Don't be evil

Third party data dangers

What is the big deal if Google has to give up records you store remotely? I mean, after all, it's just a matter of whether the subpoena goes to Google or goes to you. After all, if YOU were subpoenaed for the same records (whether stored at Google or elsewhere) you would have to produce them. In the end, it's all the same, no? Not exactly.

You see, increasingly not only are YOUR documents and records (or documents and records about you) being compelled to be produced, but, at least in criminal cases, the government is more or less routinely demanding of ISPs or other third-party custodians that they not tell the person whose records are being sought that the records are being produced. And there is little in the law that mandates that the third party tell you that they are ponying up your records.

In the case of "traditional" document storage facilities (you know, the kind where you box everything up and they store it) you have a contract with the storage facility that says they will tell you if they get a subpoena. But then again, you are paying them every month for the storage, and they want to keep you happy. Even then, if a court orders that they NOT tell you, the court order trumps the contract.

In the case of Google documents and spreadsheets, there is, as far as I can tell, no similar requirement. Sure, they have Terms of Service and a Privacy Policy, but the privacy policy specifically says that they can turn over records (it doesn't say whose) if there is a court order or other legal process. While they want to keep their customers happy, let's face it, you aren't writing them a check every month.

A case coming out of Cincinnati, Ohio on June 18, 2007 (pdf) is illustrative. The federal government wanted to read the Yahoo! and NuVox (an ISP) e-mails sent and received by Stephen Warshak, the owner and operator of a company that sold nutritional supplements. The government was investigating Warshak for allegations of fraud.

The government got a court order under the Stored Communications Act, 18 U.S.C. § 2703, requiring the ISPs to pony up the contents of Warshak's emails, and further prohibiting the ISP from "disclos[ing] the existence of the Application or this Order of the Court, or the existence of this investigation, to the listed customer or to any person unless and until authorized to do so by the Court." The magistrate further ordered that "the notification by the government otherwise required under 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned that the government had been reading his emails, and applied for a court order to prevent any future reading of his emails without at least letting him know.

The government argued that Warshak had no standing or ability to challenge the subpoena, since it called for records that were not HIS, but rather those of the ISP. By "giving" his records to the ISP, he had, according to the government, forfeited his privacy rights. The court disagreed. It properly noted that, while a mere subpoena could be used to get access to non-personal records like billing records or usage records, and might reach the contents of the records if, for example, you subpoenaed a party to the communication, the ISP was merely a "holder" of the records, and therefore a search warrant was required to access the records and the contents of communications. The court stated:

. . . the government could not get around the privacy interest attached to a private letter by simply subpoenaing the postal service with no showing of probable cause, because . . . postal workers would not be expected to read the letter in the normal course of business. . . . Similarly, a bank customer maintains an expectation of privacy in a safe deposit box to which the bank lacks access (as opposed to bank records, like checks or account statements) and the government could not compel disclosure of the contents of the safe deposit box only by subpoenaing the bank.

The court went on to address the privacy interests of the users of commercial ISPs, noting that:

. . . individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected." . . . It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.

The government also argued that, since the ISP's Terms of Use give it the right to read e-mails for certain purposes (such as to comply with court orders or to screen for malicious code), the user could not possibly have expected their email to be private, an argument the court soundly rejected.

In the end, the Warshak court effectively told the government that it could not merely subpoena the ISP, a third-party custodian, for the personal and private records (communications) of its customer except under certain circumstances. It could get the records: (1) if the government obtains a search warrant under the Fourth Amendment, based on probable cause and in compliance with the particularity requirement; (2) if the government provides notice to the account holder in seeking an SCA order, according him the same judicial review he would be allowed were he to be subpoenaed; or (3) if the government can show specific, articulable facts demonstrating that an ISP or other entity has complete access to the e-mails in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his expectation of privacy with respect to that entity, in which case compelled disclosure may occur if that entity is afforded notice and an opportunity to be heard.

In effect, the Court said that the ISP was standing in Warshak's shoes, and therefore Warshak had to be given a chance to object to the subpoena. Good idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a subpoena) it can search for and seize your Google Documents and Spreadsheets, and can likewise get a court order that the ISP not tell you about it. In fact, the rules of criminal procedure in the United States, Federal Rules of Criminal Procedure 41(f)(1)(C), merely require that an inventory of what has been seized be left with the "person from whom, or from whose premises, the property was taken": the ISP, not the person whose records were taken. Again, physical possession trumps privacy interests.

What we need to do is establish rules similar to those established by the Court in Warshak. While the location of records and the nature of records are important, we need to look at the privacy interests involved. By storing my documents at Google instead of on my own server, have I really intended to give up my privacy interests? Should we not create the concept of a "temporary custodian": someone who holds OUR personal information FOR US for a brief period of time, but who has to notify US if there is a demand for OUR records? I think a good hard look at substance over form is in order here.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
