At Cisco, we have long advocated that “data and communications stored in the cloud should receive equivalent protections against unreasonable government search and seizure just like documents stored on premises or in paper files.” I was, therefore, pleased to see new guidance from my former colleagues in the US Department of Justice’s Computer Crime and Intellectual Property Section supporting this view.
The newly released advice is aimed at federal prosecutors and asserts that wherever practical, evidence sought in the course of an investigation should be obtained from an enterprise customer rather than from a third-party cloud service provider.
The newly released advice is aimed at federal prosecutors and asserts that wherever practical, evidence sought in the course of an investigation should be obtained from an enterprise customer rather than from a third-party cloud service provider. Specifically, the guidance states that: “prosecutors should seek data directly from the enterprise, if practical, and if doing so will not compromise the investigation. Therefore, before seeking data from a provider, the prosecutor, working with agents, should determine whether the enterprise or the provider is the better source for the data being sought.”
Even in those instances where the enterprise itself is actually the subject of the investigation, there are mechanisms in the law empowering the government to require the provider to preserve information while the parties argue over its production. In offering this advice, the Department shows a recognition that the cloud service provider is a third party with no real interest in the investigation. As such, the provider is not well-positioned to ensure the governments demands for information are properly limited to the scope of the investigation. In addition, the provider is not able to seek privileges that could be effectively raised by a party in interest. The document correctly observes that: “[t]his approach also gives the counsel the opportunity to interpose privilege and other objections to disclosure for appropriate resolution, and parallels the approach that would be employed if the enterprise maintained data on its own servers, rather than in the cloud.”
The memo appears to be advisory rather than binding. And there are a number of exceptions spelled out that would justify making demands directly to the provider. However, overall, the new guidance directing prosecutors to avoid demanding enterprise customer data from third-party cloud service providers is a step in the right direction.