Sunday, August 24, 2008

Get Off My Cloud

by Mark Rasch 2008-08-19
http://www.securityfocus.com/columnists/478

When the new iPhone 3G went for sale last week, I was sorely tempted to wait in line for one. (I didn't -- no patience.)

One of the features of Apple's device that appeals to me is the new MobileMe service, where you can "access and manage your email, contacts, calendar, photos, and files at me.com," according to Apple. More companies, among them Microsoft and Google, already allow people to store information and use common services online -- or "in the cloud" -- leading analysts to refer to the entire trend as "cloud computing."

This iteration of "cloud computing" puts your personal data on an accessible server held by a third party, which you replicate on multiple machines and access from virtually anywhere. Putting aside the security, data storage, data retention, data destruction and other pesky issues associated with doing business in the cloud, one fundamental issue remains: Your data is being hosted, stored and transmitted through a third party. As far as the law is concerned then, that third party has control of your data and may therefore be subject to a subpoena for your data, often without your knowledge or ability to object.

On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way (pdf) about the dangers of using web-based e-mail. On May 6, 2005, the government got such an order for the contents of his e-mails.

Generally, the Internet service provider is required to give the subscriber notice of the subpoena, but the statute allows the government to delay such notification for 90 days if the government just asks for it and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result" like endangering the life or physical safety of an individual; flight from prosecution; destruction of or tampering with evidence; intimidation of potential witnesses; or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July, 2006.

July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Warshak, like many others, used web-based or third party provided e-mail services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal e-mail service that he controlled and the government wanted to get access to the contents of his e-mail, they would have had to do it the old-fashioned way: obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. In fact, those are the precise words of the Fourth Amendment.

Now the government could have issued a grand jury subpoena to Warshak ordering him to pony up his e-mails. Warshak then could have challenged the scope and breadth of the subpoena, argued that it called for production of irrelevant or privileged materials, challenged the jurisdiction of the grand jury to issue the subpoena, or raised a series of other defenses to the subpoena itself.

But the government didn't want Warshak to know it was investigating him and his company. They wanted to be able to read his e-mails without him knowing about it. So they used a statute called the Stored Communications Act, which allows the government to require an ISP to hand over the contents of your e-mails that have been in storage for more than 180 days even without a warrant, as long as it has a court order showing "reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."

Thus, in the case of e-mail messages stored and sent in the cloud, the government doesn't need a warrant, doesn't need probable cause, and doesn't need to provide the "owner" of the communications with notice. At least, not right away. Indeed, the government can request that the ISP "preserve" future communications that haven't even been conceived of yet, so that the government may demand them if the situation warrants.

Contrast this procedure with that required by both the U.S. Constitution and the rules implementing it. If the mail was, for example, stored not by an ISP, but rather on Warshak's own internal mail server (and putting aside subpoenas to the recipients of the e-mails), the government would need a warrant, supported by probable cause, not just "reasonable grounds to believe," with an oath or affirmation to a neutral magistrate. Under the Fourth Amendment, the warrant would have to specify exactly what was to be searched for and seized, and the evidence seized would have to be supported by probable cause. The warrant would have to be narrowly tailored to seize only the evidence for which there was probable cause, and could not be what the law calls a "general warrant." Finally, the government would have to prepare an inventory of whatever was seized, and give a copy of the warrant and a receipt to the suspect.

Thus, as a general rule, if the cops take stuff from you with a warrant, you know it, you know when, and you know what they took. The law does permit the judge to delay notice.

So Warshak challenged the constitutionality of the Stored Communications Act, trying to get a court order preventing the government from further seizing his e-mails without an actual warrant, with notice and everything. Just as if his mail was, well, his mail, and not simply some file residing on a server at Yahoo or NuVox. The trial court ruled that Warshak was right and issued the injunction, finding that the search without notice or probable cause violated the Fourth Amendment, and that the government's refusal to say that it wouldn't do it to Warshak again, coupled with the fact that the government had a policy of getting these orders without search warrants, meant that there was at least a likelihood that Warshak's privacy could be violated in the future.

The Court of Appeals agreed, at least initially.

Meanwhile the government used the NuVox e-mails at Warshak's criminal trial. When Warshak complained that they had been obtained in violation of the Constitution, the trial court held that even if the statute was unconstitutional -- and allowed for illegal searches and seizures -- the seizure of the e-mails was OK because the cops reasonably relied on it. The court went on to say that because it was Warshak's e-mails that were seized, none of Warshak's co-defendants could complain even if the search was illegal.

That still left the original court order preventing the government from seizing Warshak's e-mails in the future. Last week the Court of Appeals reconsidered its original decision, and found that the issue was -- much like a Salmonella tomato -- not "ripe." You see, now that Warshak was in jail, there was little chance that the government would want to read his e-mail, or indeed that he would have access to e-mail. Thus, the court found that even if the process was patently unconstitutional, you couldn't prevent it from happening, because you can't prove they are going to take it in the future, and you can't do anything about it afterwards, because the government can rely on a statute authorizing illegal conduct. Warshak's only recourse now would be to sue the FBI agents that subpoenaed his e-mail, or his ISP.

The Court of Appeals last week, not satisfied with finding that Warshak's claim was not "ripe" because he couldn't say where or when the government was going to seize his e-mail, went further in a very dangerous manner. The Warshak court said that it had no idea if e-mails potentially seized by the government without a warrant would be subject to any expectation of privacy by Warshak. The Court noted that ISPs have all kinds of policies and practices regarding the privacy of their customers' electronic communications, with some like AOL saying that the ISP "will not read or disclose subscriber's e-mails to anyone except authorized users," some like Juno saying they "will not intentionally monitor or disclose any private email message" but that it "reserves the right to do so in some cases," and some like Yahoo stating that it shall have the right to pre-screen content, or that content may be provided to the government on request.

The court, for example, relied on Google's Gmail service, which permits automated review of the contents of e-mail (for advertising purposes), or statements by corporate employers eschewing an expectation of privacy by users of the system. The government urged the court to go even further, arguing that there is no constitutional protection of privacy in e-mail where, for example, the ISP used malware scanners to look for malicious code in e-mail or deep packet inspection of e-mail.

Couple this with prior Supreme Court precedent in Smith v. Maryland, where the government sought to subpoena from a telephone company a subscriber's use data -- information such as time of calls, who they called, how long the call lasted. Just as with Warshak, the defendant claimed that the government needed a search warrant, and the government claimed that Smith had no reasonable expectation of privacy in this "non-content" information. The Supreme Court agreed with the government, noting: "we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills."

Applying that rationale to e-mail, all (well, most) Internet users realize that they must "convey" e-mail content to the ISP, since it is through the ISP's routers that their e-mails are transferred. All -- well, most -- users realize that the ISP has facilities for making permanent records of the contents of their e-mail -- storing it -- for they see a list of their e-mails when they log on.

The Smith court went further. It noted that the Court "consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" and that:

When [Smith] used his phone, [he] voluntarily conveyed numerical information to the telephone company and "exposed" that information to its equipment in the ordinary course of business. In so doing, [he] assumed the risk that the company would reveal to police the numbers he dialed.

Thus, when you "voluntarily" turn stuff over to a third party such as a bank, an accountant, the phone company, or presumably an ISP, you run the risk that they can turn it over to the cops, and therefore you have "no expectation of privacy."

More persuasive is Justices Brennan and Stewart's dissent in Smith where they note:
The Court today says that [Constitutional] safeguards do not extend to the numbers dialed from a private telephone, apparently because when a caller dials a number the digits may be recorded by the telephone company for billing purposes. But that observation no more than describes the basic nature of telephone calls. A telephone call simply cannot be made without the use of telephone company property and without payment to the company for the service. The telephone conversation itself must be electronically transmitted by telephone company equipment, and may be recorded or overheard by the use of other company equipment. Yet we have squarely held that the user of even a public telephone is entitled "to assume that the words he utters into the mouthpiece will not be broadcast to the world."

Justice Thurgood Marshall went further in Smith noting:
Implicit in the concept of assumption of risk is some notion of choice. . . [U]nless a person is prepared to forgo use of what for many has become a personal or professional necessity [the telephone or the Internet], he cannot help but accept the risk of surveillance. It is idle to speak of "assuming" risks in contexts where, as a practical matter, individuals have no realistic alternative. More fundamentally, to make risk analysis dispositive in assessing the reasonableness of privacy expectations would allow the government to define the scope of Fourth Amendment protections. For example, law enforcement officials, simply by announcing their intent to monitor the content of random samples of first-class mail or private phone conversations, could put the public on notice of the risks they would thereafter assume in such communications.

The same holds true for Warshak's e-mail, Apple's MobileMe service, Google's GMail or Google Documents, or any remote storage facility. Almost by definition you have to use a third party to transmit this information, and almost by definition the third party has to make a "copy" of the communication. This is, in fact, the essential nature of "cloud" computing -- the data resides somewhere else and you just "access" it.

The real problem with the Warshak Court's ruling -- and here is where it gets dangerous -- is that it essentially held that your expectation of privacy with respect to the government's seizure of your e-mail is dictated by the terms of the contract with the ISP. These terms of use, which generally may provide the ISP or storage facility a limited "right of entry" or "right of inspection," are intended to protect the ISP from liability, not to establish the balance of privacy vis-a-vis the government. Indeed, even if your employer said you had "no right of privacy" in your corporate e-mail, this wouldn't necessarily mean that the cops could read the e-mail without a warrant or a subpoena. It might mean that if the ISP or employer examined your e-mail pursuant to its policy, saw something, and called the cops, that would be appropriate.

Privacy is not binary -- it's not that you either have it or you don't. You may have an expectation of privacy vis-a-vis the FBI, and less with respect to your ISP. In fact, this is exactly the opposite of the position that the government took a few days later when it charged (pdf) a Philadelphia news anchor with reading his co-anchor's e-mail, stating:

Our e-mail is private, just like our telephone conversations and mail. Our expectation of privacy for e-mail is even higher, due to the high level of security used in transmitting Email messages.
The government went on to say "people expect that e-mail in a password-protected, personal e-mail account is private."

Sure. Unless, of course, the government wants to read it. In that case, according to both the government's brief and the court's opinion, you have no expectation of privacy.

Copyright 2008, SecurityFocus