It was big news last month when Dropbox, the popular cloud storage provider, announced that it was offering new multiuser business accounts at a competitive price. The business which initially launched as a consumer service announced that it woiuld now be offering its new service to small and medium size corporate clients. Corporate users would be able to create virtual disk folders on their computers which would be mirrored on the cloud and would be available anywhere.
The promotional information for the new service promoted its high level of security which includes password protection and user side encryption. What Dropbox did not easily disclose in its promotional materials was that the service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law. Use of the service by a corporation subject to these acts could result in substantial fines and penalties.
Although many similar servies also do not meet these requirements, Dropbox’s new service is directed not at the home user but at corporate customers in industries likely to be governed by these regulations. Dropbox’s explanation for not emphasizing this shortcoming in its promotional literature was that its customers were more concerned with collaborative ease than with regulator compliance.
Ultimately, this is an example of the basic rule of all cloud computing – user beware. A corporation in a regulated industry needs to be proactive in confirming that a service which it intends to use fulfills its regulatory requirements. Furthermore, corporations need to create, promote and enforce internal guidelines to avoid use of cloud based services which could results in regulatory violations. For such guidelines to be effective, the company’s employees need to be educated to avoid using such services for company information without prior company approval.
The 9th Circuit has ruled in Suzion Energy Ltd v. Microsoft Corporation, that emails belonging to a non-US national which are hosted on US based servers by a US Cloud providers. The Electronic Communications Privacy Act of 1986 (ECPA) provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communica- tion while in electronic storage by that service.”
In this case Suzlon sought emails under to use in a civil fraud proceeding pending against Rajogopalan Sridhar and others in the Federal Court of Australia (the “Australian Proceedings”). Although Sridhar is a citizen of India and is imprisoned abroad, the relevant emails are stored on a US server by a domestic corporation, Microsoft. The district court initially granted Suzlon’s petition for production of documents. In response, Microsoft filed objections that the district court deemed to be a motion to quash.
The Court construed the term person as defined in the Act to extend to “any person” regardless of nationality. Thereby the court expands the application of the ECPA to foreign nationals. This reading is consistent with other decisions that have interpreted similar laws such as the Freedom of Information Act.
On June 28, 2011, at the launch of Office 365, the new cloud based version of its well-known office tools, Microsoft stated that data that you store on the cloud is subject to scrutiny by the US government even when it is stored overseas. ZDNet reporter Zack Whittaker reported that, when asked if Microsoft could guarantee that data stored in the European Union would not leave the European Economic Area, Gordon Frazer, managing director of Microsoft UK, explained that it could not. Because Microsoft is a US based company it has to comply with US laws and would be forced to disclose data to the US government if required to do so under the Patriot Act. When asked if customers would be notified of a government ordered disclosure, he said that neither Microsoft nor any other company can provide such a guaranty. Gagging orders, injunctions and U.S. National Security Letters can prohibit disclosure of information requests to the owners of the information.
These public admissions are consistent with similar admissions previously made by Microsoft in a white paper detailing Office 365 security which states:
In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).
Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond. …and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited.
In addition to the insecurity that this language creates for European users who, by using the service, may be exposed to US government scrutiny, it also brings into question the legality US run cloud services in the Europe. European data security directives prohibit removal of data from Europe without the data owner’s consent. Microsoft did not explain how it reconciles its obligations under US and European law.
Microsoft’s own white paper increases concern about the extra territorial transfer of data:
As a general rule, customer data will not be transferred to data-centers outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)
This language not only creates concerns for European customers of the Office 365 service but for US customers concerned with running afoul of export controls which might hold them strictly liable for foreign transfer of certain technical information.
While some readers may shrug off the disclosure requirement assuming that laws such as the Patriot Act are limited in use to terrorist investigations, it is important to understand that nothing restricts the scope of information obtained under the act or the transfer of information gained to other government agencies. In fact, the government has repeatedly refused to disclose how it feels that it can use the Patriot Act and where there has been disclosure, the interpretation has been expansive.
So what do these disclosures suggest for users of cloud services. For one thing, it is likely that European users will shy away from accessing cloud services provided by US companies. We are also likely to eventually see litigation reconciling European Union data rules against compelled disclosure under national security laws such as the Patriot Act. Finally, companies that are subject to export control compliance would be wise to shy away from cloud services and instead opt for restricted hosting services where they can assure no foreign access to their data.
Every month across the United States large media companies or business associations file dozens of lawsuits accusing individuals of copyright infringement based solely on claims that film or music files were downloaded to their IP-address. An IP-address is a unique number associated with a particular online account. Over the last few years tens of thousands of suits have been filed on similar grounds, many resulting in settlements of thousands of dollars. Often the individual defendants are forced into such settlements by fear of statutory damages and costs of litigation even where they feel that they were wrongly accused. As a result, many commentators have referred to these lawsuits as unfair and a legal a shakedown.
A new decision issued on April 29, 2011, by a judge in the Eastern District of Illinois brings into question the future of such suits. In VPR Internationale v. Does 1-1017, (2:2011-cv-02068) Judge Harold A. Baker denied a Canadian adult film company’s request to subpoena ISPs for the personal information connected to the IP-addresses of their subscribers. The court reasoned that since IP-addresses do not equal persons, no defendants had been identified in the suit and there was no adversarial process. Since, under federal rule of civil procedure rule 26(d)(1), no discovery may be conducted before the parties to the suit have conferred absent special leave from the court, the judge reasoned that VPR could not go on an ex-parte fishing expedition.
The Court’s concern clearly went beyond the mere procedural issue. Judge Baker cited a recent child porn case where the U.S. authorities raided the wrong people, because the real offenders were piggybacking on their Wi-Fi connections. The judge noted that, based on this example, defendants in VPR’s case may have nothing to do with the alleged offense either. “The infringer might be the subscriber, someone in the subscriber’s household, a visitor with her laptop, a neighbor, or someone parked on the street at any given moment.”
The fact that the suit involved the downloading of adult content was a significant factor in the case. Judge Baker noted that “the embarrassment of public exposure might be too great, the legal system too daunting and expensive, for some to ask whether the plaintiff VPR has competent evidence to prove its case.”
Baker concludes by citing another case for the proposition that until at least one defendant is served the Court lacks personal jurisdiction over anyone. The Court would not support a “fishing expedition” for subscriber information under the circumstances.
VPR responded to the initial denial of the subpoenas by asking for certification of the following question for interlocutory appeal:
Defendants’ identifies are unknown to the Plaintiff. Instead, each Defendant is associated with an Internet Protocol (IP) address. Internet Service Providers (ISPs) know identity and contact information associated with each IP address. Is the Plaintiff to entitled to discover this information by serving ISPs with subpoenas duces tecum under Fed. R. Civ. P. 45?
The Court refused to certify the question. We will have to wait to see if other courts follow this decision.
On Friday the Obama administration released the second draft version of the National Strategy for Trusted Identities in Cyberspace (“NSTIC”). The trusted ID plan is part of the Obama administrations Cyberspace Policy Review, released in May 2009. This new draft focuses the effort to create an online identification system on the private sector with the government serving in a coordinating capacity.
The press release emphasizes the importance of the Internet to commerce but also its “online fraud and identity theft, that harm consumers and cost billions of dollars each year.” By making online transactions trustworthy “we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.”
Key elements of the trusted identification systems suggested by the strategy include the ability to opt into the system, different types of credential for different categories of access and preservation of an anonymous option. The strategy promises benefits such as faster transaction processing, age restriction for content, easier smartphone transactions and enhance public safety.
Much criticism of the strategy has come from privacy advocates. This latest draft emphasizes that identification systems will be optional and will not abolish anonymity. At the announcement of the latest draft Commerce Secretary Gary Locke dismissed such worries as conspiracy theories.
Your company may soon face more regulations in how it gathers and maintains customer data online. On Tuesday April 11, 2011, Sens. John Kerry (D) of Massachusetts and John McCain (R) of Arizona introduced a new bill titled the Commercial Privacy Bill of Rights Act of 2011. If passed the bill would impose new responsibilities on companies to disclose what data is collected from online visitors to their sites and would entitle users to opt out.
The bill seems to be explicitly directed at re-advertisers. It explicitly states that it will target companies that take information solely for the purpose of advertising, and will be more lenient towards companies that have “existing relationships with customers.” “The bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing,” McCain said in the joint statement with Kerry. “It is this practice that American consumers reject as an unreasonable invasion of privacy.”
An additional factor that is likely to be the object of scrutiny as the bill advances through congress is a requirement that data that is collected by adequately secured once it has been gathered. The FTC would be empowered to publish rules setting forth security requirements. This portion of the bill responds to growing consumer concerns at unauthorized personal information leaks in the news.
On Wednesday April 6, 2011, the Senate Judiciary Committee met to discuss overhauling the Electronic Communications Privacy Act of 1986 (“ECPA”). This law governs privacy related to data collection and electronic communications but is lacking in any provisions regarding new technologies and practices such as mobile phones, mobile hotspots, social networking and cloud computing.
At least one party opposed to changing the law is the Department of Justice. (“DOJ”) James A. Baker, associate deputy attorney general for the DOJ, told the committee that “the government’s ability to access, review, analyze, and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers, and other malicious actors.”
Mr. Baker tried to persuade the panel that great government access to our private and corporate information actually provides for a more private environment. “By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes.”
What solution does the DOJ offer? Well, for the moment none, however, Cameron F. Kerry, general counsel for the U.S. Department of Commerce, told the committee that the departments of Commerce and the DOJ “have been working together to develop a specific set of legislative proposals.” No suggested tie frame for these proposals was stated.
Senator Patrick Leahy, chairman of the committee, opening remarks at the hearing suggest that the committee might be deferential to the DOJ and DOC on these topics.