MSPs Not Immune When Authorities Demand Client Data

Managed services providers can find themselves navigating sticky privacy issues, balancing their duty to cooperate with law enforcement and their responsibility to safeguard customers’ data.

Aldrin Brown, Editor-in-Chief

March 15, 2016


Executives at Stonehill Technical Solutions won’t soon forget the day about six years ago when an FBI agent contacted the Laguna Hills, Calif., managed services provider and asked them to turn over the login credentials for a client whose business had – for undisclosed reasons – drawn the scrutiny of federal authorities.

At CEO David Bryden’s request, the agent sent over some documentation and a phone number to an FBI office, proof that the people on the phone were who they said they were.

When Bryden called the FBI back to inform them he would have to notify the client, the agent told him they had already gained access to the information they were seeking and no longer needed Stonehill’s assistance.

“We didn’t have to divulge (the) information,” Bryden recalled.

Experts say warrants and subpoenas for electronic information are typically served upon internet service providers (ISPs) or other entities that actually store data.

But the Stonehill experience illustrates how even managed services providers can find themselves navigating sticky privacy issues as they try to balance their duty to cooperate with law enforcement against their responsibility to safeguard customers’ data.

“We do put in our contracts that the data, all the intellectual property and even the security, is owned and controlled by the client themselves,” Bryden said of Stonehill’s approach.

“We’re using best practices to manage it and secure it,” he said. “The ultimate buck stops with them. In the event the FBI says ‘we need it,’ that would be a pickle that we haven’t had to face yet.”

Requests for electronic data — like emails, social media accounts and other electronic records — are governed by the Stored Communications Act, a 1986 federal statute that grants law enforcement broad powers to serve warrants or subpoenas and obtain digital information that could help solve or prevent crimes or national security emergencies.

The law is at the heart of a current dispute between Apple and the FBI. Federal authorities are trying to compel the tech giant to write a piece of code that would allow investigators to access information on an iPhone used by Islamic radicals who opened fire last December on a gathering of county employees in San Bernardino, killing 14.

The relevant portion of the statute says: “A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant …”

After 180 days, the entity that possesses the data can choose to release it without a warrant.

“The Stored Communications Act gives the judge the power to say, ‘I’ve heard your arguments, (now) open the phone,’” said Jack Russo, an attorney at the Palo Alto, Calif., firm Computerlaw Group LLP, which specializes in issues affecting the technology industry. “At the end of the day, the Stored Communications Act has a judicial exception to everything that could be asserted.”

In Russo’s opinion, Apple’s chances of ultimately beating the government in court are slim. Still, he said, the tech company’s decision to fight the Justice Department might be good business.

“Apple is asserting their objections so they can’t be sued by people who complain that (Apple) didn’t protect their privacy rights,” Russo said.

Should such a lawsuit be filed, Apple would be in position “to defend against claims that they gave up the information too readily,” Russo said.  

In another closely watched legal battle involving the Stored Communications Act, Microsoft is appealing a 2013 federal court order in a drug case that required the company to turn over data kept on a server located in Dublin, Ireland.

Microsoft’s lawyers have argued that U.S. authorities should not have the power to demand information stored in another country, any more than they should be allowed to search a home located in a foreign land.

The stakes surrounding the outcomes of the court cases are high.

Authorities worry adverse legal rulings could hamper their ability to solve criminal cases and keep the public safe from acts of terrorism. Meanwhile, much of the tech industry and civil liberties advocates fear that giving the government greater access to the growing volume of personal electronic information represents a profound erosion of privacy rights and could increase the public’s vulnerability to cyber-attacks.

Over the years, several customers of managed services firm Clare Computer Solutions received legal requests for electronic information, said Bruce Campbell, vice president of marketing at the San Ramon, Calif., company.

In those cases, Clare officials helped clients search the digital infrastructure and produce responsive information, he said.

Then about two years ago, the managed services provider was approached directly by FBI investigators seeking information about a customer, Campbell said.

In that case, the agents did not have a warrant or subpoena, but asked Clare to cooperate, nonetheless.

“The FBI is really intimidating, even without a warrant,” Campbell said.

“They just wanted to talk,” he said. “It was all very exciting, but nothing came of it.”


About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 
