Original URL: http://www.theregister.co.uk/2007/06/25/third_party_data_storage/

Don't be evil

Third party data dangers

By Mark Rasch

Posted in Security, 25th June 2007 10:56 GMT

A series of developments raises the specter that remotely stored or created documents may be subject to subpoena or discovery, all without the knowledge or consent of the documents' creators (pdf).

I have been playing around recently with Google's Documents and Spreadsheets. Google Documents and Spreadsheets lets you create documents or spreadsheets (and soon, probably, presentations) entirely online, using no software other than a browser and an Internet connection. No Microsoft Word, no WordPerfect, no Excel, nothing. All well and good. AFTER you create the document, however, you are supposed to store it on a Google server. Indeed, with virtually unlimited storage, a company could theoretically store all of its documents on Google's servers - all with nothing more than a GMail user ID and password for security. What is even better, all of your documents and spreadsheets would be automatically indexed using Google's software, making it easy for you to locate your documents no matter where you are - as long as you have an Internet connection and can remember your GMail password. Very convenient, but would you do it?

Put aside the security aspects of remote storage of documents. Remember, irrespective of the amount of physical and logical security on the Google servers, ultimately your documents are going to be only as secure as your GMail password - and if you store your password somewhere, maybe not even that secure. I am not even sure that you can encrypt the documents you create on Google documents and spreadsheets - at least not with the software provided by Google - and encryption kind of defeats the purpose of indexing and quickly finding relevant documents.

Add to the security issues the host of legal issues raised by remote storage generally. Whenever records or other evidence are housed with a third party, not only have you increased the likelihood of data access, you have also created a new entity with physical or logical possession of your records. Who "owns" your records? Who has a right to access them? Who has "possession" of them? Who has "control" over them? Who must produce them if there is a subpoena, search warrant or other court order? Suffice it to say, when you lose "possession" of the documents, you lose control over what happens to them.

Possession, Custody and Control

One of the biggest problems in the area of computer security is the fact that the law doesn't really distinguish between physical property and intellectual property. The same law which relates to, for example, the possession of the murder weapon also relates to the possession of information about the murderer. Intellectual property is just property. If you "have" it, you can be compelled - through various legal processes - to give it up, whether in civil litigation, criminal investigations, administrative hearings, internal reviews, etc. Thus, the same law that allows law enforcement agents to get information about you with a court order or subpoena would allow a husband or wife to get the same information in divorce litigation. Unless the information is privileged (and in many cases even if it is), the entity that "holds" the information must pony it up. The law recognizes that an entity has a legal obligation to produce any materials within its "possession, custody or control." Such possession, custody or control can be physical possession (the gun in the footlocker), legal authority to produce, or, in this case, "virtual" possession.

So whenever you entrust your information to some third party, you give up control over the information, and give up to some extent "possession" of that information. For some kinds of records this loss of control is inevitable. When you surf the web, you must transmit information about yourself through your browser to the web. When you send or receive e-mail, the information necessarily travels through some Internet Service Provider somewhere. Sure, you can encrypt some information, and you can use anonymizers to try to hide what you are doing, but in any event the information necessarily travels outside of your control. The anonymizer or "holder" of the information can be compelled to give up the information in the face of a subpoena or court order.

There is nothing fundamentally new about any of this. What is new is the fact that there is so much information about us held in the hands of third parties which never existed before. I am not talking about weblogs or Myspace postings that I voluntarily put out. Every book I read online, every song I download, every video or radio show I stream, every article I peruse creates a third party record which can be discovered.

What makes Google Documents and Spreadsheets even more insidious is the fact that the stored records are not Google's records. You can at least make a plausible argument that my browsing activity, like my bank records, my phone records, my college transcripts, etc., are records of a third party (my bank, my phone company, my college) about me. That doesn't mean these records are personal, private or sensitive. Indeed, in the United States some of these records are entitled to some measure of legal protection from compelled disclosure. My medical records are actually the hospital's or physician's records about me, but I have a privacy interest in them. On the other hand, the hospital is required to turn them over if, for example, I have extremely drug-resistant tuberculosis. What is worse, if the hospital commits a crime or fraud (say, overbills the insurer for my treatment), the government can mandate that the hospital turn over my psychiatric records to be introduced into some court somewhere. Worse still, there is no requirement that the holder of these records about me even tell me that they have been asked for, or been compelled to produce, these records, unless they fall within a class of records that has separate legal protection.

But Google Documents is different. These aren't Google's documents about me. They are MY records stored on Google's server. They can be personal, like diary entries; they can be privileged attorney-client communications or research. They can be anything, but they are clearly mine. My intellectual property, my copyright, my thoughts or musings - not Google's. The same is true for my e-mails, voicemails, or the contents of my VOIP calls.

So what happens when Google gets a subpoena or court order for my documents and spreadsheets - whether in a civil or a criminal case? As noted, the law generally requires an entity to produce any "evidence" - including documents and records - within its possession, custody or control. So my records are in the "possession" of Google in the same way that, if I left a smoking gun in your living room, the cops could either search your house for the gun, or get a subpoena compelling you to give up the gun.

Physical Location

But wait. These are personal records. They are "locked" in the sense that they are password protected, and only you have the key. Does the physical location of the virtual information that the documents represent really matter? It seems to. If your records are physically with a third party, they probably have "possession" of them for legal purposes, and therefore can be compelled to produce them, despite the fact that the records are virtual. The concept of location remains important in the law, but not so much in technology. Thus, when Cablevision, a US cable TV company, allowed its customers to digitally record shows for later playback, the court found it critically important that the recorded programs were stored remotely on a hard drive on Cablevision's servers (a copyright infringement) as opposed to being stored locally on a Cablevision hard drive at the customer's home.

Just because the records are personal doesn't necessarily mean that the temporary custodian can't be compelled to produce them. The law has long recognized that by giving up the records to someone else, you are taking the risk that they will be turned over. Thus, the U.S. Supreme Court found that things like cancelled checks and other records can be subpoenaed from a bank without notice to the customer because "the issuance of a subpoena to a third party to obtain the records of that party does not violate the rights of a defendant." Similarly, testing the contents of a package damaged by a private freight company for drugs didn't violate the package owner's rights, because he took the risk that the freight carrier would disclose information to the government. The Supreme Court has also made it clear that the subject or target of an investigation is not required to be notified when their records are subpoenaed or otherwise demanded from a third party, noting that "When a person communicates information to a third party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities."

Now let's make it even more complicated. We already have the issues of physical location, virtual location, ownership, and privacy interests to deal with. To this we can add "ability and authority to access." Is the mere "ability" to access a document or record enough to mean that you have "possession, custody or control" of the record for the purposes of being compelled to produce that record? If I have your GMail account ID and password, can I be compelled to produce your records? What if I regularly access your GMail documents and spreadsheets account? What if I have the authority to do so? At what point do I take possession of these records? On the other side, if you store your records remotely through Google Documents and Spreadsheets, can you avoid having to produce them pursuant to a subpoena or court order merely by claiming (correctly) that you don't "possess" them inasmuch as they are somewhere else? I don't think so. The issue isn't "ownership" either, as you can be compelled to produce ANY records or objects in your possession, custody or control - not just ones you own. Confused? Wait... there's more.

Add to this mix the issues related to sovereignty, jurisdiction and venue. Different countries have different privacy laws, and different laws related to compelled production of information or documents in both civil and criminal cases. Can a US court order the production of records of a foreign company merely because they are stored on a server in Menlo Park, California? Can they reach over to compel production of records in a foreign country merely because a terminal in the U.S. can be used to "log in" to get them? Can an affiliate be compelled to produce records of a foreign domiciled affiliate merely because it has the ability to obtain those records? While the cases are going to be fact dependent, the general rule the U.S. courts are likely to follow will be, if you can produce, you must produce.

What is the big deal if Google has to give up records you store remotely? I mean, after all, it's just a matter of whether the subpoena goes to Google or goes to you. After all, if YOU were subpoenaed for the same records (whether stored at Google or elsewhere) you would have to produce them. In the end, it's all the same, no? Not exactly.

You see, increasingly not only are YOUR documents and records (or documents and records about you) being compelled to be produced, but - at least in criminal cases - the government is more or less routinely demanding of ISPs or other third-party custodians that they not tell the person whose records are being sought that the records are being produced. And there is little in the law that mandates that the third party tell you that they are ponying up your records.

In the case of "traditional" document storage facilities - you know, the kind where you box everything up and they store them - you have a contract with the storage facility that says that they will tell you if they get a subpoena. But then again, you are paying them every month for the storage. And they want to keep you happy. Even then, if a court orders that they NOT tell you, the court order trumps the contract.

In the case of Google Documents and Spreadsheets there is, as far as I can tell, no similar requirement. Sure, they have Terms of Service and a Privacy Policy, but the privacy policy specifically says that they can turn over records (it doesn't say whose) if there is a court order or other legal process. While they want to keep their customers happy, let's face it, you aren't writing them a check every month.

A case coming out of Cincinnati, Ohio on June 18, 2007 (pdf) is illustrative. The federal government wanted to read the Yahoo! and NuVox (an ISP) e-mails sent and received by Stephen Warshak, the owner and operator of a company that sold nutritional supplements. The government was investigating Warshak for allegations of fraud.

The government got a court order under the Stored Communications Act, 18 U.S.C. § 2703, requiring the ISPs to pony up the contents of Warshak's emails, and further prohibiting the ISP from "disclos[ing] the existence of the Application or this Order of the Court, or the existence of this investigation, to the listed customer or to any person unless and until authorized to do so by the Court." The magistrate further ordered that "the notification by the government otherwise required under 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned that the government had been reading his emails, and applied for a court order to prevent any future reading of his emails without at least letting him know.

The government argued that Warshak had no standing or ability to challenge the subpoena, since it called for records that were not HIS, but rather those of the ISP. By "giving" his records to the ISP, he had, according to the government, forfeited his privacy rights. The court disagreed. It properly noted that, while a mere subpoena could be used to get access to non-personal records like billing records or usage records, and might reach the contents of the records if, for example, you subpoenaed a party to the communication, the ISP was merely a "holder" of the records, and therefore a search warrant was required to access the records and contents of communications. The court stated:

. . . the government could not get around the privacy interest attached to a private letter by simply subpoenaing the postal service with no showing of probable cause, because . . . postal workers would not be expected to read the letter in the normal course of business. . . . Similarly, a bank customer maintains an expectation of privacy in a safe deposit box to which the bank lacks access (as opposed to bank records, like checks or account statements) and the government could not compel disclosure of the contents of the safe deposit box only by subpoenaing the bank.

The court went on to address the privacy interests of the users of commercial ISPs, noting that:

. . . individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected." . . . It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.

The government also argued that, since the ISP's Terms of Use give it the right to read e-mails for certain purposes (such as to comply with court orders or screen for malicious code), the user could not possibly have expected their email to be private - an argument the court soundly rejected.

In the end, the Warshak court effectively told the government that it could not merely subpoena the ISP - a third-party custodian - for the personal and private records of its customer (communications) except under certain circumstances. It could get the records: (1) if the government obtains a search warrant under the Fourth Amendment, based on probable cause and in compliance with the particularity requirement; (2) if the government provides notice to the account holder in seeking an SCA order, according him the same judicial review he would be allowed were he to be subpoenaed; or (3) if the government can show specific, articulable facts demonstrating that an ISP or other entity has complete access to the e-mails in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his expectation of privacy with respect to that entity, in which case compelled disclosure may occur if that entity is afforded notice and an opportunity to be heard.

In effect, the Court said that the ISP was standing in Warshak's shoes, and therefore Warshak had to be given a chance to object to the subpoena. Good idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a subpoena), it can search for and seize your Google Documents and Spreadsheets, and can likewise get a court order that the ISP not tell you about it. In fact, the rules of criminal procedure in the United States, Federal Rules of Criminal Procedure 41(f)(1)(C), merely require that an inventory of what has been seized be left with the "person from whom, or from whose premises, the property was taken" - the ISP, not the person whose records were taken. Again, physical presence trumps privacy interests.

What we need to do is establish rules similar to those established by the Court in Warshak. While the location of records and the nature of records are important, we need to look at the privacy interests involved. By storing my documents at Google instead of on my own server, have I really intended to give up my privacy interests? Should we not create the concept of a "temporary custodian", someone who holds OUR personal information FOR US for a brief period of time, but who has to notify US if there is a demand for OUR records? I think a good hard look at substance over form is in order here.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus