, for example, the subpoena were directed at a party to the communication, the ISP here was merely a "holder" of the records, and therefore a search warrant was required to obtain the contents of the communications. The court stated:

. . . the government could not get around the privacy interest attached to a private letter by simply subpoenaing the postal service with no showing of probable cause, because . . . postal workers would not be expected to read the letter in the normal course of business. . . . Similarly, a bank customer maintains an expectation of privacy in a safe deposit box to which the bank lacks access (as opposed to bank records, like checks or account statements) and the government could not compel disclosure of the contents of the safe deposit box only by subpoenaing the bank.

The court went on to address the privacy interests of the users of commercial ISPs, noting that:

. . . individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected." . . . It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.

The government also argued that, since the ISP's Terms of Use gave it the right to read e-mails for certain purposes (such as complying with court orders or screening for malicious code), the user could not possibly have expected his e-mail to be private. The court soundly rejected that argument.

In the end, the Warshak court effectively told the government that it could not merely subpoena the ISP, a third-party custodian, for the personal and private communications of its customer, except under certain circumstances. It could get the records: (1) if the government obtains a search warrant under the Fourth Amendment, based on probable cause and in compliance with the particularity requirement; (2) if the government provides notice to the account holder in seeking an SCA order, according him the same judicial review he would be allowed were he to be subpoenaed; or (3) if the government can show specific, articulable facts, demonstrating that an ISP or other entity has complete access to the e-mails in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his expectation of privacy with respect to that entity, in which case compelled disclosure may occur if that entity is afforded notice and an opportunity to be heard.

In effect, the court said that the ISP was standing in Warshak's shoes, and therefore Warshak had to be given a chance to object to the subpoena. Good idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a subpoena), it can search for and seize your Google Documents and Spreadsheets, and can likewise get a court order that the ISP not tell you about it. In fact, Federal Rule of Criminal Procedure 41(f)(1)(C) merely requires that a copy of the warrant and a receipt for what has been seized be left with the "person from whom, or from whose premises, the property was taken": the ISP, not the person whose records were taken. Again, physical presence trumps privacy interests.

What we need to do is establish rules similar to those the court established in Warshak. While the location and the nature of the records are important, we need to look at the privacy interests involved. By storing my documents at Google instead of on my own server, have I really intended to give up my privacy interests? Should we not create the concept of a "temporary custodian": someone who holds OUR personal information FOR US for a brief period of time, but who has to notify US if there is a demand for OUR records? I think a good hard look at substance over form is in order here.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
