Original URL: http://www.theregister.co.uk/2008/08/20/cloud_computing_privacy/

Cloud computing lets Feds read your email

You have 'no expectation of privacy'

By Mark Rasch

Posted in Law, 20th August 2008 12:03 GMT

When the new iPhone 3G went on sale last week, I was sorely tempted to wait in line for one. (I didn't - no patience.)

One of the features of Apple's device that appeals to me is the new MobileMe service, where you can "access and manage your email, contacts, calendar, photos, and files at me.com," according to Apple. More companies, among them Microsoft and Google, already allow people to store information and use common services online - or "in the cloud" - leading analysts to refer to the entire trend as "cloud computing".

This iteration of "cloud computing" puts your personal data on an accessible server held by a third party, which you replicate on multiple machines and access from virtually anywhere. Putting aside the security, data storage, data retention, data destruction and other pesky issues associated with doing business in the cloud, one fundamental issue remains: Your data is being hosted, stored and transmitted through a third party. As far as the law is concerned then, that third party has control of your data and may therefore be subject to a subpoena for your data, often without your knowledge or ability to object.

On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way about the dangers of using web-based email. On May 6, 2005, the government got such an order for the contents of his emails.

Generally, the internet service provider (ISP) is required to give the subscriber notice of the subpoena, but the statute allows a delay of up to 90 days if the government just asks for the data and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result", like endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July 2006.

July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Warshak, like many others, used web-based or third-party provided email services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal email service that he controlled and the government wanted to get access to the contents of his email, they would have had to do it the old-fashioned way: Obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. In fact, those are the precise words of the Fourth Amendment.

Now the government could have issued a grand jury subpoena to Warshak ordering him to pony up his emails. Warshak could then have challenged the scope and breadth of the subpoena, argued that it called for production of irrelevant or privileged materials, challenged the jurisdiction of the grand jury to issue the subpoena, or raised a series of other defenses to the subpoena itself.

But the government didn't want Warshak to know it was investigating him and his company. It wanted to be able to read his emails without him knowing about it. So it used a statute called the Stored Communications Act, which allows the government to require an ISP to hand over the contents of your emails that have been in storage for more than 180 days even without a warrant, as long as it has a court order showing "reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation".

Thus, in the case of email messages stored and sent in the cloud, the government doesn't need a warrant, doesn't need probable cause, and doesn't need to provide the "owner" of the communications with notice. At least, not right away. Indeed, the government can request that the ISP "preserve" future communications that haven't even been conceived of yet, so that the government may demand them if the situation warrants.

Contrast this procedure with that required by both the US Constitution and the rules implementing it. If the mail was, for example, stored not by an ISP, but rather on Warshak's own internal mail server (and putting aside subpoenas to the recipients of the emails), the government would need a warrant, supported by probable cause - not just "reasonable grounds to believe" - with an oath or affirmation to a neutral magistrate. Under the Fourth Amendment, the warrant would have to specify exactly what was to be searched for and seized, and the evidence seized would have to be supported by probable cause. The warrant would have to be narrowly tailored to seize only the evidence for which there was probable cause, and could not be what the law calls a "general warrant". Finally, the government would have to prepare an inventory of whatever was seized, and give a copy of the warrant and a receipt to the suspect.

Thus, as a general rule, if the cops take stuff from you with a warrant, you know it, and you know when and what they took. The law does permit the judge to delay notice.

So Warshak challenged the constitutionality of the Stored Communications Act, trying to get a court order preventing the government from further seizing his emails without an actual warrant with notice and everything. Just as if his mail was, well, his mail, and not simply some file residing in a server at Yahoo or NuVox. The trial court ruled that Warshak was right and issued the injunction, finding that the search without notice or probable cause violated the Fourth Amendment, and that the government's refusal to say it wouldn't do it to Warshak again, coupled with the fact that the government had a policy of getting these orders without search warrants, meant that there was at least a likelihood that Warshak's privacy could be violated in the future.

The Court of Appeals agreed, at least initially.

Meanwhile the government used the NuVox emails at Warshak's criminal trial. When Warshak complained that they had been obtained in violation of the Constitution, the trial court held that, even if the statute was unconstitutional - and allowed for illegal searches and seizures - the seizure of the emails was OK because the cops had reasonably relied on it. The court went on to say that because it was Warshak's emails that were seized, none of Warshak's co-defendants could complain even if the search was illegal.

That still left the original court order preventing the government from seizing Warshak's emails in the future. Last week the Court of Appeals reconsidered its original decision, and found that the issue was - much like a salmonella tomato - not "ripe". You see, now that Warshak was in jail, there was little chance that the government would want to read his email, or indeed that he would have access to email. Thus, the court found that even if the process was patently unconstitutional, you couldn't prevent it from happening because you can't prove they are going to take it in the future - and you can't do anything about it afterwards because the government can rely on a statute authorizing illegal conduct. Warshak's only recourse now would be to sue the FBI agents that subpoenaed his email, or his ISP.

Last week the Court of Appeals, not satisfied with finding that Warshak's claim was not "ripe" because he couldn't say where or when the government was going to seize his email, went further in a very dangerous manner. The Warshak court said that it had no idea if emails potentially seized by the government without a warrant would be subject to any expectation of privacy by Warshak. The Court noted that ISPs have all kinds of policies and practices regarding the privacy of their customers' electronic communications, with some like AOL saying that the ISP "will not read or disclose subscribers' emails to anyone except authorized users," some like Juno saying they "will not intentionally monitor or disclose any private email message" but that it "reserves the right to do so in some cases", and some like Yahoo stating that they shall have the right to pre-screen content, or that content may be provided to the government on request.

The court, for example, relied on Google's Gmail service, which permits automated review of the contents of email (for advertising purposes), or on statements by corporate employers eschewing an expectation of privacy by users of the system. The government urged the court to go even further, arguing that there is no constitutional protection of privacy in email where, for example, the ISP used malware scanners to look for malicious code in email or deep packet inspection of email.

Couple this with prior Supreme Court precedent in Smith v. Maryland, where the government sought to subpoena from a telephone company a subscriber's use data - information such as time of calls, who they called and how long the call lasted. Just as with Warshak, the defendant claimed that the government needed a search warrant, and the government claimed that Smith had no reasonable expectation of privacy in this "non-content" information. The Supreme Court agreed with the government, noting "we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills."

Applying that rationale to email, all (well, most) internet users realize that they must "convey" email content to the ISP, since it is through the ISP's routers that their emails are transferred. All (most) users realize that the ISP has facilities for making permanent records of the contents of their email - storing it - for they see a list of their emails when they log on.

The Smith court went further. It noted that the Court "consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" and that:

When [Smith] used his phone, [he] voluntarily conveyed numerical information to the telephone company and "exposed" that information to its equipment in the ordinary course of business. In so doing, [he] assumed the risk that the company would reveal to police the numbers he dialed.

Thus, when you "voluntarily" turn stuff over to a third party - a bank, an accountant, the phone company, or presumably an ISP, you run the risk that they can turn it over to the cops, and therefore you have "no expectation of privacy".

More persuasive is Justices Brennan and Stewart's dissent in Smith where they note:

The Court today says that [Constitutional] safeguards do not extend to the numbers dialled from a private telephone, apparently because when a caller dials a number the digits may be recorded by the telephone company for billing purposes. But that observation no more than describes the basic nature of telephone calls. A telephone call simply cannot be made without the use of telephone company property and without payment to the company for the service. The telephone conversation itself must be electronically transmitted by telephone company equipment, and may be recorded or overheard by the use of other company equipment. Yet we have squarely held that the user of even a public telephone is entitled "to assume that the words he utters into the mouthpiece will not be broadcast to the world".

Justice Thurgood Marshall went further in Smith, noting:

Implicit in the concept of assumption of risk is some notion of choice. . . [U]nless a person is prepared to forgo use of what for many has become a personal or professional necessity [the telephone or the internet], he cannot help but accept the risk of surveillance. It is idle to speak of "assuming" risks in contexts where, as a practical matter, individuals have no realistic alternative. More fundamentally, to make risk analysis dispositive in assessing the reasonableness of privacy expectations would allow the government to define the scope of Fourth Amendment protections. For example, law enforcement officials, simply by announcing their intent to monitor the content of random samples of first-class mail or private phone conversations, could put the public on notice of the risks they would thereafter assume in such communications.

The same holds true for Warshak's email, Apple's MobileMe service, Google's GMail or Google Documents, or any remote storage facility. Almost by definition you have to use a third party to transmit this information, and almost by definition the third party has to make a "copy" of the communication. This is, in fact, the essential nature of "cloud" computing - the data resides somewhere else and you just "access" it.

The real problem with the Warshak Court's ruling - and here is where it gets dangerous - is that it essentially held that your expectation of privacy with respect to the government's seizure of your email is dictated by the terms of the contract with the ISP. These terms of use, which generally provide the ISP or storage facility a limited "right of entry" or "right of inspection", are intended to protect the ISP from liability, not to establish the balance of privacy vis-à-vis the government. Indeed, even if your employer said you had "no right of privacy" in your corporate email, this wouldn't necessarily mean that the cops could read the email without a warrant or a subpoena. It might mean only that if the ISP or employer examined your email pursuant to their policy, saw something, and called the cops, this would be appropriate.

Privacy is not binary - it's not that you either have it or you don't. You may have an expectation of privacy vis-à-vis the FBI, and less with respect to your ISP. In fact, this is exactly the opposite of the position that the government took a few days later when it charged a Philadelphia news anchor with reading his co-anchor's email, stating:

Our email is private, just like our telephone conversations and mail. Our expectation of privacy for email is even higher, due to the high level of security used in transmitting email messages.

The government went on to say "people expect that email in a password-protected, personal email account is private".

Sure. Unless, of course, the government wants to read it. In that case, according to both the government's brief and the court's opinion, you have no expectation of privacy.

This article originally appeared in Security Focus.

Copyright © 2008, SecurityFocus