Wednesday, May 15, 2013

Cloud-service contracts and data protection: Unintended consequences

May 13, 2013, 11:52 AM PDT
Takeaway: There are things your cloud-service (Facebook, Amazon, Google, Dropbox, etc.) contracts aren’t telling you. Michael P. Kassner interviews an attorney concerned about what’s not being said.
“If it’s not private, it’s not protected.”
When I heard Tyler Pitchford mention the above quote in his ShmooCon 2013 talk, “The Cloud, Storms on the Horizon,” I thought he was stating the obvious. I mean, duh, if it’s public, of course it’s not protected. Fortunately for me, I kept watching the video, eventually learning that’s not what Tyler was trying to say.
What’s more, by the end of the video it became apparent that I needed to rethink how and why I use cloud services. Using cloud services could lead to significant legal implications, and ultimately, financial hardships.
If you’re thinking this is yet more chastising to get everyone to read End User’s License Agreements (EULA), it’s not. I’m taking aim at what’s not being said in EULAs and privacy policies.
First things first: who is this guy Tyler Pitchford? And why does an attorney know so much about IT, especially software? Well, Tyler followed a different drummer prior to seeing the judicial light. He graduated with a B.A. in Software Systems Design, after which he put his expertise to use. If you ever used the file-sharing protocol BitTorrent, you are probably familiar with his BitTorrent client — Azureus.
I don’t know what more a “non-legalese speaking” guy writing about the legal implications of cloud services could ask for.

The cloud legally is?

Like all good attorneys, Tyler first defined the terms under discussion, in this case — the cloud:
The cloud is loosely defined as services (think Google, Facebook, Amazon, LinkedIn, and a whole host of others) delivered over a network. For our purposes: market-speak for resource and cost sharing.
Tyler added one caveat:
The cloud is an excellent way to maximize your resources, but filled with potential legal pitfalls. The larger your operation, the more hassles you’ll face.

Third-party legal issues

Now to the crux of what I wanted to talk about. It may not be correct legalese, but I call it third-party legal issues — something unfortunate happens that is outside our control. In the legal realm, third party refers to:
An individual or group who does not have a direct connection with a legal action, but is affected by it.
Third-party legal issues are particularly important to those of us who use or provide cloud services. Third-party eDiscovery can affect our own or our company’s ability to function. Tyler provided two real-world examples to explain how serious it can be.
First example: A small web-hosting service rented space to a business for its website. The business came under government investigation. The web-hosting service received a third-party subpoena even though it was not under investigation. The web-hosting service had to hire an attorney, produce documents, and shut down servers for eDiscovery, ultimately spending 50,000 dollars to meet the conditions of the subpoena.
Second example: A mid-sized business located its servers at a colocation facility. The government began investigating the owners of the colocation facility, issuing warrants and seizing everything in the building, including the servers of the mid-sized business, even though that business’s owners were not part of the investigation. The exact figure is unknown, but minimally, the mid-sized business was unable to function until the government returned its servers.
As you can see, through no fault of our own, we can suffer some serious digital and financial trauma. Tyler had several suggestions to reduce the fallout from being an innocent participant in a third-party legal action:
  • Encrypt, encrypt, encrypt!
  • Implement data-retention policies, and follow them religiously.
  • Delete redundant copies.
  • Quarantine data as much as possible.
Each bullet helps isolate your data or your company’s data from other third-party data stored on the cloud service, lowering the interest level of the civil, criminal, or governmental entity investigating the cloud service or another third party using the same cloud service.
Now that we are up to legalese speed, let’s get to some questions.
Kassner: Everyone mentions we should retain an attorney if we do not understand contracts related to cloud services. What kind of attorney is that? What is your specialty?

Pitchford: Sadly, like all things legal, it depends. Generally, you should be able to talk to any good business litigation or contract attorney to handle a general review of cloud-service contracts. If you’re worried about a specific question (privacy, intellectual-property rights, etc.) then you’d want to speak to a specialist.
As for me, I’m an appellate attorney, which means I deal with cases spanning the entire legal field. That said, the areas where I focus most of my time are mass-torts, complex commercial litigation, constitutional law, cyber law, and intellectual property.

Kassner: If you were tasked with setting up a cloud service for a company, what specifically would you want in the agreement?

Pitchford: I’d want the venue, forum-selection, and choice-of-law provisions (clauses that determine the location of the suit, the forum of the suit, court vs. arbitration; and what laws the court will apply) to match the location of the company headquarters, the main location of their legal offices, or anywhere I know that has laws favorable to the company’s expected battles. Depending on the company’s resources, and various other factors, I’d also consider an arbitration clause.
Specifically related to cloud computing, I’d want a guaranteed uptime with a defined penalty provision even though damages resulting from an outage can be difficult to quantify. I would also want some assurance as to whom I’d be sharing servers with.

Kassner: In your talk, you emphasize the need for companies to create a “data-retention policy.” What is it? And, why is it important?

Pitchford: A data-retention policy defines how long an entity stores data. For example, a company might issue a policy stating employees are only to keep emails for 180 days, or back-up servers should only retain two weeks’ worth of information.
A proper policy needs to balance how much of a data archive the corporation really requires to function versus the risk of a complete failure and an inability to recoup the data. The policy must keep the company functional, but should prevent data hoarding. And here’s why: the more data you have, the more data you’ll have to protect and search through if you’re ever involved in litigation.
A retention policy becomes even more important when you realize that you can be required to provide information as part of a lawsuit against a third party.
Kassner: That’s interesting, Tyler. I was under the assumption that a business or person being served a subpoena would be in trouble if they did not have the asked-for data?

Pitchford: As with all things legal, there’s a catch, and it varies by jurisdiction. The general rule is if you’re aware that litigation is likely, you must preserve relevant information within your control. Put simply, you can’t intentionally delete information relevant to a lawsuit against the company, directly or as the result of a third party; it’s illegal. But if there is no threat of litigation, eliminate the data; then there’s nothing to hand over.
It’s less expensive to explain that all potentially relevant information has been destroyed as part of the company’s retention policy, than it is to sort through umpteen years’ worth of archives.
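The retention rule described in the last two answers (delete on schedule, but never delete what a pending or likely lawsuit covers) is the kind of thing a sweep script has to get right, and the usual bug is forgetting the hold. The following is an added example, not code from the article or from Tyler Pitchford; the retention windows (180 days for email, two weeks for backups) mirror the numbers he gives above, while the record fields, the hold-matching rule, and the sample records are assumptions constructed for the demonstration.

```python
"""Retention sweep with a litigation-hold exception (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention windows in days per data class. Values are assumed, taken from the
# interview's own examples: emails kept 180 days, backups two weeks.
RETENTION_DAYS = {
    "email": 180,
    "backup": 14,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: datetime
    custodian: str  # mailbox owner or server the record belongs to (assumed field)


@dataclass(frozen=True)
class LegalHold:
    """An active hold suspends deletion for the custodians or data classes it names."""
    matter: str
    custodians: frozenset = frozenset()
    data_classes: frozenset = frozenset()

    def covers(self, rec: Record) -> bool:
        return rec.custodian in self.custodians or rec.data_class in self.data_classes


def sweep(records, holds, now):
    """Classify records into delete / retain, logging the reason for every decision.

    A record is deleted only when it is past its retention window AND no hold
    covers it. Records with no policy are retained and flagged for review rather
    than silently kept or silently removed.
    """
    delete, retain, log = [], [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.data_class)
        hold = next((h for h in holds if h.covers(rec)), None)
        if limit is None:
            retain.append(rec.record_id)
            log.append(f"{rec.record_id}: no policy for class {rec.data_class!r}; retained for review")
        elif hold is not None:
            # Hold wins even if the window has expired: preservation duty applies.
            retain.append(rec.record_id)
            log.append(f"{rec.record_id}: under hold ({hold.matter}); retained")
        elif now - rec.created > timedelta(days=limit):
            delete.append(rec.record_id)
            log.append(f"{rec.record_id}: older than {limit} days; deleted per policy")
        else:
            retain.append(rec.record_id)
            log.append(f"{rec.record_id}: within {limit}-day window; retained")
    return {"delete": delete, "retain": retain, "log": log}


# Constructed sample data: a fixed "now" so the run is reproducible.
SAMPLE_NOW = datetime(2013, 5, 13, tzinfo=timezone.utc)


def sample_records():
    d = lambda days: SAMPLE_NOW - timedelta(days=days)
    return [
        Record("mail-001", "email", d(200), "alice"),    # expired, no hold
        Record("mail-002", "email", d(30), "alice"),     # still inside window
        Record("mail-003", "email", d(400), "bob"),      # expired but bob is on hold
        Record("bak-007", "backup", d(20), "srv-1"),     # expired, no hold
        Record("bak-008", "backup", d(20), "srv-2"),     # expired but server on hold
        Record("doc-042", "document", d(900), "alice"),  # no policy defined
    ]


def run_demo():
    holds = [LegalHold(matter="constructed-matter-01", custodians=frozenset({"bob", "srv-2"}))]
    return sweep(sample_records(), holds, SAMPLE_NOW)


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The order of the checks is the point: the hold test sits before the age test, so an expired record that a matter covers is never deleted, and an unclassified record is surfaced rather than quietly treated either way. In a real deployment the hold list would come from counsel and the sweep would run against the actual mail store or backup catalogue, but the decision logic is the same.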
Kassner: You talked about something rather scary, “plain-view doctrine.” If I understand correctly, the government can charge a person based solely on evidence found while looking for something else. Is that right?

Pitchford: That’s correct. Coolidge v. New Hampshire, 403 U.S. 443 (1971), established the parameters of the plain-view doctrine, but they have since been massaged by the more recent Horton v. California, 496 U.S. 128 (1990).
A common example is the traffic stop, where during the stop the officer notices drugs sitting on the passenger seat. The doctrine, however, is also applicable to electronic information. If an officer were to lawfully seize and search a server as part of a raid on a cloud-service provider, immediately incriminating data located while executing the warrant would, arguably, be subject to the plain-view doctrine.
I should note there’s a split between the jurisdictions on exactly what the limits of the doctrine are as they apply to electronic search, but a full explanation would require an article all itself.

Kassner: Could the government take on a whole service like Dropbox, using a third-party subpoena, and then gather evidence using the plain-view doctrine?

Pitchford: Well, no. If a party turned over information by subpoena, then the plain-view doctrine wouldn’t apply because the information was handed over voluntarily, and they could do as they pleased with it.
If, however, we tweak your question a little to seizing an entire cloud service by warrant (think Megaupload), then it’s possible the government could utilize the plain-view doctrine to justify locating any incriminating information seized outside the scope of the warrant. But there are certainly limits.

Waiving privacy


Remember, “If it’s not private, it’s not protected.”
I thought I had better explain what Tyler was trying to get at. Most cloud-service contracts are agreements made between a person or company and a third-party service provider. What’s interesting is they can include clauses which define and/or waive any expectation of privacy.
When the agreements contain these types of clauses, data residing on a cloud-service provider’s servers is neither considered private, nor protected under the Fourth Amendment. And even if the agreement contains no explicit waivers, the government can still argue a waiver of privacy simply because you have provided your data to a third party.
The government has used these arguments successfully to get data turned over when a warrant could not be obtained; so those private comments on Facebook are not so private. Now you also understand why Tyler earlier emphasized “encrypt, encrypt, encrypt.” It is the only way data stored in the cloud is truly private.

Final thoughts

It’s been a long, challenging piece. I’ll end by asking Tyler for his “big picture” view.
I think cloud services are valuable tools, but they’re not the answer to everyone’s problems. When a company is deciding whether to adopt cloud services or not, it’s important they evaluate the full picture, not just how much money it can save by slashing IT budgets. And while there are plenty of discussions about the danger of service outages, there simply aren’t enough discussions going on about the possible legal ramifications.
I definitely wanted to thank Tyler, and his mother for allowing me time today — Mother’s Day — to ask a few last-minute questions. As an extra bonus, here are a few “bits of legal wisdom” from Tyler:
Reasonable Searches
  • Ideal: Probable cause required, vetted by the courts, and limited in scope to only what’s required.
  • Reality: Government will get the benefit of the doubt, and they’ll take everything. If you balk, they may give some back.
Due Process
  • Ideal: You’ll be given equal footing in court to present your case; if the government deprives you of property, you’ll be paid.
  • Reality: Courts will typically defer to the government, and there are many exceptions to takings.
Statutes
  • Ideal: To strike a balance between your rights, and the ability for the civil and criminal systems to function in a meaningful manner.
  • Reality: The laws are outdated, and don’t offer much protection. If you have the means, you may be able to put up a fight, but by that point you’ll already have suffered major losses.
