Managed services providers can find themselves navigating sticky privacy issues, balancing their duty to cooperate with law enforcement and their responsibility to safeguard customers’ data.

Aldrin Brown, Editor-in-Chief

March 15, 2016

4 Min Read
MSPs Not Immune When Authorities Demand Client Data

Executives at Stonehill Technical Solutions won’t soon forget the day about six years ago when an FBI agent contacted the Laguna Hills, Calif., managed services provider and asked them to turn over the login credentials for a client whose business had – for undisclosed reasons – drawn the scrutiny of federal authorities.

At CEO David Bryden’s request, the agent sent over some documentation and a phone number to an FBI office, proof that the people on the phone were who they said they were.

When Bryden called the the FBI back to inform them he would have to notify the client, the agent told him they had already gained access to the information they were seeking and no longer needed Stonehill’s assistance.

“We didn’t have to divulge (the) information,” Bryden recalled.

Experts say warrants and subpoenas for electronic information are typically served upon internet service providers (ISPs) or other entities that actually store data.

But the Stonehill experience illustrates how even managed services providers can find themselves navigating sticky privacy issues as they try to balance their duty to cooperate with law enforcement against their responsibility to safeguard customers’ data.

“We do put in our contracts that the data, all the intellectual property and even the security, is owned and controlled by the client themselves,” Bryden said of Stonehill’s approach.

“We’re using best practices to manage it and secure it,” he said. “The ultimate buck stops with them. In the event the FBI says ‘we need it,’ that would be a pickle that we haven’t had to face yet.”

Requests for electronic data — like emails, social media accounts and other electronic records — are governed by the Stored Communications Act, a 1986 federal statute that grants law enforcement broad powers to serve warrants or subpoenas and obtain digital information that could help solve or prevent crimes or national security emergencies.

The law is at the heart of a current dispute between Apple and the FBI. Federal authorities are trying to compel the tech giant to write a piece of code that would allow investigators to access information on an iPhone used by Islamic radicals who opened fire last December on a gathering of county employees in San Bernardino, killing 14.

The relevant portion of the statute says: “A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant …”

After 180 days, the entity that possesses the data can choose to release it without a warrant.

“The Stored Communications Act gives the judge the power to say, ‘I’ve heard your arguments, (now) open the phone,’” said Jack Russo, an attorney at the Palo Alto, Calif., firm, Computerlaw Group, LLP., which specializes in issues affecting the technology industry. “At the end of the day, the Stored Communications Act has a judicial exception to everything that could be asserted.”

In Russo’s opinion, Apple’s chances of ultimately beating the government in court are slim. Still, he said, the tech company’s decision to fight the Justice Department might be good business.

“Apple is asserting their objections so they can’t be sued by people who complain that (Apple) didn’t protect their privacy rights,” Russo said.

Should such a lawsuit be filed, Apple would be in position “to defend against claims that they gave up the information too readily,” Russo said.  

In another closely watched legal battle involving the Stored Communications Act, Microsoft is appealing a 2013 federal court order in a drug case that required the company to turn over data kept on a server located in Dublin, Ireland.

Microsoft’s lawyers have argued that U.S. authorities should not have the power to demand information stored in another country, anymore than they should be allowed to search a home located in a foreign land.

The stakes surrounding the outcomes of the court cases are high.

Authorities worry adverse legal rulings could hamper their ability to solve criminal cases and keep the public safe from acts of terrorism. Meanwhile, much of the tech industry and civil liberties advocates fear that giving the government greater access to the growing volume of personal electronic information represents a profound erosion of privacy rights and could increase the public’s vulnerability to cyber-attacks.

Over the years, several customers of managed services firm Clare Computer Solutions received legal requests for electronic information, said Bruce Campbell, vice president of marketing at the San Ramon, Calif., company.

In those cases, Clare officials helped clients search the digital infrastructure and produce responsive information, he said.

Then about two years ago, the managed services provider was approached directly by FBI investigators seeking information about a customer, Campbell said.

In that case, the agents did not have a warrant or subpoena, but asked Clare to cooperate, nonetheless.

“The FBI is really intimidating, even without a warrant,” Campbell said.

“They just wanted to talk,” he said. “It was all very exciting, but nothing came of it.”

Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like