FBI seizures highlight law as cloud impediment
The good folks at Cloudiquity.com pointed me to a couple of Threat Level articles from last week that highlight yet another example of how public policy and the law are often at odds with running a business in the cloud.
The articles report that the FBI raided at least two Texas data centers last week, serving search-and-seizure warrants for computing equipment, including servers, routers and storage. The FBI was seeking equipment that may have been involved in fraudulent business practices by a handful of small VoIP vendors.
The problem is that they didn't just grab the systems belonging to the VoIP vendors, but also hundreds of servers that served a wide variety of businesses, the vast majority of which had never dealt with or even heard of the companies under investigation, according to Threat Level. Companies interviewed complained of losing millions of dollars in revenue and equipment with no warning whatsoever.
One company, auto vendor marketing and inventory management vendor Liquid Motors, filed suit in a U.S. district court seeking a restraining order against the FBI that would force the return of the company's servers.
In what has to be one of the scariest verdicts for cloud users everywhere, the district court sided with the FBI and supported its probable-cause argument for holding on to the servers. Although the FBI was kind enough to copy the disk drives for Liquid Motors (on drives Liquid Motors had to provide), the precedent set here sends a shiver down my spine.
The issue, I think, is one of how search and seizure laws are being interpreted for assets hosted in third-party facilities. If the court upholds that servers can be seized despite no direct warrants being served on the owners of those servers (or the owners of the software and data housed on those servers), then imagine what that means for hosting your business in a cloud shared by thousands or millions of other users.
As I noted in a blog post last fall, there are a series of legal issues that really need to be addressed before external cloud services can truly be trusted. Here is what I argue must happen:
- The law must respect digital assets in the same way that it respects physical assets. This means that search-and-seizure rules should apply to data and software run on third-party infrastructure (or wholly owned infrastructure run in third-party facilities) in the same way that they protect my home and personal property, if I rent an apartment in a building housing hundreds of tenants. The fact that one tenant commits a crime is not enough for the civil liberties of all of the other tenants to be null and void. I argue the same goes for digital assets "renting" space in the cloud.
- The federal government should adopt a cloud-computing bill of rights. (Here is a rudimentary example.) Each state should as well. Declare loud and clear that you suffer little or no loss of rights if you choose to run your business in the cloud over running it within your own facilities.
- Repeal or revise the laws that make it impossible for foreign businesses and governments to allow communications and data to pass within U.S. borders (including relevant elements of the Patriot Act).
It is time for our policy makers to step up and really understand the influence that the Internet and cloud computing will have on the future growth of this country. It is scary how little technical understanding most Congress and Senate members have. However, that alone is not an excuse for not grasping the policy gaps that are brought about as our commerce and society rely increasingly upon Internet-based services.
I don't want to spread unnecessary fear here, so let me temper my comments by noting that outsourcing and hosting are two industries that have thrived and survived just fine in the current legal climate. I still believe strongly that cloud computing is a next-generation, disruptive technology that will change the face of business once more.
I should also say that I understand that the FBI has a job to do, and generally agree with Mark Burack, executive vice president for Liquid Motors, when he noted "Catching bad guys is important. We support them, and we know they have a tough job. And sometimes innocent people get hurt."
However, I will point out that our legal system allows us to change laws when our environment changes. This is especially true when we realize the innocent are being hurt, and we can take action to prevent that without harming the security or economic welfare of our nation. Search-and-seizure rights in the cloud are one example of this, in my opinion.
What do you think? Will the U.S. legal system be a hindrance to cloud-computing adoption, or will these types of events be rare enough--and justified enough--to have little effect? Are you comfortable running your business in the cloud, knowing that the infrastructure you rely on could be shut down and taken away with no notice?
James Urquhart is a seasoned field technologist with almost 20 years of experience in distributed systems development and deployment, focusing on service-oriented architectures, cloud computing, and virtualization. James is currently market manager for the Data Center 3.0 strategy at Cisco Systems, though the opinions expressed here are strictly his own. He is a member of the CNET Blog Network and is not an employee of CNET. 





What you don't hear about? If a person who uses your ISP is involved in crime and investigated by the FBI they will monitor ALL traffic for the ISP. Haven't heard about Carnivore for a while, but it's still out there in one form or another. I worked for an ISP and I can tell you that if you do not run your own mail server or encrypt your mail the FBI is probably collecting it and placing it into a searchable database.
What scares me is the ability to sweep up companies' servers with no connection to the injustice just because it's in the same building. The reasoning by the FBI was that these other servers could have been hosting some of that data. I own my servers and would know if someone else was hosting data on my server.
If that were truly the case, then every server in the US should be swept up because the internet is the cloud now and that data could have been seamlessly stored anywhere, not just in that room on another server.
If this happened to my business, it would have put me out of business even though we only host sites we develop for small clients. The question is, where does the good of the public start and the long arm of the law stop?
IMHO this was too broad of a stroke and the Dallas Judge should have said NO to the warrant since it didn't identify specific servers. Sometimes judges' ability to understand technology enables law enforcement to take the easy approach instead of doing their homework before the raid.
I also subscribe to the "catch the bad guys" mentality but not when that many innocent businesses were affected.
- by Pete Bardo April 16, 2009 12:11 PM PDT
- "And sometimes innocent people get hurt." You know, that's just not right. We all have rights, and I'm not willing to give any of them in order to "catch the bad guys". The reason we have a Bill of Rights is to prevent (or at least try) the innocent from being hurt. When innocent people are hurt by law enforcement people, we need the ability to strike back at them. Infringe on my rights and go to jail--or at least on vacation, unpaid!