August 6, 2013

The NSA PRISM Program & Privacy Issues

By now practically everyone has heard about the “PRISM Program” run by the NSA and the volume of discussions among lawyers, reporters, bloggers, academics and others about whether Internet companies can be forced by the government to access and disclose data which is stored by their customers in their cloud or dedicated hosted environments.

This written statement is intended to explain DigiTar’s view of the program, and our approach to the issue.

DigiTar has been in the SaaS & hosting services business since 2004. Therefore, in preparation for possible law enforcement requests for customer data, we have established policies for dealing with such possible requests for customer-owned content stored in the cloud at DigiTar.
Our primary guiding principle for such requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution, which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, except:

  1. upon probable cause,
  2. supported by Oath or affirmation, and
  3. particularly describing the place to be searched, and the persons or things to be seized.”

Further, we evaluated the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers. Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that DigiTar is prohibited from accessing and turning over customer data stored on a DigiTar host system or other storage device in a U.S. data center without a properly issued, lawful request (e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over DigiTar systems and the data sought.
This view applies to all LEA requests, including those under the PATRIOT Act. DigiTar’s interpretation of the law is based on the specific relationship that DigiTar has with its customers. By contract and in practice, DigiTar’s customers have full control over their information and any data that may be stored on DigiTar’s SaaS Systems.

By agreement, our customers own the data they store on DigiTar systems. This includes allowing them full control of the resources, and control of passwords used to access their data. Because of this, we take the view that, in legal terms, DigiTar has no “possession” over customer-stored data, and that we are legally prohibited from accessing that data on our own.

It is also our position that we can’t give any customer data to third parties other than in compliance with a proper warrant. We believe this position holds great merit and gives us confidence in our position and approach.

In reference to the NSA PRISM program, please be advised that DigiTar has never been served with a blanket warrant that requires us to give data owned by multiple customers to third parties. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching and, given our business model and cloud architecture, nearly impossible to comply with.

A blanket warrant covering thousands of customers cannot possibly comply with the Fourth Amendment. Maybe that’s why we have never seen one. All legal warrants must be detailed, precise, directed at a particular, identifiable customer environment, and very clearly based on probable cause.
We reject the wholesale collection of data, because we think this action unconstitutional according to the Fourth Amendment. We hope that the U.S. Congress will take an in-depth look at what has happened and how data is collected to ensure that hereafter all constitutional rights are protected.
In the meantime, DigiTar will remain true to our privacy policy convictions, and the trustee responsibilities we have, in order to maintain the absolute privacy of all customer information, data, and communications.
