Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court iruled that gaining access to someone else's email does not violate any laws, specifically the Stored Communications Act. In the case, Jennings vs Jennings, the husband (M. Lee Jennings) was suing his ex-wife's (Gail M. Jennings) daughter-in-law, Holly Broome, (from a previous marriage) for unauthorized access to his personal email account. Holly had guessed the correct answers to the secret questions and gained accessed to his email accounts. She had been asked by her mother-in-law to look at M. Lee Jennings's email because he admitted to her that he was having an affair and had exchanged email correspondences with this woman. Holly printed the emails and provided it to Gail and her defense team, who used it against ML Jennings during their divorce trial.

The Supreme court found that the hacking was not in violation of the Stored Communications Act (SCA) because cloud-based email does not meet the "definition of "electronic storage" within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection".  It should be noted that, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment so you don't have to listen to the whole episode), that this judgment is only limited to South Carolina.

Wow. In these few small sentences, the SC Supreme Court has allowed unauthorized access to anything that is stored on the cloud. In the last few posts on the UWCISA blog, I have commented on industrial espionage and Microsoft's move of Office to the cloud. On my entry on cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules works is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to do tell you about it. "

On my entry on industrial espionage, I highlighted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthmore, I have been immersed in the last few week's in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies.Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as means to outsource processing. If an average person, like Holly Broome can access confidential email - imagine what a determined hacker like Mitnick could do!  For example, if you use Google Docs or the soon to be released Microsoft Office 365, then a competitor can gain access without violating the SCA and use that information. Will this judgement spur hackers to relocate to South Carolina and access all types of confidential information stored on the cloud? Of course they can't take patented or copyright information, but what about companies that likely don't have such information patented, trademarked etc or protected by other laws (e.g. privacy legislation, theft of credit cards, etc)?

It's interesting how vulnerable cloud, and technology in general, is to the inability of law makers and judges to see into the future. Common sense would dedicate that a person that buys or uses a service and keeps it secret via a password, expects that the information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to allay fears that their services are safe from "legal industrial espionage".

No comments: