What privacy rights do people have for data in the cloud – and more importantly, how can they assert them?
A recent case out of New York answers that question as “very little” and “you can’t.”
That’s bad for the Cloud, bad for social networking sites, bad for business, and bad for privacy. In the long run, it’s bad for society as a whole.
The case in point arose from an extensive fraud investigation conducted by the New York DA’s office, which obtained 381 search warrants to seize all of the information in the targeted individuals’ Facebook accounts.
The warrants were not served on the individuals whose accounts were to be seized, but rather on Facebook itself, as the custodian, or as the court described them, the “digital landlord” for the accounts. OK, that’s pretty commonplace.
But the government went on. They got an order that Facebook could not tell their customers that the government was searching for and seizing all of their digital content. Telling the target would hinder the investigation, you see.
So Facebook, on behalf of its customers, challenged the authority, legitimacy and scope of the warrants. After all, it was Facebook that was being ordered to produce records.
Part of the search warrant challenge surrounded the fact that, while the investigation related to specific allegations of fraud, the warrant called for production of the entirety of the Facebook account – every “like,” every “poke,” every friend request, every high school reunion attended or refused, every picture of a mac and cheese at a restaurant, every Mets game attended.
The Fourth Amendment requires that a warrant describe with “particularity” the place to be searched and the thing to be seized. Within reason, there must be probable cause for the seizure of each thing to be seized.
If you get a warrant to search my house for tax records, you can’t take my photo albums, silverware set, or dining room table unless you can either show some connection to tax records, or if you can show that the dining room table cannot be separated from the tax records.
And in the latter case, having seized items because they are essentially “bound records,” you have to engage in minimization procedures to ensure that the cops only look at the materials which the court has found “probable cause” to believe are evidence of a crime. This is to avoid what the courts have called “general warrants.”
So the warrants issued called for the production of the entirety of these 381 subscribers’ accounts. Facebook challenged the scope and authority of the warrants.
But the Court refused to even hear Facebook’s challenge. The court found that Facebook lacked “standing,” or legal injury sufficient to challenge the warrants on behalf of its customers. They were a mere repository of the customers’ data. A digital landlord. What’s worse, the customer had few privacy rights because of Facebook’s own terms of service, which grant the California company the right and ability to examine customer accounts.
OK, so Facebook can’t challenge the warrant. But neither can the customer. You see, the government got an order telling Facebook that it can’t tell its customers about the search. So the customer has standing, but doesn’t know about the search and so can’t challenge it. Facebook knows about the search but has no standing to challenge it. A perfect situation for the government.
The Court found that one of the reasons Facebook couldn’t challenge the warrant was that, as a mere “landlord” or custodian of the customers’ records, Facebook had no “legitimate expectation of privacy” in the customer or client’s records.
The same could be said for any third party custodian. Amazon. Google. Your dry cleaners. It’s not wrong – it’s just simplistic. The big problem with the “custodian’s expectation of privacy” analysis is that current Fourth Amendment jurisprudence mandates that a search warrant only protects you if there is a reasonable expectation of privacy.
So if the third party custodian, to whom you have entrusted your records, has no expectation of privacy in them, not only do they lack standing to challenge the warrant, but as a practical matter, no warrant is needed at all. No privacy = no warrant.
Sure, YOU still have privacy rights, but the government will then argue that by turning your records over to a third party with knowledge that they might turn them over to some litigant, you have abandoned your expectation of privacy. Pretty neat for the government. For you, the cloud provider and the cloud generally, not so much.
Oh, we can’t just limit this to search warrants. The government or a third party could get a subpoena to a cloud provider or other third party custodian (or social networking site) compelling production of the documents or records. The recipient of the subpoena would lack standing to challenge its scope, and the person whose data is being compelled might never know about the subpoena.
This is fundamentally different from the government or someone else trying to get your bank records, telephone toll records, or other “third party” transactional records.
The courts have generally held that records of your phone calls (not content) are the phone company’s records about you. Surprisingly, if the government were to subpoena Google for records about your access to the servers, your use of the services, or other metadata, Google would have standing to challenge that search because those are their records about you, and they have an expectation of privacy in that.
But if they wanted to read your Gmail messages and stored documents, this ruling would say that Google could not challenge that search. The Facebook records are YOUR records stored on a remote server. Just like documents in Google Docs, or files in Amazon’s cloud. They are your records. One way to look at the cloud is to say, “my stuff, your place.” Or, more accurately, “my stuff, everyplace.”
This disconnect between “ownership” and “possession” or ownership and location creates opportunities for people to get your documents without your knowledge. Legally.
If you keep your records in your house that you own, and the cops want them, they get a warrant (or subpoena you for them) and you have the chance to challenge the search.
In very, very rare cases, the cops could get a warrant which did not require notice, but again this is infinitesimally rare, and Rule 41 of the Federal Rules of Criminal Procedure requires the cops not only to announce the warrant, but to leave a copy of it and an inventory of what was taken.
Imagine the cops going to the bank that owns the mortgage on your house and serving the warrant on them as the “owner” of the house (in many jurisdictions, technically true). But in the cloud, the cops, spooks, spies, hackers and just about any other litigant can compel the cloud provider to pony up records without your knowledge. Trusting that cloud now?
What’s worse, if the documents seized are privileged or otherwise protected from disclosure by law, it is the obligation of the party seeking to assert that privilege to raise and establish the privilege, or the privilege is waived. Guess what? They don’t know the records are seized, and therefore cannot raise or establish the privilege.
Even worse, the government and private litigants can and have gone beyond mere search and seizure in the cloud to “forfeiture” of the cloud. In the New York Facebook case, the government sought to seize 381 Facebook accounts in their entirety.
In other cases, the government has used the fact that a server was used by some users for unlawful purposes to seize the entire server, domain, domain name, email system, etc. Under the law of civil or criminal forfeiture, if something (say, Facebook) is used as a “means and instrumentality” of a crime – that is, it furthers the crime – the thing (the law calls it a “res” which is Latin for thing) is not only subject to seizure by the government, but technically title to the res vests in the government the instant the res is used unlawfully.
The forfeiture proceeding is a mere technicality. What’s worse, although federal law mandates that “innocent owners” be entitled to return of their “non-criminal” property, state law does not.
So if a husband takes a wife’s car to downtown Detroit to pick up a hooker, the government can seize the wife’s car as an “instrumentality” of the husband’s crime of soliciting prostitution (a crime which carries a $100 fine), sell the car, and not be required to give the wife anything.
In the Cloud environment, if Facebook (the res) is used as an instrumentality of a crime, the government can seize Facebook. It’s important because it’s not seizing the data for evidentiary purposes – that would come under the purview of the Fourth Amendment and would require probable cause.
No. The wife’s car wasn’t evidence. It furthered the crime, and now it belongs to the government. Facebook furthered the crime of fraud in New York, so now Facebook (together with your account, my account, and everyone else’s account) belongs to the government. Years ago the Scientologists were upset with an anti-Scientologist group called the Cult Awareness Network. They sued them, and obtained title to the domain, which they used to find other anti-Scientologists.
The government has used the forfeiture principle to seize email servers including massive amounts of email not covered by any warrant, and then later searched that email by serving a warrant on themselves.
Perhaps the cloud providers could change the result by adding language into their agreements or Terms of Service that say, “we reserve the right to challenge subpoenas, warrants or other demands for your data, and you grant us the right to do so.”
But I am not sure that they want that burden, and I am not sure that this language would be sufficient to grant the “digital landlord” the requisite “expectation of privacy” sufficient to challenge the search.
Oh, and it gets even worse. Typically, the government would at least have to tell the target of the investigation that they had searched for and seized their records if they ended up indicting them and wanted to use the evidence against them, right?
Not so fast, kemosabe. What the government has done – and said they do “routinely” – is simply lie to the Court and the defendant.
When, for example, the government learns something from an NSA wiretap of a defendant and doesn’t want to disclose the fact of the wiretap, it simply tells the court (and writes police reports that reflect this) that the source of the information was an “anonymous tip.”
Similarly, when police use electronic surveillance tools like “Stingray” devices to track people’s locations and phone calls, rather than tell the courts and defendants that they used the devices, and give the courts the opportunity to consider the legality of these tools, the cops not only report that the suspect’s location came from an “anonymous source” but also order other police departments to do the same.
It’s all about protecting sources and methods. So in the Facebook case, the government could get a warrant or subpoena to Facebook, examine all of the records, keep Facebook from challenging the search on “standing” grounds, and inform the court that they learned of the defendant’s activities not from a warrant for their Facebook activities, but from “anonymous sources.”
The defendant is none the wiser. And what works for the cops works for your average sleazy divorce lawyer, the IRS, and just about anyone else. This is what happens when you give up control over your information to third parties. At least, that is what happens legally. Much of this information (like your Facebook stuff) cannot be effectively encrypted. That’s not what it’s there for.
And that’s the problem. The government serving the warrant on Facebook here is like the government serving a warrant on itself. If Facebook can’t challenge the warrant, and the users don’t know about it, there is nobody watching the watchers. That’s bad for society, and for business. Ultimately it will destroy the cloud.