Companies have significant freedom to protect user privacy from government access while still complying with the law. They can implement technical policies like minimal data retention, transport encryption, and storage encryption without handling user encryption keys. They can also adopt legal policies like refusing voluntary disclosure, charging the government reasonable costs, applying the Theofel standard nationwide, publishing statistics on requests, and donating money charged to charity. Saying no to government requests and protecting user privacy is good for business and public relations.

1. Saying no to the government Christopher Soghoian Indiana University Presented at LSI Cloud Computing Seminar

2. About me and my work PhD Candidate at Indiana University Privacy activist Some of my previous work includes: TSA / No Fly List activism TACO Behavioral Advertising add-on for Firefox Open letter to Google Re: SSL for Gmail These opinions are my own.

3. A problem for Internet companies Consumers care about their privacy, and are particularly concerned about government access. The government routinely compels Internet and telecom companies to disclose their customers’ data. When the firms do disclose (as required by law), they are criticized, blamed and shamed by privacy activists.

4. Saying “no” to the Feds is great PR Qwest and the NSA (2001). Gonzales v. Google (2006). Kramerbooks and Kenneth Starr (1998). Tattered Cover v. City of Thornton (Colo. 2002). In re Application of U.S. (D. Col. 2010)

5. Saying yes to the feds brings bad press Jetblue sharing passenger data with DoD (2004). AT&T and Verizon providing “sneak peeks” to the FBI (DOJ OIG report, 2010). Yahoo and Chinese dissidents (2003). What about the legal costs?

7. Companies can be compelled to violate their end user’s privacy In re the U.S. for an Order Auth. the Roving Interception of Oral Commc’n, 349 F.3d 1132, 1134 (9th Cir. 2003).

8. How can you protect your customer’s data from government access, yet still comply with the law?

9. Companies have significant freedom Technical Policies: Minimal data retention Transport encryption Storage encryption Don’t ever handle user’s encryption keys. Legal policies: No voluntary disclosure of data in emergencies. Charge the government. Theofel standard, no matter where the request comes from. Publish stats on government requests.

10. Data Retention If you don’t log it, you can’t be compelled to disclose it. Examples include Indymedia.us (2009). The Tor anonymous browsing network. Sprint Nextel (static IPs retained for 2 years) vs. T-Mobile & Cricket (no logging of IP info).

11. Swedish ISPs An anti-piracy law enacted April 1, 2009, forcing ISPs to disclose identities of accused P2P infringers.

12. Transport Encryption Not all cloud computing providers provide the same degree of security. You wouldn’t use a bank that doesn’t offer SSL – why do you trust a cloud based provider that doesn’t offer SSL (and enable it by default).

14. Storage Encryption Several services now offer cloud based storage of user data, with an encryption key only known to the user. If the government compels disclosure of data, they have nothing useful to deliver. Do NOT handle the user’s encryption keys, even for a second or two.

15. Pro-privacy ECPA positions Yes, ECPA strictly regulates when the government can compel the disclosure of customer information. However, companies can adopt extremely strong pro-privacy positions, and still comply with ECPA.

16. Voluntary Disclosure and ECPA 18 USC 2702 regulates the voluntary disclosure of data to the government in emergencies. There is no emergency obligation to disclose. Rule 41 (d)(3)(A) states: “A magistrate judge may issue a warrant based on information communicated by telephone or other reliable electronic means.” Companies can and should adopt a policy of “no valid legal process, no data.”

17. Charge the government 18 USC 2706: permits you to charge the government reasonable costs for compliance with requests. The problem with free: No reason not to ask. Charging just $1 changes the equation.

18. Don’t keep the money “Selling” your users’ data to the government looks really bad. Solution: Charge the government, and then donate the money to charity.

19. Theofelv. Farey-Jones DOJ’s position: Once an email has been opened, it can be obtained with a subpoena. Ninth circuit disagrees. Some ISPs have argued that since their HQ is in 9th circuit, Theofel applies no matter where the request comes from. Others have simply argued that Theofel is the correct interpretation of the law. DOJ isn’t happy – Good. Make them fight it out in court.

20. Publish Stats!

21. Further reading (my work) An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government, Forthcoming. Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era,Journal on Telecommunications and High Technology Law, Vol. 8, No. 2, 2010. More info and other work available at: http://www.dubfire.net Email me: csoghoian@gmail.com