I have had debates with friends before about 'Who owns your data?' I would like to think it out and document my own position here (in my blog). The position leads from the hypothetical situation wherein a user (you) uses a shared public infrastructure (the Internet) to communicate with an associate. The question is whether the government has the right to request that communication from the third party, whether or not they need a warrant to do so, and whether the third party has the right to release this information without your permission (or notification).
In the 'old' days, telephone companies were given something called common carrier status. Effectively, they were defined as an infrastructure that provides a common good to the governed populace, and with this definition, they received a limitation of liability for the information carried over their wires. In return, the good of the populace was protected by giving the government certain rights, including the right to judicially reviewed wiretaps. There's a lot more to the story, but one of the important tenets of this service was that the phone company disavowed any control over the communication being carried over their wires. Anyone would be permitted to call anyone else, and use that electrical connection to transmit anything they wanted as long as it fit into the provided capability of the phone line. In my opinion, the giving of common carrier status effectively made the information that was carried over the Public Telephone Network (PTN) 'community property'. With the way the wiretapping laws were configured, there was a judicial process for law enforcement to gain access to the community property in order to protect the common good. In the end, everybody wins.
In the old telephone networks (at least prior to Electronic Switching Systems [ESS]), when you were connected to the party to whom you were speaking, you had a direct connected wave channel from your equipment to their equipment. Analog switching gear channeled and/or amplified the energy waves created by your microphone and delivered it out the other end to a speaker on the other end of the transmission. Transmission of this energy wave was not stored to be forwarded later. Equipment in between had no memory of your communication and, unless your line was tapped, could not reproduce the transmission. ESS changed this by digitizing communications between parties so that it could be digitally multiplexed with time, but the 'store and forward' in ESS was effectively nanoseconds of storage. While this may have offered technical challenges or even eased the mechanism by which wiretapping was done, it wasn't enough of a difference to say that any line was crossed.
Enter 'the Internet' - The Internet is more than a 'series of tubes'. It is a complex inter-relationship between millions of pieces of computer equipment over publicly and privately funded switched networks. The very way in which these networks operate provide a fundamental difference in the way they connect from the old PTN. One of the most basic changes is that the communications between two endpoints is not 'immediate'. Packets are stored and forwarded all along the communications path for a variety of purposes, such as routing, multiplexing and even at layers above the individual sessions (news servers, email servers, etc) we store more than just packets. Where previously all communications took place in singular sessions between parties, now communications involve multiple channels of connectivity, and even more store and forward of whole sessions and data sets from multiple sessions. Obviously, the rules have to change to meet this new architecture.
Because users don't normally think about the difference between, say, email and a telephone conversation, it is easy enough for them to have an opinion that these should both be treated similarly. After all, they are both a 'private chat' with a colleague, right? While that opinion may be far flung, as a technical user I must disagree with it. The email systems that most people utilize involve a store and forward mechanism in which we place our private thoughts in electronic form, and then deliver them, along with some addressing information, to a third party - normally a for-profit business, but your email may vary depending on who you work for and how you get email services. The email is not (normally) wrapped in any encoding that would hide it from casual sight. If someone were to ask for an analogy, I would have to give it the analogy of a postcard, mailed through the USPS - with the exception that their Internet email service is not provided by a government agency sworn to secrecy.
Technically, any network maintenance operations that may be ongoing at your provider or troubleshooting of the system, could innocently run across your 'private communication'. And here's the rub. That email server that you've entrusted the communication to, is owned and operated by a party that has not yet been removed from liability. In fact, I believe it is legally plausible to think that if you were to transmit illegal materials over the wire (such as child pornography), the provider in question has a duty and liability requirement by law, to report the illegal materials. If they do not, they could be legally responsible for the consequences of continuing to store and deliver that material. Because of this liability, and until this liability is removed, it is my opinion that your 'private communication' is no longer private as soon as you entrust it to the provider for delivery.
Common Carrier status carried with it the lifting of liability from the telephone companies. Yet, that same status has NOT been granted to providers of electronic services, such as email, ftp, or web services. Information that is stored 'in the cloud' for any period of time to permit its transfer between two parties puts the ownership of that information clearly in the hands of the provider, and that ownership is tied to their liability for the information. But, can a company disavow liability and grant privacy to the user? Does it have to?
How much liability there is can be a grey area. Before 'the Internet', we had bulletin board systems, both corporate and private. Some famous corporate ones were Compuserve, Q-Link (later AOL), and a little company called Prodigy. Prodigy attempted to market itself as a 'family-friendly' service, and actively participated in the culling and monitoring of their bulletin board services. Each board had an active administrative staff who was responsible for monitoring and editing the content of the boards through deletion of articles they felt were not in line with their Terms of Service (TOS). This 'active participation' put the company directly in the line of fire in a libel case (Stratton Oakmont vs. Prodigy) when a user made libelous comments that were not removed by the provider. In two different cases (Cubby vs. Compuserve; Blumenthal vs. Drudge), the providers (Compuserve and AOL) were not held liable, with the main argument being that Compuserve and AOL do not actively cull content.
Does this mean that Compuserve would NOT be held liable if it found child pornography on its servers and failed to report and/or remove it? Certainly not. Active liability for all content is not the same as due care (or passive liability). Law is (or should be) based upon common sense, after all.
So this gets back to the original question - does the provider have the right to share your data with the government without your permission? With liability out of the way, let's discuss distribution rights. For store and forward communications such as email, you've delivered the content to the provider for delivery at a later time. (We should probably separate emails from packets/sessions where communication is intended to be party-party in a session [such as a web session or telnet session].) You have effectively granted your ISP some distribution rights, arguably distribution rights to the intended party, and through use of the communication channel, rights to view the communication in the course of that delivery, including standard operations and maintenance.
If the ISP is not an active participant or editing publisher (such as Prodigy or say, a republisher like The Huffington Post or Associated Press), then do you own the distribution rights or did you give those up when you transmitted the data to the ISP?
A distribution right is defined as "Exclusive right of a copyright owner to distribute copies of the original work (book, illustration, photograph, record, software, etc.) to the public by sale, lease, or rental." Let's examine your communication under the guise of copyright. According to bitlaw, distribution rights have a limitation called "first sale doctrine": "... However, the distribution right is limited by the "first sale doctrine", which states that after the first sale or distribution of a copy, the copyright holder can no longer control what happens to that copy..." When software came along, Congress had to limit this doctrine to allow the owner to control rental of computer software because of the nature of how software is used (In many cases, it involves copying the software onto the target computer for installation). Does distributing a copyrighted email to someone grant them the right to distribute however they please? If so, then without reproduction rights, they would have to ensure that the original copy of your email were deleted, and never delivered to the recipient, if it were to be delivered to, say, the government.
While I am not a lawyer, it certainly seems that there may be something to this argument that, at least by copyright laws, the provider has your permission only to deliver (AND THEN DELETE!) your email message. Of course, you entrust that they will deliver it to the intended party. However, by making secondary copies for delivery to other parties, they may be in breach of your reproductive rights under copyright. Those same rights probably extend to your 'Sent Items' folder, wherein you are the author, and copyright holder of those works. By enabling your sent items folder, you are agreeing to a single reproductive right for the limited purpose of delivery back to yourself.
So, in conclusion, I think it should be argued that while the providers have limited liability scope to report illegal activity when uncovered, they do not have the rights to distribute or copy your communications to be shared with law enforcement agencies. In fact, I might argue that a valid warrant would be necessary for them to do so without incurring responsibility and liability for damages to you. I would also argue that they do not have the rights to give up the information that is being seized without deleting their copies of the materials without being liable for reproductive rights of materials they do not own.
Interestingly, when I began this discussion with myself, I probably swung the other way in my opinion. I'd be very interested in arguments for and against this position. Feel free to share it (and link to it) with others.
1 comment:
Comment #1 from the peanut gallery:
"They have the right to seize your data and any system that it's on." - from Roy M.
I completely agree, Roy - but when they seize it, a) they will need to follow due process and b) it won't be stealthy. My message will be captured en-route, or my copies of the data in my mailbox will become unavailable. I merely argue that the provider has no right to make a copy and provide it to the government without a seizure warrant. In fact, I would even go so far now to argue that they must NOT copy it and provide a copy without deleting the originals from their system unless the warrant expressly gave them that right (which would then be topic for a lawsuit regarding the right of the gov't to seize reproduction/distribution rights without alerting the actual rights holder!)
Post a Comment