Security

Cloud-service contracts and data protection: Unintended consequences

There are things your cloud-service (Facebook, Amazon, Google, Dropbox, etc.) contracts aren't telling you. Michael P. Kassner interviews an attorney concerned about what's not being said.

"If it's not private, it's not protected."

When I heard Tyler Pitchford mention the above quote in his ShmooCon 2013 talk: "The Cloud, Storms on the Horizon," I thought he was stating the obvious. I mean duh, if it's public; of course, it's not protected. Fortunately for me, I kept watching the video, eventually learning that's not what Tyler was trying to say.

What's more, by the end of the video it became apparent that I needed to rethink how and why I use cloud services. Using cloud services could lead to significant legal implications, and ultimately, financial hardships.

If you're thinking this is yet more chastising to get everyone to read End User's License Agreements (EULA), it's not. I'm taking aim at what's not being said in EULAs and privacy policies.

First things first: who is this guy Tyler Pitchford? And, why does an attorney know so much about IT, especially software? Well, Tyler followed a different drummer prior to seeing the judicial light. He graduated with a B.A. in Software Systems Design. After which, Tyler put his expertise to use. If you ever used the file-sharing protocol BitTorrent, you are probably familiar with his BitTorrent client -- Azureus.

I don't know what more a "non-legalese speaking" guy writing about the legal implications of cloud services could ask for.

The cloud legally is?

Like all good attorneys, Tyler first defined the terms under discussion, in this case -- the cloud:

The cloud is loosely defined as services (think Google, Facebook, Amazon, LinkedIn, and a whole host of others) delivered over a network. For our purposes: market-speak for resource and cost sharing.

Tyler added one caveat:

The cloud is an excellent way to maximize your resources, but filled with potential legal pitfalls. The larger your operation, the more hassles you'll face.

Third-party legal issues

Now to the crux of what I wanted to talk about. It may not be correct legalese, but I call it third-party legal issues -- something unfortunate happens that is outside our control. In the legal realm, third party refers to:

An individual or group who does not have a direct connection with a legal action, but is affected by it.

Third-party legal issues are particularly important to those of us who use or provide cloud services. Third-party eDiscovery can affect our personal or company's ability to function. Tyler provided two real-world examples to explain how serious it can be.

First example: A small web-hosting service rented space to a business for its website. The business came under government investigation. The web-hosting service received a third-party subpoena even though it was not under investigation. The web-hosting service had to hire an attorney, produce documents, and shut down servers for eDiscovery, ultimately spending 50,000 dollars to meet the conditions of the subpoena. Second example: A mid-sized business located its servers at a colocation facility. The government began investigating the owners of the colocation facility, issuing warrants, seizing everything in the building, including the servers of the mid-sized business even though the owners were not part of the investigation. The exact figure is unknown, but minimally, the mid-sized business was unable to function until the government returned their servers.

As you can see, through no fault of our own, we can suffer some serious digital and financial trauma. Tyler had several suggestions to reduce the fallout from being an innocent participant in a third-party legal action:

  • Encrypt, encrypt, encrypt!
  • Implement data-retention policies, and follow them religiously.
  • Delete redundant copies.
  • Quarantine data as much as possible.

Each bullet helps isolate your data or your company's data from other third-party data stored on the cloud service, lowering the interest level of the civil, criminal, or governmental entity investigating the cloud service or another third party using the same cloud service.

Now that we are up to legalese speed, let's get to some questions.

Kassner: Everyone mentions we should retain an attorney if we do not understand contracts related to cloud services. What kind of attorney is that? What is your specialty? Pitchford: Sadly, like all things legal, it depends. Generally, you should be able to talk to any good business litigation or contract attorney to handle a general review of cloud-service contracts. If you're worried about a specific question (privacy, intellectual-property rights, etc.) then you'd want to speak to a specialist.

As for me, I'm an appellate attorney, which means I deal with cases spanning the entire legal field. That said, the areas where I focus most of my time are mass-torts, complex commercial litigation, constitutional law, cyber law, and intellectual property.

Kassner: If you were tasked with setting up a cloud service for a company, what specifically would you want in the agreement? Pitchford: I'd want the venue, forum-selection, and choice-of-law provisions (clauses that determine the location of the suit, the forum of the suit, court vs. arbitration; and what laws the court will apply) to match the location of the company headquarters, the main location of their legal offices, or anywhere I know that has laws favorable to the company's expected battles. Depending on the company's resources, and various other factors, I'd also consider an arbitration clause.

Specifically related to cloud computing, I'd want a guaranteed uptime with a defined penalty provision even though damages resulting from an outage can be difficult to quantify. I would also want some assurance as to whom I'd be sharing servers with.

Kassner: In your talk, you emphasize the need for companies to create a "data-retention policy." What is it? And, why is it important? Pitchford: A data-retention policy defines how long an entity stores data. For example, a company might issue a policy stating employees are only to keep emails for 180 days, or back-up servers should only retain two weeks' worth of information.

A proper policy needs to balance how much of a data archive the corporation really requires to function versus the risk of a complete failure and an inability to recoup the data. The policy must keep the company functional, but should prevent data hoarding. And here's why: the more data you have, the more data you'll have to protect and search through if you're ever involved in litigation.

A retention policy becomes even more important when you realize that you can be required to provide information as part of a lawsuit against a third party.

Kassner: That's interesting, Tyler. I was under the assumption that a business or person being served a subpoena would be in trouble if they did not have the asked-for data? Pitchford: As with all things legal, there's a catch, and it varies by jurisdiction. The general rule is if you're aware that litigation is likely, you must preserve relevant information within your control. Put simply, you can't intentionally delete information relevant to a lawsuit against the company directly, or as the result of a third party, it's illegal. But if there is no threat of litigation, eliminate the data; then there's nothing to hand over.

It's less expensive to explain that all potentially relevant information has been destroyed as part of the company's retention policy, than it is to sort through umpteen years' worth of archives.

Kassner: You talked about something rather scary, "plain-view doctrine." If I understand correctly, the government can charge a person based solely on evidence found while looking for something else. Is that right? Pitchford: That's correct. Coolidge v. New Hampshire, 403 U.S. 443 (1971), established the parameters of the plain-view doctrine, but they have since been massaged by the more recent Horton v. California, 496 U.S. 128 (1990).

A common example is the traffic stop; where during the stop the officer notices drugs sitting on the passenger seat. The doctrine, however, is also applicable to electronic information. If an officer were to lawfully seize and search a server as part of a raid on a cloud-service provider, immediately incriminating data located while executing the warrant would, arguably, be subject to the plain-view doctrine.

I should note there's a split between the jurisdictions on exactly what the limits of the doctrine are as they apply to electronic search, but a full explanation would require an article all itself.

Kassner: Could the government take on a whole service like Dropbox, using a third-party subpoena, and then gather evidence using the plain-view doctrine? Pitchford: Well, no. If a party turned over information by subpoena than the plain-view doctrine wouldn't apply because the information was handed over voluntarily, and they could do as they pleased with it.

If, however, we tweak your question a little to seizing an entire cloud service by warrant (think Megaupload), then it's possible the government could utilize the plain-view doctrine to justify locating any incriminating information seized outside the scope of the warrant. But there are certainly limits.

Waiving privacy

Remember, "If it's not private, it's not protected."

I thought I had better explain what Tyler was trying to get at. Most cloud-service contracts are agreements made between a person or company and a third-party service provider. What's interesting is they can include clauses which define and or waive any expectation of privacy.

When the agreements contain these types of clauses, data residing on a cloud-service provider’s servers is neither considered private, nor protected under the Fourth Amendment. And even if the agreement contains no explicit waivers, the government can still argue a waiver of privacy simply because you have provided your data to a third party.

The government has used these arguments successfully to get data turned over if a warrant could not be obtained; so, those private comments on Facebook -- not so private. Now you also understand why Tyler earlier emphasized "encrypt, encrypt, encrypt." It is the only way data stored in the cloud is truly private.

Final thoughts

It's been a long, challenging piece. I'll end by asking Tyler for his "big picture" view.

I think cloud services are valuable tools, but they're not the answer to everyone's problems. When a company is deciding whether to adopt cloud services or not, it's important they evaluate the full picture, not just how much money it can save by slashing IT budgets. And while there are plenty of discussions about the danger of service outages, there simply aren't enough discussions going on about the possible legal ramifications.

I definitely wanted to thank Tyler, and his mother for allowing me time today -- Mother's Day -- to ask a few last-minute questions. As an extra bonus, here are a few "bits of legal wisdom" from Tyler:

Reasonable Searches
  • Ideal: Probable cause required, vetted by the courts, and limited in scope to only what's required.
  • Reality: Government will get the benefit of the doubt, and they'll take everything. If you balk, they may give some back.
Due Process
  • Ideal: You'll be given equal footing in court to present your case; if the government deprives you of property; you'll be paid.
  • Reality: Courts will typically defer to the government, and there are many exceptions to takings.
Statutes
  • Ideal: To strike a balance between your rights, and the ability for the civil and criminal systems to function in a meaningful manner.
  • Reality: The laws are outdated, and don't offer much protection. If you have the means, you may be able to put up a fight, but by that point you'll already have suffered major loses.

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

// -->

try {

var pageTracker = _gat._getTracker("UA-9822996-4");

pageTracker._trackPageview();

} catch(err) {}

// -->

About

Information is my field...Writing is my passion...Coupling the two is my mission.

36 comments
clipperbird
clipperbird

I work in industry in IT support for Clinical and Practice Management packages in Australia. We do not support Cloud hosting for the very reasons so well illustrated by Hal, Mike, Tyler and C. Taylor etc. The other nightmare is data theft from a cloud host, as you can imagine the grief it would cause to patients if their personal medical records were misappropriated from a cloud host. No doubt there will have to be a lot more thought given to the legal ramifications of cloud hosting and its consequences. Clipperbird

jsowell42
jsowell42

VERY interesting article! Thanks for that!

simonschilder
simonschilder

It didn't happen to us, but as a non-US company, what could I do if in a case like MegaUpload the feds shut down MegaUpload and my fully legal data would become inaccessible? We are not US-based, MegaUpload was in New Zealand(?) my data is completely my own, and I depend on it. Do I have ANY say in the procedings?

philswift
philswift

If you are in the FSA stay out of Cloud solutions unless you have 'fine-tooth combed' the legals and T&C's. Anyone who has committed to Cloud has been fooled at some point to some degree. Why did you not think for yourself? Security and function first; form and fashion second; always. Just because someone tries to sell you cloud and it's 'all the fashion' does not mean you should go Cloud. You are paid as a professional to champion data retention and legal policy satisfaction. You are not paid to be fashionable and keep seniors happy. Have you actually read and understood the legals and T&C's? Have you understood them? Have the guts to revoke.

simonschilder
simonschilder

But what if you are using a cloudservice like office365 or Exchange online? Your own company can force users to delte mails older than180 days or so, but I assume (!) that Microsoft (or Google or whomever) makes backups of their servers as well. How long do THEY keep their backups. I have no say in their data retention policy? Or is this a different discussion?

ahanse
ahanse

The cloud as we know it today has been dumped into the IT quagmire which has away to go before it can sit comfortable in our society and a global one at that. Being relatively young IT needs to experience the ups and downs before maturity. The comments that bring history into the mix is a fair thing but too much of it can muddle the waters because emotional responses will not fix any problem. Governments have been goaded, pushed and prodded to take action of some sort by the influential big boys and other nitwits for awhile now and governments respond in the only way they know: with a big stick because that is what they have done in the past. Slowly over time this will change as innocent people react to such draconian measures and wield a stick of their own. This article is an example of what is needed to help businesses to transition to the cloud in a way that benefits them and not become a statistic in history. We just need a few more like it. **....... emphasized “encrypt, encrypt, encrypt.” It is the only way data stored in the cloud is truly private.** If your encrypted data was seized by the government then they surely could request the key as well?? I could imagine they would not need it anyway.

minstrelmike
minstrelmike

We had an issue here in town with an auto mechanic business. An irate ex-employee claimed they were selling meth. DEA shut down the business for investigation and kept it shut for weeks. If your car was there for repairs, it stayed. If it had been a web-hosting operation, it's hard to say what would happen. I suspect if you complained vociferously, you might get access to your data quicker. Or you might just get a subpoena of your own.

HAL 9000
HAL 9000

So all I can say is MegaUpload anyone? That is a perfect example of a Cloud Provider being held responsible for what some of their users did at the expense of everyone. At this point in time we are not even sure that the DoJ action against them has any basis in US Law let alone any Law at all, and is a perfect example of a Government Department riding Roughshod over smaller companies. It is however a perfect example of why Cloud Services should never be considered for anything but processes that are quite acceptable to loose permanently with no possibility to backup or recover lost data. Today it was MegaUpload but the reality is that any company who offers a Cloud Service could be next in line for action like that instigated by the US DoJ though without the long lag to save things that where offered in this case. So it's quite conceivable that companies like Microsoft could be involved and their Cloud Services like Hotmail be simply closed down overnight and data taken by a Government Agency. Though before something like that was to happen I would seriously expect the MegaUpload case to be settled in the DoJ's favor and then several smaller Cloud Providers/Services get taken down before they start on the Big Players. Col

Michael Kassner
Michael Kassner

Learn what happens if you or your company are considered a third party in a cloud-services legal issue. This includes services like Facebook and Amazon.

Michael Kassner
Michael Kassner

You bring up some apt points that hopefully will be addressed.

Michael Kassner
Michael Kassner

It was indeed interesting, and Tyler was great to work with.

tylerpitchford
tylerpitchford

Essentially you can petition for the return of the data, if possible. The battles are going on right now (Megaupload being a prime example), so where it'll all fall is still up in the air but it looks like the best case scenario (assuming you didn't have redundant providers): you're down for a few days to a week, worse-case: you lose everything with no hope of return.

HAL 9000
HAL 9000

If you put your data in the cloud you have given it away freely and the instances like the DoJ seizing Megaupload and closing things down is part of the risk that you accepted when you when Cloud. However having said that the DoJ in that case at least gave everyone world wide a long lead time to get a copy of their data off Megaupload. I'm not so sure it was honestly to help those who where legally using Megaupload or to gather evidence against those Sharing Protected Data like Movies or Music. However having said that there was numerous Media Reports about the immanent closing of Megaupload and lots of warnings put out. I believe that the DoJ actually sent users of Megaupload notifications that they where closing the system and if people chose to ignore that message or the Media Reports then they got what they deserved. But regardless at best those people/companies who where holding Sensitive Data on Megaupload would have been at best only able to copy their Data from Megaupload as I'm sure any attempt to remove it would have triggered alarms and raised the level of looking at the data to see what it was. I believe that in that particular case no data was removed from the Megaupload Servers till the DoJ disposed of the Servers. Even then I'm not sure that the Data was erased it's entirely possible that the servers where auctioned off As Is complete with the various companies/people's data still intact on them. Col

Michael Kassner
Michael Kassner

Tyler had two real-world examples of what you asked about. Imagine if you ran a co-located ERP server and the government seized it, your company would be down completely. You could confront the agency in charge, but to my knowledge, they do what they want.

Michael Kassner
Michael Kassner

What is the acronym FAS stand for? Also, It is hard to get security to trump convenience.

tylerpitchford
tylerpitchford

Just like Michael stated, it may be contained in the Terms of Service or the EULA. That said, if they're the ones maintaining the back-ups and you have no control over the data then it wouldn't be your responsibility to produce the data -- it would be the cloud providers.

Michael Kassner
Michael Kassner

If you check the EULA and privacy documents, I'm betting you waive all rights and MS or Google can do what they want with the data.

JCitizen
JCitizen

between those who still believe in the 1st and 4rh Amendments, and this sometimes ridiculous Homeland Security paranoia leading to erosion of our rights. I've never felt a lot of the surveillance was needed to be a good cop - just more better smarts! Confrontation is good in a free world.

ctaylor
ctaylor

We all agree that if law enforcement were legitimately looking at the encrypted disk they would not be able to read any of it without taking extra effort to decrypt. As I read the article, it does not matter if law enforcement were to obtain the dencryption key through warrant or tools. They have a court granted authority via warrant or subpoena to view the contents of the disk and whatever measures are necessary to view the contents would be considered reasonable. Anything seen after decrypting the disk would therefore make it subject to plain-view in the case of a warrant. If individual files on the disk were encrypted, but files requested by the warrant/subpoena were in plain text, law enforcement would still have the right to read decrypted content of the irrelevant files to make sure that they do not relate to the warrant and would subject the content to the "doctrine of plain view" despite the encryption. If this were a car stop for a defective headlight, "plain-view" would not allow law enforcement to unzip a suitcase in the trunk and search for contraband without seeing something else first, but if this was a computer I read the article to suggest that searching the trunk and suitcase would be fully compliant with "plain-view" even if no evidence relevant to the original warrant were obtained. Is there some fine point I'm missing?

Michael Kassner
Michael Kassner

Tyler had a unique answer. They can ask for the key, and force you to give it to them if it is written down or on a flash drive. If you have it memorized, it is considered privileged information. I'll ask Tyler to explain it better.

Michael Kassner
Michael Kassner

I am starting to see this is not just related to online activities. Appreciate your sharing.

ctaylor
ctaylor

http://www.thewhir.com/web-hosting-news/alpha-red-bankruptcy-filing-spotted When Alpha Red failed the bankruptcy court shut off power to their data center and held all servers that had been operating in their data center. None of Alpha Red's customers were allowed to recover any of their data servers until after the bankruptcy court had held a hearing to appoint a trustee. Once the Trustee was appointed, they needed to inventory all of the assets, review requests from Alpha Red customers, and carefully evaluate whether these servers were genuinely assets of Alpha Red or customer boxes hosted in Alpha Red's data center. The trustee needed to submit filings and wait for yet another court data to present the case to a bankruptcy court judge that not all servers stored Alpha Red's data center were assets of Alpha Red, then wait for the bankruptcy court judge to issue a decision as to whether these servers could be returned to their owners without jeopardizing Alpha Red's creditors claims. All in all Alpha Red's customers, despite a lack of responsibility for Alpha Red's business mistakes, were denied access to their production data servers, log files, and backup tapes for a period of many many months. There was additional squabbling among Alpha Red's customers as to who owned which servers. Can anyone say "cloud based nightmare?"

Michael Kassner
Michael Kassner

Tyler talked extensively about MegaUpload. And, one person in particular, who could not get needed backups because everything was seized.

JCitizen
JCitizen

Yep - they have tight IT standards over there, but anything in the gubbamint is prolly barely secure. I don' t have much confidence in USDA or any other .gov entity in the security field.

tylerpitchford
tylerpitchford

Once decrypted, the data would fall under the same plain-view doctine analysis as decrypted data (note: the courts are struggling of how to apply plaint-view involving data-storage devices). Encryption is really just a first line defense. That said, in the context of the article the reference to encryption is mainly to indicate an interest in privacy while residing on a cloud server in order to protect a corporations trade secrets, client confidentiality, etc. If an entity were to subpoena or seize data of another party, the encryption is meant to prevent access to your innocently attached data. So, for example, when the government raided Megaupload, if you had client files stored on their site, if encrypted, you wouldn't have a data breach. If they weren't, well, that's an entirely different story.

tylerpitchford
tylerpitchford

The quick answer is exactly as Michael described: the government can compel the production of physical evidence -- a key to a lock, for example -- but the 5th Amendment protects you from disclosing information stored within your mind -- the combination to a safe or a password to an encrypted drive. But, yet again, the law is a many-splendored thing. There is an exception known as use immunity that essentially allows the government to avoid the 5th amendment. The general gist is that the government offers you immunity to the limited extent that they won't use the fact that you've disclosed your password against you, so through some twists in the law, the 5th amendment is no longer applicable. This is most common in cases where the government can show control of the data, safe, or other materials by other means -- boarder crossings where the Defendant is stopped with his laptop in store, a safe stored in a house owned by the Defendant, where they video of the defendant opening the safe, or cases where they already know the contents of the safe, drive, etc. but can no longer access it. I should add that in regards to encrypted data, the courts are struggling with the extent of the immunity grants right now so the law is in flux with the main debate being whether use immunity is enough or whether the prosecution must also offer derivative-use immunity. Or in non-legalese, whether the government has to give you immunity for not only producing the key but also for anything derived from the disclosure too.

HAL 9000
HAL 9000

OK first things first I'm not saying that this will happen or in any way have any inside information but. The Capitan of the ISS Chris Hadfield released a Cover of the song Space Oddity originally performed by David Bowie in 1969 and is undoubtedly still covered by Copyright. Now legally the current Copyright Owners of the song could very well demand that U Tube pay them Royalties and failing that go to Court and start Legal Proceedings against U Tube for loss of income and them allowing to be shared a Volition of the Copyrighted Material that they currently own. I would imagine that in a case like that they would seek an Injunction and ask the Court to take U Tube off the Net to prevent further breach of their Copyright Material. If the current case against MegaUpload had of been finalized in the favor of the DoJ they would have Precedent on their side and quite likely get what they want which would mean the immediate withdrawal of U Tube from the Internet and the seizure of their equipment including any correspondence that they hold to prove the extent of the Breach of the Copyright Act. As this would be a Civil Action they are likely to get in the short term at least what they ask for and let another court higher up the Legal Chain work out the mess that has been created. Yep I know not worth thinking about and that honestly is nothing more than a Minor Incident. Col

HAL 9000
HAL 9000

Not specifically allowed by the Copyright Owner and can apply to anything. ;) Col

TRgscratch
TRgscratch

of copyrighted songs on YouTube (most are even advertised as being a cover), and have been long before the recent Chris Hatfield. - is your scenario relevant to all them? or has this been decided previously?

HAL 9000
HAL 9000

And it's why I used that case. ;) Col ]:)

JCitizen
JCitizen

Copywrite(right) not withstanding; it was a lot more emotional to watch that video than the original song performed by David Bowie. I nearly cried! If You-Tube got busted - it would be the most unpopular case in recent history!

tylerpitchford
tylerpitchford

TL;DR - Copyright law is a mess, be weary what you do. That's a tricky topic you bring up. US Copyright law is an extremely complex area and cover songs are a special quirk. Throw in a music video, the DMCA, and Youtube and it really gets mind boggling. It really is a mess. To make a cover song the artist can either directly acquire a license from the parties or they can rely upon a statutory mechanical license. Mechanical licenses are easily obtained and cannot be denied, so this is a standard route. Sadly, a mechanical license only gets you the right to cover the song--it does not include the ability to synchronize the song with a video. For that you'll need a separate "synch" license and those can be a little more troublesome to obtain. Beyond that, I noticed that Commander Hadfield has changed the lyrics and may have been ineligible for a mechanical license since 17 USC 115(a)(2)[2] states: "A compulsory license includes the privilege of making a musical arrangement of the work to the extent necessary to conform it to the style or manner of interpretation of the performance involved, but the arrangement shall not change the basic melody or fundamental character of the work ..." Or in layman's terms, you can't change the song in a drastic manner. Arguably the changes Commander Hadfield were minor and didn't "change the basic melody or fundamental character of the work" but that's a grey area (aka. something that requires litigation) so the safer route would be getting a direct license from the rights holders. As for Youtube, assuming that Youtube doesn't have a prior agreement with the publishers (they usually do however), the website isn't subject to any liability as long as they comply with the terms of the DMCA should they receive a takedown notice from the rights holders. The general gist is: 1) The copyright holder files a DMCA take down with Youtube; 2) Youtube informs the uploader of the take down request; 3) The uploader can contest the request if it's mistake; and 4) Absent a response Youtube pulls the video and is immune from liability under the safe-harbor provisions. If Youtube were to fail to comply with the DMCA, or as you suggest, the government felt like pulling a "Megaupload" on them then the entire situation changes rather rapidly. Arguably the DMCA should protect them but it certainly didn't save Megaupload now did it? Though, to be fair it's my understanding that the allegations against Megaupload alleged a failure to comply with the DMCA. I take no stance on whether that's a justified statement and if all you have to do to take down an entire cloud provide is allege non-compliance that's scary in its own right. Of course, the DMCA doesn't protect the uploader from liability for failing to obtain the proper licenses. Obviously the rights holders are private companies not government entities so the 4th and 5th amendment aren't going to comply. However if the government decided to seize all of Youtube's servers and go sorting through them then there are some serious privacy concerns. Anyway, if I had to guess I'd think that CSA went to the right's holders directly and worked a deal, but I also have no inside information. The video looks well produced and I'm guessing it went through CSA's media department where I'd like to think they're up to speed on these types of issues. And even if this was a completely unauthorized work, I'd really like to think that Mr. Bowie would give his consent just because he seems like a decent person. I have no basis for that, but it's a great video, great publicity for the ISS, and, of course, great publicity for Mr. Bowie's excellent song.

Michael Kassner
Michael Kassner

That can play out if the government believes when we waive privacy with a company we waive it with the government as well.