January 10, 2011; Source: New York Times | As more and more nonprofit business is conducted “on the cloud” more and more records are readily accessible to investigating government agencies. Long story short – do not expect to be protected by agencies you work with or online services you use. While you are at it, do not assume you will ever know that anyone has even been digging.
Recently the government obtained a secret subpoena from a federal court to gather Twitter account information for a number of people associated with WikiLeaks, including the founder Julian Assange.
The request isn’t exceptional. The government — in the course of conducting inquiries — can sift through this sort of information without the knowledge of the people being investigated and in the case of espionage or terrorism the government does not even need a court order.
But Twitter has pushed back. While it did not fight the secret subpoena from the federal court the social networking site was able to successfully protest a gag order that accompanied the subpoena that would have prevented Twitter from informing Assange and others that their business was under investigation.
The government sends more than 50,000 of these secret requests each year in the form of a security letters, a vehicle authorized by the U.S.A. Patriot Act . Most of the recipients accede to the demand for information and secrecy. After all, comments Valerie Caproni of the FBI, “Most of these N.S.L.’s are filed on large companies. Why would they want to disclose that? Most companies view it as good corporate citizenry.”
The law that guides such discovery is the 1986 Electronic Communications Privacy Act, which many believe is outdated. In the absence of an updated law, online communications are subject to a very different set of rules than other forms of discovery. For instance, law enforcement must get a court order to wiretap phones and a warrant to search a home but investigations of online communications more than 180 days old can be authorized by a prosecutor.
The first person to file a constitutional challenge to the use of the security letter was Nicholas Merrill, who founded Calyx Internet Access Corporation, an ISP. Calyx’s clients included “dozens of nonprofit organizations and alternative media outlets.” He received the security letter in 2004 and until August 2010 was not allowed even to acknowledge that it existed.
Even now he must consult a 6-page guide given to him by his lawyers to refresh himself on what he is and is not allowed to say about the “request.” Among the things he cannot talk about is the information that was being sought.
About Twitter’s refusal to remain quiet he says, “I commend Twitter’s policy of notifying their customers of government requests for their private data and for their challenging and subsequently removing the gag order. This is a great example of the government’s misuse of secrecy provisions and of exemplary privacy ethics on behalf of Twitter.”
Says Valerie Caproni of the F.B.I., “People at the A.C.L.U. and the press” think the letters are “a bigger deal than the companies.”
Of course, says Jameel Jaffer, one of the aforementioned A.C.L.U lawyers, the fact that all goes so smoothly between the government and the corporations being served the letter may not be such good news since the privacy being violated is not that of the companies holding the data so much as it is of people whose records are held by the companies.
“People used to be the custodians of their own records, their own diaries. Now third parties are custodians of all that,” Jaffer said. “Everything you do online is entrusted to someone else — unless you want to go completely off the grid, and I’m not even sure that is possible.”
Nonprofits should consider carefully, therefore, what they cast up into the cloud and the vendors that they choose.—Ruth McCambridge