Feeds

Cloud computing lets Feds read your email

You have 'no expectation of privacy'

High performance access to file storage

When the new iPhone 3G went on sale last week, I was sorely tempted to wait in line for one. (I didn't - no patience.)

One of the features of Apple's device that appeals to me is the new MobileMe service, where you can "access and manage your email, contacts, calendar, photos, and files at me.com," according to Apple. More companies, among them Microsoft and Google, already allow people to store information and use common services online - or "in the cloud" - leading analysts to refer to the entire trend as "cloud computing".

This iteration of "cloud computing" puts your personal data on an accessible server held by a third party, which you replicate on multiple machines and access from virtually anywhere. Putting aside the security, data storage, data retention, data destruction and other pesky issues associated with doing business in the cloud, one fundamental issue remains: Your data is being hosted, stored and transmitted through a third party. As far as the law is concerned then, that third party has control of your data and may therefore be subject to a subpoena for your data, often without your knowledge or ability to object.

On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way (pdf) about the dangers of using web-based email. On May 6, 2005, the government got such an order for the contents of his emails.

Generally, the internet service provider (ISP) is required to give the subscriber notice of the subpoena, but the statute allows a delay of up to 90 days if the government just asks for the data and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result", like endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July 2006.

July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Warshak, like many others, used web-based or third-party provided email services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal email service that he controlled and the government wanted to get access to the contents of his email, they would have had to do it the old-fashioned way: Obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. In fact, those are the precise words of the Fourth Amendment.

Now the government could have issued a grand jury subpoena to Warshak ordering him to pony up his emails. Warshak could then have challenged the scope and breadth of the subpoena, argued that it called for production of irrelevant or privileged materials, challenged the jurisdiction of the grand jury to issue the subpoena, or raised a series of other defenses to the subpoena itself.

But the government didn't want Warshak to know it was investigating him and his company. It wanted to be able to read his emails without him knowing about it. So it used a statute called the Stored Communications Act, which allows the government to require an ISP to hand over the contents of your emails that have been in storage for more than 180 days even without a warrant, as long as it has a court order showing "reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation".

3 Big data security analytics techniques

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.