Web Apps: Single Point of Subpoena

Reading Dion Hinchcliffe's blog, I found this interesting nugget buried away: [W]ith attention scarcer and scarcer, people are also less willing to spend time installing, upgrading, and patching all the instances of the productivity software, e-mail clients, and PIMs they use. I'd never seen the appeal of web apps in the attention light before, but it makes perfect sense. The dark side to this is that we have to hope that the web app provider is doing backups and is appropriately subpoena-proof.

Only it turns out there's no such thing as subpoena-proof. As the EFF pointed out when Google announced a version of Google Toolbar that would upload your documents to the Google servers "to enable searching from any of the user's computers", data held for you by an ISP is subject to different laws than data on your own computers. Data on your PC can only be reached with a search warrant, so it can't be roped into civil cases. Data held by your ISP needs only a subpoena (a lower barrier), which a party to a civil case may be able to get. And what is a web app but an ISP in the eyes of the law?

I like the EFF's approach: we web developers should be campaigning for a correction of the laws. The more data we put online in the hands of web apps, the more important this lag between law and tech becomes and the more public our private data becomes. David Brin may get his Transparent Society in an unexpected way!

  TAD [02.13.06 12:20 PM]

It seems to me, though, that the proper way to have our files out on the net would be to have the files split into multiple pieces, encrypted and then stored redundantly across many, many computers. In this case, only the original file owner would have the key to gain access to his file and the "ISPs" would never have access to an entire file.

Would that help?
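
Threshold secret sharing is one concrete way to get the property TAD describes: no single provider ever holds a usable copy, yet the owner can recover the file from any k of the n providers it was spread across. The Python below is an added example, not code from the post or any of its commenters. It implements Shamir's scheme over the Mersenne prime 2^521 - 1 (picked here only because every 64-byte chunk is then a valid field element) and splits a file chunk by chunk into n provider bundles. A production design would normally encrypt the file under a random key with an authenticated cipher and share only the key; this example shares the chunks directly so the threshold property itself is visible. The sample document, the chunk size and the bundle layout are assumptions of the example.

```python
import hashlib
import secrets

# Shamir threshold secret sharing over GF(P). P = 2**521 - 1 is a Mersenne
# prime (an assumption of this example), so any 64-byte chunk (< 2**512) is a
# valid field element.
P = 2**521 - 1
CHUNK = 64


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split one field element into n shares (x, y); any k of them recover it.

    The secret is the constant term of a random degree k-1 polynomial, so any
    k-1 shares are consistent with every possible secret and reveal nothing.
    """
    if not 1 <= k <= n or not 0 <= secret < P:
        raise ValueError("need 1 <= k <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the constant term."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def split_file(data, k, n):
    """Turn a file into n provider bundles, one per hosting provider.

    Each bundle carries one share per 64-byte chunk plus public metadata: its
    x coordinate, k, the file length, and a SHA-256 of the plaintext so that a
    corrupted or tampered share is detected on recovery.
    """
    digest = hashlib.sha256(data).hexdigest()
    bundles = [{"x": x, "k": k, "length": len(data), "sha256": digest, "shares": []}
               for x in range(1, n + 1)]
    for i in range(0, len(data), CHUNK):
        secret = int.from_bytes(data[i:i + CHUNK], "big")
        for bundle, (_, y) in zip(bundles, split_secret(secret, k, n)):
            bundle["shares"].append(y)
    return bundles


def recover_file(bundles):
    """Rebuild the file from any k bundles; raise if too few or if a share is bad."""
    k, length, digest = bundles[0]["k"], bundles[0]["length"], bundles[0]["sha256"]
    if len(bundles) < k:
        raise ValueError(f"need {k} bundles, got {len(bundles)}")
    bundles = bundles[:k]
    out = bytearray()
    for c in range(len(bundles[0]["shares"])):
        secret = recover_secret([(b["x"], b["shares"][c]) for b in bundles])
        size = min(CHUNK, length - len(out))
        if secret >> (8 * size):  # a wrong share usually lands outside the chunk range
            raise ValueError("recovered chunk out of range: a share is corrupt")
        out += secret.to_bytes(size, "big")
    if hashlib.sha256(out).hexdigest() != digest:
        raise ValueError("recovered data fails integrity check: a share is corrupt")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample document for the demo (not real data).
    doc = b"Draft merger terms, do not share with counsel yet.\n" * 5
    bundles = split_file(doc, k=3, n=5)  # any 3 of the 5 providers suffice
    assert recover_file([bundles[4], bundles[0], bundles[2]]) == doc
    print("recovered", len(doc), "bytes from 3 of 5 providers")
```

Two of the five providers can lose or withhold their bundle and the owner still recovers the file, while any two providers together (or a subpoena served on them) learn nothing about the contents. The hash check matters in practice: a provider that silently returns an altered share would otherwise hand back plausible garbage.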

  Roger [02.13.06 01:22 PM]

Another good idea is to find yourself an ISP that doesn't keep a lot of logs.

If it doesn't say so in their terms of service, ask until someone answers your question.

Every ISP has some sort of log retention policy, whether it's written down or not.

Not to wave my own flag, but our ISP ( keeps email logs for a week. That shows who sent mail to whom. We keep them for mail server troubleshooting purposes and then flush them.

We keep web server logs for a week as well, just in case we have to go back and recreate statistics for our stats server.

Dialup logs are flushed after a month so they can go through our billing system.

Obviously anyone who subpoenas us can get these limited records. We don't feel it's necessary to keep logs for any longer than this.

We don't keep any logs for broadband user connections. All I can tell you at any given time about any of our broadband users is the IP address they have today. Yesterday? It was probably different, and I can't tell you what it was.

  Paul Baclace [02.13.06 01:45 PM]

If a user is willing to share files with the world, then they are not very private documents anyway. But, if the files are just being archived for personal use, then it certainly makes a difference where files are really stored. Legal accessibility has a whole range for information located:

1. in your head

2. anywhere, but encrypted by a trusted device

3. plaintext on your desktop computer

4. plaintext on your portable computer

5. plaintext on an email system run by a third party

6. plaintext on a dedicated service that you lease

7. plaintext on a computer you own at a colocation facility

8. plaintext on a public website

I wonder what the legal distinctions are, if any, between 5, 6, 7.

  bryan [02.14.06 11:09 AM]

Hmm, but would it be a warrant if the data was specifically acknowledged as being owned by you and stored for you by the ISP?

Do you need a subpoena or search warrant to look in a storage shed?

What about if I own the Domain, and the computer the domain is on is managed by someone else?

Also what Paul said.

  J.T. Wenting [02.15.06 04:55 AM]

Roger, if you were operating in the EU you'd now be breaking the law.
Telcos (and ISPs are now considered telcos in that regard) have to keep logs for 5 years, and that now includes a complete log of all online activity of your clients (every HTTP request, every NNTP message loaded, every connection attempt to an IM client or IRC channel, etc., etc.).
Keeping a 5 year retention on any document that user uploads to your servers is a logical extension of that legislation...
