Monique Ferraro (Photographer:Daniel Brewer)
Google scans your emails, as well as all of the content you store on their servers. Google and all other Internet service providers’ (ISPs) that offer email services do this routinely. The recent arrest of a known sex offender in Texas for sending child abuse images via Gmail caused a media stir focusing on the fact that, indeed, our emails and internet content are not private.
The idea that the National Security Agency and foreign intelligence agencies routinely scan our communications seems remote and irrelevant to our business and our clients’ interests. After all, we don’t have anything we believe would be of interest to intelligence agencies or law enforcement and the necessities of life force us to assimilate into the Internet using mass. Yet, the fact remains that scanning routinely takes place.
For example, all of our content is scanned for child abuse images. A federal law directs all ISPs, which include web-based email services such as Google, Hotmail and Yahoo, to report child abuse images trafficked through or stored on their systems to the National Center for Missing and Exploited Children (NCMEC). Besides the federal law, if you look at the terms of service for Google or most any of the ISPs, or email and peer-to-peer services, your data is not necessarily private.
Why is all this important to you and your clients? First, the content that ISPs identify and report to the NCMEC does not always qualify as illegal child pornography. A good measure of what the ISPs report is constitutionally protected free speech. Second, if you go to lengths to secure your communications through encryption, that does not prevent ISPs from scanning the content. Third, scanning of internet-stored and transmitted content is not confined to communications and data of the unwashed masses. Scanning is conducted of almost all data—and that includes attorney-client communications and data stored in the cloud by attorneys, law firms and other business entities.
Let me explain a little more.
First, you should know how ISPs identify and classify images prior to sending them to the NCMEC. The ISPs scan the content they hold in search of child abuse images by running programs that flag “known” images. How do they know what “known” images are? That’s a good question. What they don’t use are images that have been adjudicated as child pornography as their “known” images. What they do use is a set of hash values, which are a boiled-down, mathematical representation of the image files, of images previously reported to the NCMEC as suspected child pornography.
Are those images all child pornography under federal or state laws? No, not all of them. The images are reported to NCMEC as suspected, not adjudicated child pornography. As such, at least some of those images that are used to search data, make matches and then report as suspected child pornography to law enforcement are constitutionally protected. It’s analogous to dry-cleaners who report any white substance they find on your clothes to law enforcement. The white substance could be tooth paste or it could be narcotics.
After flagging content, ISPs have personnel who further review the images and send the content on to the National Center for Missing and Exploited Children. Once the NCMEC receives that content, it has personnel review it and conduct preliminary investigative tasks, like identifying the appropriate law enforcement agency to report the images to, and searching a national database to determine if the internet service or email account holder who sent, received or stored the images was previously reported for similar behavior.
Second, you should know something about encryption. We may encrypt our files in order to ensure that they are secure. Encrypted files cannot be scanned — as long as they remain encrypted. However, you have to read those emails someday, don’t you? If you download the encrypted file and then open it on your machine, it remains immune from ISP scanning. But, if you unencrypt the file and store it on an ISP’s or an email services’ server, its contents will be scanned. That makes sense, but few take the analysis out that far. Encryption is good enough for most people.
Not that any lawyer would advise a client to encrypt child abuse images in order to evade detection. That isn’t the point. The larger point is that the content, whether it involves criminal activity or benign communication such as a merger agreement, is going to be scanned if it’s stored by an ISP.
A third important point is that all content is scanned, not just emails suspected of containing child abuse images or national security threats. The number of businesses and professionals who use applications like Dropbox, iCloud and Google Drive is substantial and growing. The files stored are all subject to scanning for content.
Google has said that any information turned over to a third party, including them, is not private — heralding back to the Smith v Maryland case in which the U.S. Supreme Court said the same thing. Their terms of service clearly state that Google may (and does) scan not only for illegal content but also for content that violates the terms of service agreement. Take a look at the service terms for all of the web-based applications, like email and ISPs that you use. What do they say about your data? What violates their terms of service agreement? What do they do if, in their opinion, a breach has occurred?
A lawyer thinking about this might ask whether or not such scanning of data constitutes a data or security breach under Connecticut state law. When we sign up for service and consent to the terms of service agreement, that’s a no-brainer. Your privacy is signed away. When it comes to client data, I suppose it depends on whether your client consents to the scanning of their personal, private data by your ISP or email provider.
Connecticut law defines data (or security) breach as the unauthorized access to electronic data containing personal information that has not been encrypted or otherwise rendered unusable. Personal information is the first initial or name of a person together with their last name and either their Social Security number, drivers’ license number or financial account number. Given those definitions, it’s easy to conclude that most law offices and other professional and business entities store personal information that can be the subject of a data breach. That being said, the issue is whether scanning of data by ISPs constitutes a breach and what your duties are as the holder of the data.
Can the data holder consent to the review of the information on behalf of the owner—for instance, can a lawyer holding data regarding a client consent to scanning by the ISP without the client’s knowledge or consent? (You might need to go back to your retainer agreement to see if it addresses what you will do with your clients’ personal data.)
Connecticut law requires the data holder to report any breach to the Attorney General’s Office as well as to the information owner. The really, really harsh part of the data breach law is that if you fail to make the proper notice in the event of a breach, it explicitly makes breach of data an unfair trade practice subject to the Connecticut Unfair Trade Practices Act.
As most of you know, the CUTPA provides for costs and attorney fees, damages and punitive damages. That’s why it’s powerful. It’s also why we should take notice of the scanning of data by ISPs and our other communications and data providers.
Attorney Monique Ferraro is the founder of Technology Forensics LLC in Waterbury and a frequent contributor to the Connecticut Law Tribune on legal technology issues.