As we approach the Internet of Things, more and more things are keeping tabs on me. My toaster is watching me, and the blender is looking at me funny.
Increasingly, companies that collect data will have to have robust privacy policies about what they collect and store, who they share it with, and what each of these entities will do with the information. But companies should also disclose what they will do when they receive a subpoena, demand, request or other process for the production of information about you. And most companies simply say that they will “comply” with lawful orders. What is missing from these policies is a discussion of how, when, where and the extent to which they will “comply” and whether or not they will provide you with notice of the subpoena so you can object to the compliance.
So the cops want to know what you are doing. They go to Yahoo!, Facebook, Google, Instagram, Comcast, Twitter and a dozen other Internet-based companies and serve them with a grand jury subpoena for information about your activities. You know, what you post, what you read, your activity logs, your email header and tracking information, your IP addresses, as well as the contents of communications sent and received. And they have a grand jury subpoena or other legal process. So what happens now?
Every privacy policy has either an express or implied provision that the entity holding the data will comply with lawful subpoenas or demands for information. It doesn’t matter if they wrote it in their policies, they have to comply. As the Grateful Dead pointed out, “If you’ve got a warrant, I guess you’re going to come in…” The policies relate to “lawful” subpoenas and demands, including emergency demands based on exigent circumstances.
But here’s the problem.
When your ISP, provider, social networking site, or whatever gets the subpoena or demand (whether from law enforcement, intelligence, administrative or regulatory agencies, or from your ex-wife’s no good rotten shyster lawyer), what do they do?
Most policies don’t say.
Google’s policy notes:
“Respect for the privacy and security of data you store with Google underpins our approach to complying with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google’s policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we’ll seek to narrow it. We notify users about legal demands when appropriate, unless prohibited by law or court order.”
Comcast’s policy notes:
“Typically, upon receipt of a properly and timely (within 6 months) submitted valid and statutorily authorized legal request, Comcast can supply the subscriber’s name, address, telephone number, email accounts, Comcast account number and current account status.”
The policies of various phone companies (including mobile providers) discuss how to format and serve demands, and note things like:
“The AT&T Wireless (AW) National Subpoena and Court Order Compliance Center (NSCC) is a team of specialized, wireless subpoena and court order compliance professionals focused on providing law enforcement, officers of the court, Public Safety Answering Points and other legal contacts with the best possible customer service in the wireless industry. The NSCC … currently responds to all AWS subpoena, search warrant and court ordered requests nationwide for customer records. The goal of this team is to comply with civil and criminal process and provide assistance to federal, state and local law enforcement agencies, attorneys, and customers pursuant to that process. At the same time, the team must ensure that they adhere to all applicable state and federal laws and that they protect the privacy of AW’s customers.”
What is missing is an indication of whether and when you will be notified of the demand. This is critically important because you cannot know whether your privacy has been or is about to be invaded unless you know that a demand for information about you has been made. In general, you should have the right to know (and to object) if someone has demanded your information. The default position should be that you get notified BEFORE the information is produced. This is true because the information sought may be protected from disclosure by privilege or other legal protection, because the information may be protected because of a trade secret, nondisclosure or confidentiality agreement, because the organization seeking the information may have a bias or jurisdictional issue that renders the order or demand improper or illegal, or simply because, well, it’s YOUR information.
Companies like Twitter make disclosure to the customer the default position. Their law enforcement guide states simply:
“Will Twitter Notify Users of Requests for Account Information?
“Yes. Twitter’s policy is to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order (e.g., an order under 18 U.S.C. § 2705(b)).”
That’s pretty straightforward. But it could go further. If the government seeks and obtains a sealing order preventing disclosure, the ISP or other entity should challenge the sealing order unless the government can demonstrate to the party holding the information that there is a good reason (more than just, hey – if they knew we were investigating it would be bad for the cops) to keep from the customer the fact that data was requested.
Federal rules relating to search warrants require the cops to notify the subject that a search has occurred and to provide an inventory of what has been seized – even if the search is conducted electronically. There are specific rules for delaying the notification in particular cases, but the default position is, if the cops search your data, you should know about it.
Unfortunately, with massive amounts of data in the cloud and in the hands of third parties, not only don’t consumers know if data about them is safe, they don’t know if it has been ponied over to others. That needs to change. You should know when anyone – and that includes cops and spies – accesses or uses your data. Unless there is a very good reason to keep it secret, and even then, only for a limited period of time. And that protects both the cops and the consumers.