Don't be evil

Third party data dangers

What is the big deal if Google has to give up records you store remotely? I mean, after all, it's just a matter of whether the subpoena goes to Google or goes to you. If YOU were subpoenaed for the same records (whether stored at Google or elsewhere) you would have to produce them. In the end, it's all the same, no? Not exactly.

You see, increasingly not only are YOUR documents and records (or documents and records about you) being compelled to be produced, but - at least in criminal cases - the government is more or less routinely demanding that ISPs and other third party custodians not tell the person whose records are being sought that the records are being produced. And there is little in the law that requires the third party to tell you that it is ponying up your records.

In the case of "traditional" document storage facilities - you know, the kind where you box everything up and they store them - you have a contract with the storage facility that says that they will tell you if they get a subpoena. But then again, you are paying them every month for the storage. And they want to keep you happy. Even then, if a court orders that they NOT tell you, the court order trumps the contract.

In the case of Google Documents and Spreadsheets, there is, as far as I can tell, no similar requirement. Sure, Google has Terms of Service and a Privacy Policy, but the privacy policy specifically says that Google can turn over records (it doesn't say whose) if there is a court order or other legal process. While Google wants to keep its customers happy, let's face it, you aren't writing it a check every month.

A case decided by the Sixth Circuit Court of Appeals in Cincinnati, Ohio on June 18, 2007 is illustrative. The federal government wanted to read the Yahoo! and NuVox (an ISP) e-mails sent and received by Stephen Warshak, the owner and operator of a company that sold nutritional supplements. The government was investigating Warshak for alleged fraud.

The government got a court order under the Stored Communications Act, 18 U.S.C. § 2703, requiring the ISPs to pony up the contents of Warshak's emails, and further prohibiting the ISPs from "disclos[ing] the existence of the Application or this Order of the Court, or the existence of this investigation, to the listed customer or to any person unless and until authorized to do so by the Court." The magistrate further ordered that "the notification by the government otherwise required under 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned that the government had been reading his emails, and applied for a court order to prevent any future reading of his emails without at least letting him know.

The government argued that Warshak had no standing or ability to challenge the subpoena, since it called for records that were not HIS, but rather those of the ISP. By "giving" his records to the ISP, he had, according to the government, forfeited his privacy rights. The court disagreed. It properly noted that, while a mere subpoena could be used to get access to non-content records like billing records or usage records, and might reach the contents of communications if, for example, you subpoenaed a party to the communication, the ISP was merely a "holder" of the records, and therefore a search warrant was required to access the contents of the communications. The court stated:

. . . the government could not get around the privacy interest attached to a private letter by simply subpoenaing the postal service with no showing of probable cause, because . . . postal workers would not be expected to read the letter in the normal course of business. . . . Similarly, a bank customer maintains an expectation of privacy in a safe deposit box to which the bank lacks access (as opposed to bank records, like checks or account statements) and the government could not compel disclosure of the contents of the safe deposit box only by subpoenaing the bank.

The court went on to address the privacy interests of the users of commercial ISPs, noting that:

. . . individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected." . . . It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.

The government also argued that, since the ISP's Terms of Use give it the right to read e-mails for certain purposes (such as to comply with court orders or to screen for malicious code), the user could not possibly have expected their email to be private - an argument the court soundly rejected.

In the end, the Warshak court effectively told the government that it could not merely subpoena the ISP - a third party custodian - for the personal and private records of its customer (communications) except under certain circumstances. It could get the records:

(1) if the government obtains a search warrant under the Fourth Amendment, based on probable cause and in compliance with the particularity requirement;

(2) if the government provides notice to the account holder in seeking an SCA order, according him the same judicial review he would be allowed were he to be subpoenaed; or

(3) if the government can show specific, articulable facts, demonstrating that an ISP or other entity has complete access to the e-mails in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his expectation of privacy with respect to that entity, in which case compelled disclosure may occur if that entity is afforded notice and an opportunity to be heard.

In effect, the Court said that the ISP was standing in Warshak's shoes, and therefore Warshak had to be given a chance to object to the subpoena. Good idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a subpoena) it can search for and seize your Google Documents and Spreadsheets, and can likewise get a court order that the ISP not tell you about it. In fact, the rules of criminal procedure in the United States, Federal Rule of Criminal Procedure 41(f)(1)(C), merely require that an inventory of what has been seized be left with the "person from whom, or from whose premises, the property was taken" - the ISP, not the person whose records were taken. Again, physical presence trumps privacy interests.

What we need to do is establish rules similar to those established by the Court in Warshak. While the location of records and the nature of records are important, we need to look at the privacy interests involved. By storing my documents at Google instead of on my own server, have I really intended to give up my privacy interests? Should we not create the concept of a "temporary custodian" - someone who holds OUR personal information FOR US for a brief period of time, but who has to notify US if there is a demand for OUR records? I think a good hard look at substance over form is in order here.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
