Government Using Cloud Computing To Steal Your Data

Yesterday, EFF, on behalf of its client Kyle Goodwin, filed a brief proposing a process for the Court in the Megaupload case to hold the government accountable for the actions it took (and failed to take) when it shut down Megaupload’s service and denied third parties like Mr. Goodwin access to their property. The government also filed a brief of its own, calling for a long, drawn-out process that would require third parties—often individuals or small companies—to travel to courts far away and engage in multiple hearings, just to get their own property back.

Even worse, the government admitted that it has accessed Mr. Goodwin’s Megaupload account and reviewed the content of his files. By doing so, the government has taken a significant and frightening step. It apparently searched through the data it seized for one purpose when its target was Megaupload in order to use it against Mr. Goodwin, someone who was hurt by its actions but who is plainly not the target of any criminal investigation, much less the one against Megaupload.  This is, of course, a bald attempt to shift the focus to Mr. Goodwin, trying to distract both the press and the Court from the government’s failure to take any steps, much less the reasonable steps required by law, to protect the property rights of third parties either before a warrant was executed or afterward.  And of course, if the government is so well positioned that it can search through Mr. Goodwin’s files and opine on their content—and it is not at all clear that this second search was authorized—presumably it can also find a way to return them. 

But in addition, the government’s approach should terrify any user of cloud computer services—not to mention the providers.  The government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service.  Specifically, the government argues that both the contract between Megaupload and Mr. Goodwin (a standard cloud computing contract) and the contract between Megaupload and the server host, Carpathia (also a standard agreement), “likely limit any property interest he may have” in his data.  (Page 4). If the government is right, no provider can both protect itself against sudden losses (like those due to a hurricane) and also promise its customers that their property rights will be maintained when they use the service. Nor can they promise that their property might not suddenly disappear, with no reasonable way to get it back if the government comes in with a warrant. Apparently your property rights “become severely limited” if you allow someone else to host your data under standard cloud computing arrangements. This argument isn’t limited in any way to Megaupload — it would apply if the third party host was Amazon’s S3 or Google pps or or Apple iCloud.