[Infowarrior] - Privacy & E-Discovery: Don't Be Evil

Richard Forno rforno at infowarrior.org
Sat Jun 23 18:45:53 UTC 2007


Don't Be Evil
Mark Rasch

http://www.securityfocus.com/columnists/447?ref=rss

A series of developments raise the specter that remotely stored or created
documents may be subject to subpoena or discovery all without the knowledge
or consent of the document's creators.

I have been playing around recently with Google's Documents and
Spreadsheets. What Google documents and spreadsheets allows you to do is to
create documents or spreadsheets (and soon probably presentations)
completely online using no software other than a browser and an internet
connection. No Microsoft Word, no WordPerfect, no Excel, nothing. All well
and good. AFTER you create the document, however, you are supposed to store
it on a Google server. Indeed, with virtually unlimited storage, a company
could theoretically store all of its documents on Google's servers - all
with nothing more than a GMail user ID and password for security. What is
even better, all of your documents and spreadsheets would be automatically
indexed using Google's software, making it easy for you to locate your
documents no matter where you are - as long as you have an Internet
connection and can remember your GMail password. Very convenient, but would
you do it?

Put aside the security aspects of remote storage of documents. Remember,
irrespective of the amount of physical and logical security on the Google
servers, ultimately your documents are going to be only as secure as your
GMail password - and if you store your password somewhere, maybe not even
that secure. I am not even sure that you can encrypt the documents you
create on Google documents and spreadsheets - at least not with the software
provided by Google - and encryption kind of defeats the purpose of indexing
and quickly finding relevant documents.

Add to the security issues the host of legal issues raised by remote storage
generally. Whenever records or other evidence is housed with a third party,
you have not only increased the likelihood of data access, you have created
a new entity with physical or logical possession of your records. Who "owns"
your records? Who has a right to access them? Who has "possession" of them?
Who has "control" over them? Who must produce them if there is a subpoena,
search warrant or other court order? Suffice it to say, when you lose
"possession" of the documents, you lose control over what happens to them.

Possession, Custody and Control

One of the biggest problems in the area of computer security is the fact
that the law doesn't really distinguish between physical property and
intellectual property. The same law which relates to, for example the
possession of the murder weapon, also relates to the possession of
information about the murderer. Intellectual property is just property. If
you "have" it, you can be compelled - through various legal processes - to
give it up, both in civil litigation, criminal investigations,
administrative hearings, internal reviews, etc. Thus, the same law that
allows law enforcement agents to get information about you with a court
order or subpoena would allow a husband or wife to get the same information
in divorce litigation. Unless the information is privileged (and in many
cases even if it is) the entity that "holds" the information must pony it
up. The law recognizes that an entity has a legal obligation to produce any
materials within its "possession, custody or control." Such possession,
custody or control can be physical possession (the gun in the footlocker),
legal authority to produce, or in this case, "virtual" possession.

So whenever you entrust your information to some third party, you give up
control over the information, and give up to some extent "possession" of
that information. For some kinds of records this loss of control is
inevitable. When you surf the web, you must transmit information about
yourself through your browser to the web. When you send or receive e-mail,
the information necessarily travels through some Internet Service Provider
somewhere. Sure you can encrypt some information - you can use anonymizers
to try to hide what you are doing, but in any event the information
necessarily travels outside of your control. The anonymizer or "holder" of
the information can be compelled to give up the information in the face of a
subpoena or court order.

There is nothing fundamentally new about any of this. What is new is the
fact that there is so much information about us held in the hands of third
parties which never existed before. I am not talking about weblogs or
Myspace postings that I voluntarily put out. Every book I read online, every
song I download, every video or radio show I stream, every article I peruse
creates a third party record which can be discovered.

What makes the Google documents and spreadsheets even more insidious is the
fact that the stored records are not Google's records. You can at least make
a plausible argument that my browsing activity, like my bank records, my
phone records, my college transcripts, etc., are records of a third party
(my bank, my phone company, my college) about me. That doesn't mean these
records are personal, private or sensitive. Indeed, in the United States
some of these records are entitled to some measure of legal protection from
compelled disclosure. My medical records are actually the hospital or
physician's records about me, but I have a privacy interest in them. On the
other hand, the hospital is required to turn them over if, for example, I
have extremely drug-resistant tuberculosis. What is worse, if the hospital
commits a crime or fraud (say, overbills the insurer for my treatment) the
government can mandate that the hospital turn over my psychiatric records to
be introduced into some court somewhere. What is worse, there is no
requirement that the holder of these records about me be compelled to even
tell me that they have been asked for or been compelled to produce these
records unless they fall within a class of records that has separate legal
protection.

But Google Documents is different. These aren't Google's documents about me.
They are MY records stored on Google's server. They can be personal like
diary entries, they can be privileged attorney-client communications or
research. They can be anything, but they are clearly mine. My intellectual
property, my copyright, my thoughts or musings - not Google's. The same is
true for my e-mails, voicemails, or the contents of my VOIP calls.

So what happens when Google gets a subpoena or court order for my documents
and spreadsheets - whether in a civil or a criminal case? As noted, the law
generally requires an entity to produce any "evidence" - including documents
and records - within its possession, custody or control. So my records are
in the "possession" of Google in the same way that, if I left a smoking gun
in your living room, the cops could either search your house for the gun, or
get a subpoena compelling you to give up the gun.

Physical Location

But wait. These are personal records. They are "locked" in the sense that
they are password protected, and only you have the key. Does the physical
location of the virtual information that the documents represent really
matter? It seems to. If your records are physically with a third party, they
probably have "possession" of them for legal purposes, and therefore can be
compelled to produce them, despite the fact that the records are virtual.
The concept of location remains important in the law, but not so much in
technology. Thus, when Cablevision, a US cable TV company, allowed its
customers to digitally record shows for later playback, the court found it
critically important that the recorded programs were stored remotely on a
hard drive on Cablevision's servers (a copyright infringement) as opposed to
being stored locally on a Cablevision hard drive at the customer's home.

Just because the records are personal doesn't necessarily mean that the
temporary custodian can't be compelled to produce them. The law has long
recognized that by giving up the records to someone else, you are taking the
risk that they will be turned over. Thus, the U.S. Supreme Court found that
things like cancelled checks and other records can be subpoenaed from a bank
without notice to the customer because "the issuance of a subpoena to a
third party to obtain the records of that party does not violate the rights
of a defendant." Similarly, testing the contents of a package damaged by a
private freight company for drugs didn't violate the package owner's rights,
because he took the risk that the freight carrier would disclose information
to the government. The Supreme Court has also made it clear that the subject
or target of an investigation is not required to be notified when their
records are subpoenaed or otherwise demanded from a third party, noting that
"When a person communicates information to a third party even on the
understanding that the communication is confidential, he cannot object if
the third party conveys that information or records thereof to law
enforcement authorities."

Now let's make it even more complicated. We already have the issues of
physical location, virtual location, ownership, and privacy interests to
deal with. To this we can add "ability and authority to access." Is the mere
"ability" to access a document or record enough to mean that you have
"possession, custody or control" of the record for the purposes of being
compelled to produce that record? If I have your Gmail account ID and
password, can I be compelled to produce your records? What if I regularly
access your GMail documents and spreadsheets account? What if I have the
authority to do so? At what point do I take possession of these records? On
the other side, if you store your records remotely through Google Documents
and Spreadsheets, can you avoid having to produce them pursuant to a
subpoena or court order merely by claiming (correctly) that you don't
"possess" them inasmuch as they are somewhere else? I don't think so. The
issue isn't "ownership" either, as you can be compelled to produce ANY
records or objects in your possession, custody or control - not just ones you
own. Confused? Wait... there's more.

Add to this mix the issues related to sovereignty, jurisdiction and venue.
Different countries have different privacy laws, and different laws related
to compelled production of information or documents in both civil and
criminal cases. Can a US court order the production of records of a foreign
company merely because they are stored on a server in Menlo Park,
California? Can they reach over to compel production of records in a foreign
country merely because a terminal in the U.S. can be used to "log in" to get
them? Can an affiliate be compelled to produce records of a foreign
domiciled affiliate merely because it has the ability to obtain those
records? While the cases are going to be fact dependent, the general rule
the U.S. courts are likely to follow will be, if you can produce, you must
produce.

What is the big deal if Google has to give up records you store remotely? I
mean, after all, it's just a matter of whether the subpoena goes to Google or
goes to you. After all, if YOU were subpoenaed for the same records (whether
stored at Google or elsewhere) you would have to produce them. In the end,
it's all the same, no? Not exactly.

You see, increasingly not only are YOUR documents and records (or documents
and records about you) being compelled to be produced, but - at least in
criminal cases - the government is more or less routinely demanding of ISPs
or other third party custodians that they not tell the person whose records
are being sought that the records are being produced. And there is little in
the law that mandates that the third party tell you that they are ponying up
your records.

In the case of "traditional" document storage facilities - you know, the
kind where you box everything up and they store them - you have a contract
with the storage facility that says that they will tell you if they get a
subpoena. But then again, you are paying them every month for the storage.
And they want to keep you happy. Even then, if a court orders that they NOT
tell you, the court order trumps the contract.

In the case of Google documents and spreadsheets, there is, as far as I can
tell, no similar requirement. Sure, they have Terms of Service and a Privacy
Policy, but the privacy policy specifically says that they can turn over
records (doesn't say whose) if there is a court order or other legal
process. While they want to keep their customers happy, let's face it, you
aren't writing them a check every month.

A case coming out of Cincinnati, Ohio on June 18, 2007 is illustrative. The
federal government wanted to read the Yahoo! and NuVox (an ISP) e-mails sent
and received by Stephen Warshak, the owner and operator of a company that
sold nutritional supplements. The government was investigating Warshak for
allegations of fraud.

The government got a court order under the Stored Communications Act, 18
U.S.C. § 2703, requiring the ISPs to pony up the contents of Warshak's
emails, and further prohibiting the ISP from "disclos[ing] the existence of
the Application or this Order of the Court, or the existence of this
investigation, to the listed customer or to any person unless and until
authorized to do so by the Court." The magistrate further ordered that "the
notification by the government otherwise required under 18 U.S.C. §
2703(b)(1)(B) be delayed for ninety days." A year later, Warshak learned
about the fact that the government had been reading his emails, and applied
for a court order to prevent any future reading of his emails without at
least letting him know.

The government argued that Warshak had no standing or ability to challenge
the subpoena, since it called for records that were not HIS, but rather
those of the ISP. By "giving" his records to the ISP, he had, according to
the government, forfeited his privacy rights. The court disagreed. It
properly noted that, while a mere subpoena could be used to get access to
non-personal records like billing records or usage records, a search warrant
would be required to get the contents of communications from the ISP. While
a mere subpoena might reach the contents of the records if, for example, you
subpoenaed a party to the communication, the ISP merely was a "holder" of
the records, and therefore a search warrant was required to access the
records. The court stated:

    . . . the government could not get around the privacy interest attached
    to a private letter by simply subpoenaing the postal service with no
    showing of probable cause, because . . . postal workers would not be
    expected to read the letter in the normal course of business. . . .
    Similarly, a bank customer maintains an expectation of privacy in a safe
    deposit box to which the bank lacks access (as opposed to bank records,
    like checks or account statements) and the government could not compel
    disclosure of the contents of the safe deposit box only by subpoenaing
    the bank.

The court went on to address the privacy interests of the users of
commercial ISPs, noting that:

    . . . individuals maintain a reasonable expectation of privacy in
    e-mails that are stored with, or sent or received through, a commercial
    ISP. The content of e-mail is something that the user "seeks to preserve
    as private," and therefore "may be constitutionally protected." . . . It
    goes without saying that like the telephone earlier in our history,
    e-mail is an ever-increasing mode of private communication, and
    protecting shared communications through this medium is as important to
    Fourth Amendment principles today as protecting telephone conversations
    has been in the past.

The government also argued that, since the ISP's Terms of Use give it the
right to read e-mails for certain purposes (such as to comply with court
orders or screen for malicious code), the user could not possibly have
expected their email to be private - an argument the court soundly rejected.

In the end, the Warshak court effectively told the government that it could
not merely subpoena the ISP - a third party custodian - for the personal and
private records of its customer (communications) except under certain
circumstances. It could get the records: (1) if the government obtains a
search warrant under the Fourth Amendment, based on probable cause and in
compliance with the particularity requirement; (2) if the government
provides notice to the account holder in seeking an SCA order, according him
the same judicial review he would be allowed were he to be subpoenaed; or
(3) if the government can show specific, articulable facts, demonstrating
that an ISP or other entity has complete access to the e-mails in question
and that it actually relies on and utilizes this access in the normal course
of business, sufficient to establish that the user has waived his
expectation of privacy with respect to that entity, in which case compelled
disclosure may occur if that entity is afforded notice and an opportunity to
be heard.

In effect, the Court said that the ISP was standing in Warshak's shoes, and
therefore Warshak had to be given a chance to object to the subpoena. Good
idea. But remember, if the government gets a SEARCH WARRANT (as opposed to a
subpoena) it can search for and seize your Google Documents and
Spreadsheets, and can likewise get a court order that the ISP not tell you
about it. In fact, the rules of criminal procedure in the United States,
Federal Rules of Criminal Procedure 41(f)(1)(C) merely require that an
inventory of what has been seized be left with the "person from whom, or
from whose premises, the property was taken" - the ISP, not the person whose
records were taken. Again, physical presence trumps privacy interests.

What we need to do is establish rules similar to those established by the
Court in Warshak. While location of records, and the nature of records is
important, we need to look at the privacy interests involved. By storing my
documents at Google instead of at my own server, have I really intended to
give up privacy interests? Should we not create the concept of a "temporary
custodian" someone who holds OUR personal information FOR US for a brief
period of time, but who has to notify US if there is a demand for OUR
records? I think a good hard look at substance over form is in order here.