Megaupload and the Government's Attack on Cloud Computing
Yesterday, EFF, on behalf of its client Kyle Goodwin, filed a brief proposing a process for the Court in the Megaupload case to hold the government accountable for the actions it took (and failed to take) when it shut down Megaupload's service and denied third parties like Mr. Goodwin access to their property. The government also filed a brief of its own, calling for a long, drawn-out process that would require third parties—often individuals or small companies—to travel to courts far away and engage in multiple hearings, just to get their own property back.
Even worse, the government admitted that it has accessed Mr. Goodwin's Megaupload account and reviewed the content of his files. By doing so, the government has taken a significant and frightening step. It apparently searched through the data it seized for one purpose when its target was Megaupload in order to use it against Mr. Goodwin, someone who was hurt by its actions but who is plainly not the target of any criminal investigation, much less the one against Megaupload. This is, of course, a bald attempt to shift the focus to Mr. Goodwin, trying to distract both the press and the Court from the government's failure to take any steps, much less the reasonable steps required by law, to protect the property rights of third parties either before a warrant was executed or afterward. And of course, if the government is so well positioned that it can search through Mr. Goodwin's files and opine on their content—and it is not at all clear that this second search was authorized—presumably it can also find a way to return them.
But in addition, the government's approach should terrify any user of cloud computer services—not to mention the providers. The government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service. Specifically, the government argues that both the contract between Megaupload and Mr. Goodwin (a standard cloud computing contract) and the contract between Megaupload and the server host, Carpathia (also a standard agreement), "likely limit any property interest he may have" in his data. (Page 4). If the government is right, no provider can both protect itself against sudden losses (like those due to a hurricane) and also promise its customers that their property rights will be maintained when they use the service. Nor can they promise that their property might not suddenly disappear, with no reasonable way to get it back if the government comes in with a warrant. Apparently your property rights "become severely limited" if you allow someone else to host your data under standard cloud computing arrangements. This argument isn't limited in any way to Megaupload -- it would apply if the third party host was Amazon's S3 or Google Apps or or Apple iCloud.
The government's tactics here also demonstrate another chilling thing—if users do try to get their property back, the government won't hesitate to comb through their property to try to find an argument to use against them. The government also seeks to place a virtually insurmountable practical burden on users by asking the court to do a slow-walking, multi-step process that takes place in a far away court. Most third parties who use cloud computing services to store their business records or personal information are not in a position to attend even one court appearance in Virginia, much less the multiple ones the government envisions in its submission to the court.
Ultimately, if the government doesn't feel any obligation to respect the rights of Megaupload's customers—and it clearly doesn't—it's not going to suddenly feel differently if the target of its next investigation is a more mainstream service. The scope of its seizure here was breathtaking and they took no steps to engage in what the law calls "minimization," either before its searches and seizures or afterwards, by taking steps to return property to cloud computing users who it knew would be hurt. And now the government is trying to use standard contractual language to argue that any user of a cloud computing service has, at best, "severely limited" ownership rights in their property.
Those who have been watching on the sidelines thinking that the issues in this case are just about Megaupload should take heed.