Cloud Provider FBI Raid

As it becomes more common for law enforcement to raid online facilities like Megaupload, it is incumbent
on law enforcement to respond to the needs of innocent users.

A few days ago law enforcement, led by the US Dept of Justice, seized the domain for,
Domain Redirect
causing traffic to that site to be redirected to a government notice saying the domain had been seized under court order.

Economic Hardship to Bystanders

Megaupload is a very popular service, with many millions of customers worldwide.  It is a cyberlocker that allows users to store and share files.  Some of those files, perhaps many of them, may violate copyright and other laws.  But a great many of those files are not illegal.  Users rely on those files for many purposes, including running their law-abiding businesses and lawfully earning a living.

By shutting down the site, law enforcement has caused substantial economic hardship.  Instead of showing concern about the interests of innocent users, the Department of Justice emphasized that Megaupload had warned its users they could lose data.

Precedence:  Liquid Motors Case

US law has previously provided relief to an online service provider's users who are not under investigation.

In Spring 2009, FBI seized servers run by Core IP Networks.  Some of the data processed on those servers belonged to Liquid Motors, an innocent company that helps large auto dealerships manage their inventory and Internet marketing. The raid had severely degraded Liquid Motor’s service to its law-abiding customers.

Liquid Motors promptly petitioned a federal court for relief.  Although the court believed FBI’s raid was justified, it acknowledged the economic impact on innocent parties.  Significantly, the court compelled FBI to work over the weekend to provide Liquid Motors copies of its data and to return a server to Liquid Motors as soon as possible.

Over-Zealous Police Undermine Public Trust

Yes, law enforcement needs to shut down cyber criminals and collect evidence so they can be prosecuted.  But law enforcement undermines the community’s trust when it damages innocent bystanders.

Moreover, principles of due process, human rights and property rights call for law enforcement to take proactive measures to minimize collateral damage.

Before executing a raid, law enforcement should evaluate whether its mission truly requires it to take services offline.  It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

What’s more, law enforcement should develop and execute a plan for returning disrupted services, or returning confiscated data, as soon as possible.

Police Should Strive for Transparency

Law enforcement further should strive for transparency and accountability.  It should engage intensively with the community, disclosing as much as it can, as soon as it can.  In the case of Megaupload, the vacuum created by law enforcement’s relative silence has lent credence of malicious phishing sites that appear to enable worried users to retrieve their files.

The Department of Justice and its colleagues should be commended undertaking the hard work to responsibly police the Internet.  And, I grant you that, for law enforcement to heed the needs of bystanders requires much time and effort. But this is what democracy and rule of law expect of 21st Century law enforcement.


Update:  In coordination with one of the hosting services that supported Megaupload, the Electronic Frontier Foundation is investigating whether users can now retrieve their files.  See Megaretrieval

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:  Theories for Relief to Blameless Megaupload Customers

1 comment: