Wednesday, September 02, 2009

Vanishing Data (1)

You’ve probably seen a news story about Vanish, the software developed by computer scientists at the University of Washington. The New York Times had an article on it several weeks ago; since then, articles have appeared in a variety of sources.

The premise behind Vanish is to protect the privacy of emails and other types of digital messages by having them self-destruct after a specified period of time. I won’t go into the details of the processes Vanish uses, other than noting two things: One is that it’s designed to deal with data stored online in a cloud; the other is that it exploits the cloud by using an encryption key that is held by none of the parties to a digital message but is, instead, scattered through a peer-to-peer file-sharing system.

Since none of those who were privy to the message when it was sent know the key, and since the key is scattered throughout a cloud, it becomes difficult, if not impossible, for a third party to discover the key or to recreate it. That difficulty is exacerbated by the fact that the life of Vanish-protected messages is brief; as I understand it, even the author of a Vanish-encrypted message won’t be able to read it 9 or more hours after the message was sent. (From what I’ve read, it is, or will be, possible to expand that time period.)
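Here is a small working model of the mechanism described above, added as an illustration; it is not code from the Vanish project. It follows the design the post alludes to: a fresh random key encrypts the message, the key is split into n shares using Shamir's threshold secret sharing so that any k of them reconstruct it, the shares are pushed into a peer-to-peer store whose nodes discard entries after a timeout, and no party keeps the key. The concrete pieces are assumptions made for the demo: an in-memory dictionary with a time-to-live stands in for the distributed hash table the real system used, a SHA-256 counter keystream stands in for a real cipher, share indices 1..n replace the access-key-derived indices of the real system, and the 8-hour timeout and the n = 10, k = 7 parameters were picked for the demo rather than taken from Vanish's defaults.

```python
"""Toy model of a Vanish-style self-destructing message (added example)."""
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime used as the share field (my choice, not Vanish's)
KEY_LEN = 32        # 256-bit message key, always smaller than PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation mod PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Shamir: n points on a random degree k-1 polynomial; any k recover it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over at least k distinct shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def xor_crypt(key, data):
    """SHA-256 counter keystream standing in for AES; same call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyDHT:
    """Stand-in for the peer-to-peer store: peers drop entries after a timeout."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.entries = {}  # share index -> (value, time stored)

    def put(self, idx, value, now):
        self.entries[idx] = (value, now)

    def forget(self, idx):
        """Churn: a peer leaves the network and its share goes with it."""
        self.entries.pop(idx, None)

    def get(self, idx, now):
        entry = self.entries.get(idx)
        if entry is None or now - entry[1] >= self.ttl:
            self.entries.pop(idx, None)  # missing or timed out
            return None
        return entry[0]


def vanish_seal(plaintext, dht, now, n=10, k=7):
    """Encrypt, scatter the key as shares, keep no copy of the key.

    Real Vanish derives the DHT indices from a random access key stored with
    the ciphertext; indices 1..n are used directly here for brevity."""
    key = secrets.token_bytes(KEY_LEN)
    ciphertext = xor_crypt(key, plaintext)
    for x, y in split_secret(int.from_bytes(key, "big"), n, k):
        dht.put(x, y, now)
    return {"ciphertext": ciphertext, "n": n, "k": k}  # the key itself is not kept


def vanish_open(vdo, dht, now):
    """Rebuild the key from surviving shares; None once fewer than k remain."""
    shares = []
    for x in range(1, vdo["n"] + 1):
        y = dht.get(x, now)
        if y is not None:
            shares.append((x, y))
    if len(shares) < vdo["k"]:
        return None
    key = recover_secret(shares[: vdo["k"]]).to_bytes(KEY_LEN, "big")
    return xor_crypt(key, vdo["ciphertext"])


def demo():
    """The post's timeline with an 8-hour timeout picked for the demo."""
    hour = 3600
    dht = ToyDHT(ttl_seconds=8 * hour)
    vdo = vanish_seal(b"meet at the pier at midnight", dht, now=0)
    archive = dict(vdo)                                 # provider's backup of the ciphertext
    fresh = vanish_open(vdo, dht, now=1 * hour)         # readable inside the window
    for idx in (2, 5, 9):                               # three peers churn out; 7 >= k remain
        dht.forget(idx)
    after_churn = vanish_open(vdo, dht, now=2 * hour)
    expired = vanish_open(vdo, dht, now=9 * hour)       # shares timed out: gone for everyone
    archived = vanish_open(archive, dht, now=9 * hour)  # the backup copy is no help
    return fresh, after_churn, expired, archived
```

Running demo() walks through the sequence the post describes: the message reads fine inside the window, still reads after three peers drop their shares (seven remain, which meets the threshold), and comes back as None once the shares time out. A stored copy of the ciphertext is equally useless afterwards, since the key never existed anywhere except in the shares. The caveat a practitioner should keep in mind is that this only protects against copies retrieved after the window: anyone who read the message while it was live could have saved the plaintext, and anyone who can collect k shares from the peer-to-peer store before they expire keeps the key.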

Some of the stories I read about Vanish noted that it’s likely to raise certain legal issues; the one the Times article cited is the possibility that the use of Vanish would violate laws that require corporations to retain emails and other message data. Under the Securities Exchange Act of 1934, for example, companies engaged in securities trading must retain emails for a minimum of three years. See 17 Code of Federal Regulations §§ 240.17a-3 & 240.17a-4.

It looks to me like Vanish also raises other – far more difficult – legal issues. One goes to the privacy of emails. As I’ve noted in earlier posts, the 4th Amendment protects the privacy of our homes, persons, papers and effects from “unreasonable” law enforcement intrusions. As I explained, under the 4th Amendment officers must use a search warrant or an exception to the warrant requirement to “search” private property. Under the Supreme Court’s decision in Katz v. U.S., 389 U.S. 347 (1967), a “search” occurs when officers violate a reasonable expectation of privacy. To have a “reasonable” expectation of privacy in a place or thing, (i) I, subjectively, must believe the place or thing is private and (ii) society must agree with me, i.e., my subjective expectation must be objectively reasonable.

As I’ve explained in several posts, under the Supreme Court’s interpretation of the Katz standard, I probably don’t have a 4th Amendment reasonable expectation of privacy in emails I leave stored with my ISP. The Department of Justice has argued that we don’t have a 4th Amendment expectation of privacy in stored emails because by leaving them stored on the ISP’s server, we assume the risk that the ISP will (i) read the emails and/or (ii) turn them over to law enforcement (without law enforcement’s first obtaining a search warrant). As I explained, that argument is supported by a line of Supreme Court cases, cases I think were wrong when they were originally decided and have become, if such a thing is possible, even wrong-er as the years have passed and technology has advanced.

What, you ask, does that have to do with Vanish? It seems to me that if someone uses Vanish they’ve pretty much overcome the no-expectation-of-privacy-in-stored-emails argument because they’ve effectively insulated the contents of the emails beyond the reach of the ISP (or cloud computing service) with which they’re stored. In other words, I think using Vanish would defeat the assumption of risk argument, i.e., the by-storing-emails-you-effectively-share-their-content-with-the-entity-storing-them argument. If the ISP or cloud computing service can’t read the emails, I don’t see how you can be said to have assumed the risk of a loss of privacy; it seems to me that, as I argued in an earlier post, you’ve transformed the emails into the equivalent of a letter in the custody of the U.S. Postal Service.

That, I think, is the easy part. If we assume I’m right about all that, we then have to consider what the consequences are of this expectation of privacy in the contents of online communications. If using Vanish creates a 4th Amendment expectation of privacy in the contents of messages stored online, then the only way law enforcement can gain access to the contents of messages is to use a search warrant (or maybe an exception to the warrant requirement, but we’ll get to that later).

Let’s assume I use Vanish for the emails I send as part of my (hypothetical) criminal activities. Let’s also assume that FBI agents have developed probable cause to believe I am (hypothetically) engaged in these criminal activities and to believe that the contents of my emails are evidence of my (hypothetical) criminality. We’ll further assume that the FBI agents know I store my emails on the Nebulous Cloud Computing Service, which is conveniently located in the United States. And we’ll assume that the FBI agents use their probable cause (plus their knowledge of other relevant facts) to get a warrant that authorizes them to seize (copy, presumably) and then search the contents of the emails I have stored with NCCS.

Now what? The FBI agents contact NCCS, tell NCCS about the warrant and ask for copies of my emails (the ones that fall within whatever parameters are spelled out in the search warrant, such as the names of particular recipients, etc.). We’ll assume, for the purposes of analysis, that NCCS is able to locate and copy the emails. (As I understand it, Vanish doesn’t erase the messages themselves; instead, it makes them permanently unreadable after the basic window of time – the 9 or so hours – has passed.)

Now what? We’ll assume enough time has passed that the dynamic encryption key that was generated for the emails has self-destructed . . . which means no one can reach the contents of those emails. If that is true, then by using Vanish I’ve put the contents of the emails, as such, completely beyond the reach of law enforcement. The only way the FBI agents can “access” the contents of the emails is to get me and/or the recipient(s) of an email to describe its contents. They could do this by having a grand jury subpoena me and the email recipients; the subpoena would order us to show up before the grand jury and describe the contents of the email messages. As I explained in an earlier post, we could refuse to comply with the subpoena to the extent we could legitimately invoke the 5th Amendment privilege against self-incrimination. (I’ll do a follow up post on that, as it could be tricky.)

If I’m correct about all this, I can see two ways in which law enforcement officers – the FBI agents in this hypothetical – might have a shot at being able to access the contents of the emails. One is to use the exigent circumstances exception to the 4th Amendment warrant requirement.

As I noted in an earlier post, the exigent circumstances exception lets officers seize and search property without a warrant as long as (i) they have probable cause to believe evidence of a crime exists at the place where they’ll conduct the searching and seizing and (ii) the existence of some exigency – such as the imminent destruction of evidence – justifies not taking the time to get a search warrant. Here, the FBI agents could argue that the encryption key’s imminent self-destruction justifies their proceeding without a warrant . . . but that argument would only work as to emails for which the key hasn’t already self-destructed. So if the agents relied on this exception, they’d not only have to be monitoring my emails so they’d know how long they had before a key self-destructed (which might give them time to get a warrant) . . . they’d essentially be in a situation in which they’d have to proceed email by email, exigency by exigency.

Unless, of course, courts decided that the use of Vanish automatically gives rise to a continuing exigency, so that the FBI agents could simply contact NCCS and put in an order to copy every email I send as soon as it’s been sent and is stored on the NCCS system. (As I’ve noted in an earlier post, another set of laws protects emails while they’re actually being transmitted.) Or maybe courts would accept “Vanish warrants” – search warrants that issued when agents could show (i) probable cause that my future emails would contain evidence of a crime and (ii) that I use Vanish, so the window of time in which each of those emails is accessible creates a kind of canned exigency.

Even if they’re able to do all this, the FBI agents still have to be able to read the emails, which might be a factor that further supports the invocation of the exigent circumstances exception. As I understand it, when I use Vanish I will be able to read a message during the window in which the encryption key is still intact, and so will the intended recipient(s) of the message. If the FBI agents use the exigent circumstances exception, under any of the scenarios outlined above, they presumably will capture a copy of the email before the key self-destructs . . . which means the sender and recipient(s) can still read it.

That takes us back to a version of the grand jury scenario I outlined above. Now, instead of subpoenaing me and the recipients to describe the contents of the email, the grand jury could subpoena us and order us to access the email in the presence of FBI agents, who would then read (maybe photograph or print) the contents of the email. And that, again, takes us back to the 5th Amendment issue . . . which I’ll take up in a follow-up post.


Anonymous said...

The author should look up PGP. The important part is this: Person A can generate two numbers which are so large that guessing them would take a fast computer longer than the expected lifetime of the universe. Person A publishes one of them, which is called the public key, and keeps the other secret, which is called the private key.

Person B then takes Person A's public key and uses it to encrypt a message. Only someone with the corresponding private key can decrypt the message. Thus, Person A is the only one who can decrypt the message: No one else has the private key. Not the ISP, not law enforcement, just Person A. Person B could put the message on a billboard and only Person A could decipher it.

The point is, Vanish doesn't allow anything interesting that hasn't been possible since at least 1991.

Anonymous said...

ed in texas

It would appear that an important point would be, "Does Vanish affect archived files?" Let's say that a file is transmitted through a service that regularly backs up to optical disc (i.e. DVD, etc.). This is generally done in real life for security purposes, but I can see this throwing a major obstacle in the path of the Vanish process.

Susan Brenner said...

That's a very interesting point.

If the archived file, like the original one, is encrypted, then wouldn't the destruction of the Vanish-generated encryption key also make the archived version unreadable?