Outsourcing: The Legal Implications

Overheard on die.net’s jabber server: “It basically says that since Gmail et al are in “possession” of your e-mail, a warrant only needs to be served on them, and it can include a provision that they aren’t allowed to notify the owner.”  (‘it’ being this decision, blogged about here and here)

From the decision:

Thus subscribers are, or should be, aware that their personal information and the contents of their online communications are accessible to the ISP and its employees and can be shared with the government under the appropriate circumstances. Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

District Judge Mosman seems to be making an interesting conflation that I find… odd… for a judge to make: “because things technically are a certain way, people should know that they are that way, but… regardless of whether they know it or not, we should treat them that way.”  Why should people know that they are that way?  We expect people to understand the full implications of Internet RFCs and how they interact?  Why should we assume that?  Even if we could assume that, there are lots of other technical implications that can lead to abuse of legal authority, and those are curtailed on different rationales; why should we treat email differently?

There are a number of inconvenient blunt facts, Judge Mosman.  It’s a blunt fact that your cell phone tracks your whereabouts.  It’s a blunt fact that many people’s cars track their whereabouts.  It’s a blunt fact that I can stand up a laser and a few other bits of technology that are commercially available in the United States, point them at my neighbor’s curtains, and get a nice full blown real audio copy of their conversations (this one’s pricey, but here just for reference that I’m not making that last statement up).

What prevents misuse of these technologies is the mechanism of legal warrant: if someone wants access to this sort of data, they’re required to convince a judge that this information is pertinent to a legal action, get said warrant written, and execute it.  Now, *physical* searches are different from wiretaps; this has long been recognized by courts.  One can argue that monitoring someone’s email is monitoring communications, and thus should be treated more like a wiretap than a physical search.  When you go to court to get permission to wiretap a target, all you have to do is execute that court order on the telecommunications company; you don’t have to inform the target.  You can also get a warrant for someone’s telephone records, but you don’t have to inform the target.  In that light, it doesn’t seem entirely different from the issue of email, right?

But email *is* different from telephone communications, because you’re not just getting someone’s *current* communications, you’re getting someone’s data store.  This isn’t like someone’s phone records, which are just a call log; this is like having retroactive access to everyone’s phone conversations, backwards in time.

There’s a quantifiable difference here.  Certainly, the question of whether or not the government should be able to execute a warrant on someone’s email store is an outstanding legal question, but “well, it can be done and people should know that it can be done so they can’t expect privacy” seems like a really weak sauce position here…

… and coincidentally, here’s a case where the ruling was found to be precisely the reverse…

In an interesting side note, a federal judge ruled yesterday that jurors in the Bear Stearns case (in which Cioffi and Tannin are accused of making their portfolios sound much healthier than they were) will not be permitted to hear about one email, in which Tannin wrote, “I became very worried very quickly. Credit is only deteriorating. I was worried that this would all end badly and that I would have to look for work.”

Judge Frederic Block ruled that the government’s search warrant filed with Google to obtain access to the e-mail was unconstitutionally broad and “did not comply with the Warrants Clause of the Fourth Amendment.”

What’s the moral of the story?  Well, it’s certainly the case that outsourcing providers have a bunch of your data.  It’s also certainly the case that it’s not currently stated in law what the legal obligations are of such an outsourcing provider vis-a-vis protecting your data from nefariousness, let alone government subpoenas or warrants (nor is there a suitable body of case law).  Heck, many outsourcing providers aren’t even in this country, so there’s no guarantee that even *if* legislation is drawn up (or case law reaches some preponderance of decisions) that you’re going to have U.S. legal protections over your data.

It just means that you ought to keep this sort of thing in mind, when you’re deciding whether or not to outsource…

Posted November 2, 2009 by padraic2112 in law, outsourcing, security, tech
