When the US Department of Justice and its allies shut down Megaupload, they affected many kinds of users and many kinds of files. Many of those files are legal. Artists, writers and other content creators used Megaupload for storing, managing, distributing and publishing their original work.
It is unknown precisely what law enforcement has done with the legal files stored in the Megaupload platform.
Privacy Protection Act
US law enforcement must be mindful of Privacy Protection Act ("PPA"), 42 U.S.C. § 2000aa:
“[I]t shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication...”
Essentially, the purpose of the law is protect First Amendment free speech, free press materials.
Law Enforcement
Courts interpret PPA to allow police to seize a computer containing PPA-protected material, if there is good reason to believe they are commingled with illegal data.
What is less clear is what police may or must do with PPA-related material after they have lawfully seized it. In Steve Jackson Games, Inc. v. Secret Service, a district court penalized the government for not returning PPA-protected materials promptly after learning they were protected.
Asset Forfeiture Law
Another relevant law is the 2000 Civil Asset Forfeiture Reform Act, which is intended to make it easier for innocent parties to recover their property when seized by the US government. A public-interest expert in holding government to this law is the Institute for Justice. The Institute for Justice should consider taking up the case for innocent Megaupload users.
As it becomes more common for law enforcement to raid online facilities like Megaupload, it is incumbent
on law enforcement to respond to the needs of innocent users.
A few days ago law enforcement, led by the US Dept of Justice, seized the domain for Megaupload.com,
Domain Redirect
causing traffic to that site to be redirected to a government notice saying the domain had been seized under court order.
Economic Hardship to Bystanders
Megaupload is a very popular service, with many millions of customers worldwide. It is a cyberlocker that allows users to store and share files. Some of those files, perhaps many of them, may violate copyright and other laws. But a great many of those files are not illegal. Users rely on those files for many purposes, including running their law-abiding businesses and lawfully earning a living.
By shutting down the site, law enforcement has caused substantial economic hardship. Instead of showing concern about the interests of innocent users, the Department of Justice emphasized that Megaupload had warned its users they could lose data.
Precedence: Liquid Motors Case
US law has previously provided relief to an online service provider's users who are not under investigation.
In Spring 2009, FBI seized servers run by Core IP Networks. Some of the data processed on those servers belonged to Liquid Motors, an innocent company that helps large auto dealerships manage their inventory and Internet marketing. The raid had severely degraded Liquid Motor’s service to its law-abiding customers.
Liquid Motors promptly petitioned a federal court for relief. Although the court believed FBI’s raid was justified, it acknowledged the economic impact on innocent parties. Significantly, the court compelled FBI to work over the weekend to provide Liquid Motors copies of its data and to return a server to Liquid Motors as soon as possible.
Over-Zealous Police Undermine Public Trust
Yes, law enforcement needs to shut down cyber criminals and collect evidence so they can be prosecuted. But law enforcement undermines the community’s trust when it damages innocent bystanders.
Moreover, principles of due process, human rights and property rights call for law enforcement to take proactive measures to minimize collateral damage.
Before executing a raid, law enforcement should evaluate whether its mission truly requires it to take services offline. It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.
What’s more, law enforcement should develop and execute a plan for returning disrupted services, or returning confiscated data, as soon as possible.
Police Should Strive for Transparency
Law enforcement further should strive for transparency and accountability. It should engage intensively with the community, disclosing as much as it can, as soon as it can. In the case of Megaupload, the vacuum created by law enforcement’s relative silence has lent credence of malicious phishing sites that appear to enable worried users to retrieve their files.
The Department of Justice and its colleagues should be commended undertaking the hard work to responsibly police the Internet. And, I grant you that, for law enforcement to heed the needs of bystanders requires much time and effort. But this is what democracy and rule of law expect of 21st Century law enforcement.
Update: In coordination with one of the hosting services that supported Megaupload, the Electronic Frontier Foundation is investigating whether users can now retrieve their files. See Megaretrieval
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
