Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Your Space, My Space, Everybody's Space
Mark Rasch, 2007-05-23

Story continued from Page 1

Unhappy Prosecutors

When MySpace insisted on some legal process to provide subscriber or identity information about people they had already kicked off the service, the Attorney Generals cried foul and went to the press. North Carolina Attorney General Roy Cooper sent out an e-mail exclaiming "MySpace admitted they've found thousands of sex offenders on their site, but they have refused to provide information so law enforcement and parents can do something about it." Cooper included both law enforcement and parents in the proposed list of people who would have access to the MySpace data. Essentially, Cooper was insisting that MySpace turn over information to the cops, and that the cops would then make it public – after MySpace had already deleted the accounts. Again, not necessarily a bad idea but where is the subpoena? It appears that the NC AG decided to get a civil investigative demand – essentially a subpoena without any court involvement to get around the provisions of NC § 15A 623(e) which provides "Grand jury proceedings are secret and. . . all persons present during its sessions shall keep its secrets and refrain from disclosing anything which transpires during any of its sessions" including presumably what documents are produced pursuant to a grand jury subpoena.

Cooper went on to note, "It's outrageous that MySpace chooses to protect the privacy of predators over the safety of children." Um, I think he meant the privacy of MySpace subscribers. Indeed, in the case of Freedman v. Am. Online, Inc., 325 F. Supp. 2d 638 (D. Va. 2004) AOL was successfully sued for giving out subscriber information without an effective warrant (the warrant was signed by one of the cops and not by a judge). In another case, United States v. Hambrick, 55 F. Supp. 2d 504 (D. Va. 1999), the Court refused to suppress the subscriber information delivered to the cops when a Justice of the Peace who was also a police officer signed off on an invalid warrant. In both Freedman and Hambrick, the ISP gave subscriber data to the cops without an effective warrant, and in both cases the courts found that the ISP could be held civilly liable for it. Cooper continued, “We will take action to require MySpace to give law enforcement and parents the information we need to protect our kids." Bully! That’s EXACTLY what he should do – take action to get the information, not waste time complaining to the press that MySpace wasn’t doing HIS job. Connecticut Attorney General Richard Blumenthal said that he was “deeply disappointed by MySpace's disingenuous refusal to provide information about convicted sex offenders with profiles on its site" He forgot to add, "without a subpoena or other legal process, or a demonstration of some exigency He also forgot to note that in the Freedman case, not only was AOL sued under the ECPA, but also under the Connecticut Unfair Trade Practices Act ("CUTPA"), Conn. Gen. St. § 42-110a et seq, a statute that Blumenthal himself is charged with enforcing.…"

This is not the first time that law enforcement agents have used public perception of a crisis to try to convince private entities to waive privacy policies and pony up information to the government without legal process. In the wake of September 11, the government used the threat of terrorism to get various airlines to pony up passenger information without any legal process. In both the United States and the UK, law enforcement officers have used examples of sexual assault to convince thousands of ordinary citizens to give DNA samples (cheek swabs) to clear them of any suspicion. There is nothing to prevent the cops from publishing the names of people who refuse to consent to giving a "voluntary" DNA sample in order to shame or pressure them into consenting – creating in the public the impression that they must be guilty of the sexual assault or they would be willing to give the DNA sample in much the same way that the Attorneys General in the MySpace case are attempting to pressure MySpace into "consenting" to provide the subscriber information without a subpoena. Indeed, in the DNA cases, once having obtained the DNA by "consent" there is no legal restriction on its use – the cops can retain the DNA samples obtained from innocent "volunteers" for years and compare them in every criminal or even civil cases. Such is the nature of "privacy."

Among the information requested by the AG’s from MySpace was information such as the number of registered sex offenders with MySpace profiles. The Connecticut AG noted "No subpoena is needed for much of the information we requested, such as the number of registered sex offenders with MySpace profiles. MySpace's failure to give us this essential data is inexplicable and inexcusable." He neglected to mention that the demand also called for the names of the registered sex offenders on MySpace, and the states in which they reside. He added that legally MySpace can and must provide this information without a subpoena, noting "The vague reference by MySpace to federal privacy laws certainly failed to justify a complete refusal to cooperate -- or insistence on a subpoena for all information." MySpace didn’t “completely refuse to cooperate," they just asked that the AG’s comply with the law – or more accurately not force MySpace to break the law.

There is no doubt that, if there was a threat of imminent harm and releasing the records of the NUMBER of registered sex offenders would prevent that harm, MySpace could release that information without a subpoena, both under its privacy policy and under the ECPA. Indeed, if there was evidence of criminal activity, MySpace could release the data, at least under its privacy policy. The aggregated data (e.g., the number of registered sex offenders on the site) may not be protected under the exact terms of the ECPA. Does this mean that the AG’s have a RIGHT to the data? Not really.

Privacy is about protecting data when somebody wants it for some purpose. It is easy to protect data that nobody wants. If State Attorney’s General ask for the information just because they want to know, why can’t other groups ask for the same, or similar information? Do I have the right to demand that Yahoo business scan posters for felony fraud convictions and provide ME (an investor) with the data? To what extent are we demanding that ISP’s, website operators, communications service providers not only act as law enforcement agents, but also waive both privacy AND legal restrictions in doing so? Clearly the AG’s argument that there was an imminent threat from the people removed from the service was what was disingenuous. Moreover, if the information was SO important, what kept the AG from getting a subpoena? Apparently nothing. Instead, the law enforcement agents responsible for enforcing privacy laws and policies were hoist by their own petard – they found the privacy laws as applied inconvenient, so they attacked the service provider. Indeed, they insinuated that not only was MySpace PERMITTED to turn over subscriber or other data to the cops, but that they were legally obligated to do so, just because the cops wanted it.

Sex Offender Crimes

The Attorney Generals appear to insinuate that there is some law that precludes all sex offenders from using online social networking services, noting that they have "no business" being there. Certainly sexual predation, and using computers in furtherance of sexual predation is a crime. For example, according to the National Conference of State Legislatures, a 2006 Colorado statute prohibits an unrelated person from using a computer network to communicate with a child under age 15 without consent of the child's parent if the person is at least four years older. Measures in Kansas and Oklahoma establish the crime of "electronic solicitation" as a felony, while a Virginia law made it a felony to pay for any online sexually explicit material that includes children. A Hawaii legislative proposal Hawaii H 1763 (2005) would have made it a crime to use a computer while impersonating another for the purpose of committing a sexual offense against a minor under the age of 16. North Carolina proposal S. 472 (2005) would have made it an offense to use a computer to solicit a child under the age of 16 for a sexual offense.

But the AG’s didn’t ask for the information in furtherance of the investigation of a particular crime. Rather, the Connecticut AG argued that "Many of these sex offenders may have violated their parole or probation by contacting or soliciting children on MySpace." But the AG’s didn’t demand the records of those who had such parole or probation restrictions. They didn’t present any evidence to MySpace of probation violations. They never explained how the information would prevent a crime, or empower parents, or more importantly why drafting a subpoena was an excessive burden. Indeed, it apparently wasn’t, as the AG’s eventually got them.

Clearly there will be cases where there are exigent circumstances or serious crimes where companies will simply turn information over to the cops because it’s the right thing to do to prevent imminent harm. What the AG’s seem to insinuate is that whenever they believe a crime MIGHT be committed, Internet companies have a legal duty to produce records to law enforcement without anything more than a demand. We could do away with subpoenas entirely. If the cops want it, they must have a good reason. And all internet companies become the agent of the cops. And that would be a dangerous thing. Almost as dangerous as the public relations nightmare that might befall you if you have the audacity to say no to the cops in the first place.

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Comments Mode:


 

Privacy Statement
Copyright 2010, SecurityFocus