Feeds

Cloud computing lets Feds read your email

You have 'no expectation of privacy'

Reducing the cost and complexity of web vulnerability management

When the new iPhone 3G went on sale last week, I was sorely tempted to wait in line for one. (I didn't - no patience.)

One of the features of Apple's device that appeals to me is the new MobileMe service, where you can "access and manage your email, contacts, calendar, photos, and files at me.com," according to Apple. More companies, among them Microsoft and Google, already allow people to store information and use common services online - or "in the cloud" - leading analysts to refer to the entire trend as "cloud computing".

This iteration of "cloud computing" puts your personal data on an accessible server held by a third party, which you replicate on multiple machines and access from virtually anywhere. Putting aside the security, data storage, data retention, data destruction and other pesky issues associated with doing business in the cloud, one fundamental issue remains: Your data is being hosted, stored and transmitted through a third party. As far as the law is concerned then, that third party has control of your data and may therefore be subject to a subpoena for your data, often without your knowledge or ability to object.

On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way (pdf) about the dangers of using web-based email. On May 6, 2005, the government got such an order for the contents of his emails.

Generally, the internet service provider (ISP) is required to give the subscriber notice of the subpoena, but the statute allows a delay of up to 90 days if the government just asks for the data and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result", like endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July 2006.

July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Warshak, like many others, used web-based or third-party provided email services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal email service that he controlled and the government wanted to get access to the contents of his email, they would have had to do it the old-fashioned way: Obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. In fact, those are the precise words of the Fourth Amendment.

Now the government could have issued a grand jury subpoena to Warshak ordering him to pony up his emails. Warshak could then have challenged the scope and breadth of the subpoena, argued that it called for production of irrelevant or privileged materials, challenged the jurisdiction of the grand jury to issue the subpoena, or raised a series of other defenses to the subpoena itself.

But the government didn't want Warshak to know it was investigating him and his company. It wanted to be able to read his emails without him knowing about it. So it used a statute called the Stored Communications Act, which allows the government to require an ISP to hand over the contents of your emails that have been in storage for more than 180 days even without a warrant, as long as it has a court order showing "reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation".

Security and trust: The backbone of doing business over the internet

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.