The recent revelations that Verizon and most likely others shared the entire contents of their customer databases with the U.S. National Security Agency raise a question for retailers and payment processors. How much data should I share with the government, particularly when it has a subpoena, and how much effort should I expend fighting government demands for information?
Any time you create "big data," you run the risk of big headaches. Remember, the government has something called "sovereign immunity," meaning that, for the most part, it cannot be sued. That leaves the data collector, retailer or payment processor with the responsibilities. If a retailer provides information to a government agency – even in the face of a demand or subpoena – the retailer, and not the government, can face liability if it is later determined that the demand or subpoena was not "lawful."
Here’s the problem. Most retailers have privacy policies that say they will turn over data (or even databases) in response to "lawful" government demands or requests. But if it turns out that the demand or request is overbroad, unreasonable, not supported by probable cause, done for an improper purpose, or simply that the government did not follow the proper procedure in obtaining the subpoena or warrant, or in otherwise requesting the information, the demand may not be lawful.
And voila! The retailer will have violated its own privacy policies. What’s worse, it will have opened itself up for liability not only to its customers, but also to the government that demanded the information in the first place. Finally, even statutes that appear to provide the entity with immunity for complying may not protect the chain.
The NSA "PRISM" program was actually only part of the NSA’s data-gathering efforts. PRISM was the NSA’s effort to collect "content" information over the Internet – that is, to read people’s e-mails, snoop on their Skype calls, capture video conferencing information, and read private SMS messages, tweets and Facebook postings. In addition, the NSA had a program, codenamed NUCLEON, to capture so-called "metadata" from the Internet: the header information from emails (whom customers are writing to, when they are writing, from where they are writing), which websites people are visiting and from where, and other theoretically "non-content" information. For telephone companies, the NSA has similar programs: codename MARINA for content information (listening in on phone calls) and codename MAINWAY for telephone metadata.
We know little about these programs except that they were theoretically approved by a super-secret court called the Foreign Intelligence Surveillance Court (FISC) and that they were targeting the communications of "non-U.S. persons." Other revelations in the past about programs like ECHELON indicate that the U.S. government had an understanding with other friendly governments. Since we couldn’t spy on U.S. citizens in the U.S. (without a warrant), they would spy on our citizens for us, and we would spy on theirs for them. All perfectly legal. Well, not perfectly.
The Internet and telephone databases are only a few of the many databases created by commercial entities as a consequence of providing services to their customers. Retailers and payment processors create databases of their own. Every time a payment card is used, a record is created of the exact date, time and location of the card use – down to the tenth of a second. This database, and the dicing and slicing of this database, is useful to retailers and card brands themselves to determine patterns of usage and to prevent or detect fraud, particularly when linked to things like loyalty cards, which allow the retailer to determine the purchasing behavior of specific individuals over time. Databases are a powerful tool for retailers, processors and, of course, governments.
It has been reported over many years that the NSA has also infiltrated myriad other databases. This includes the credit card processing and clearing databases, financial systems’ databases, funds transfer network databases, and many more. Although the details remain few, the database access may run from the mundane (the government issues a subpoena to a party for a specific set of records for a specific individual or small number of individuals) to the sublime (the government gets a pipe into the entire database and searches for and retrieves what it wants).
Here’s where retailers and database managers can get into legal hot water. What do you do when the government requests or demands information in, or access to a database you have or control? Multiple choice…
(A) Turn over the documents without question – hey, they have a warrant or court order, right?
(B) Turn over the documents, but tell your customer that you are doing so and let them fight the government.
(C) Force the government to get a motion to compel production, and then comply.
(D) Fight the demand to the death no matter how much it costs! You are the defender of your customers’ privacy.
(E) It depends on who asks for it, what kind of information it is, why the government wants it, how much it will cost to comply, and whether you can practically inform your customer.
(F) All of the above.
I have taken enough multiple-choice exams to know that the answer is always all of the above (unless it is none of the above). Deciding whether or how to comply with government demands for information is a complicated issue. Remember though, YOU are the custodian of your customer’s data. They gave it to you for you to fulfill an order or provide goods or services. Not for you to be the agent of some government to use that data to spy on your customers. Your first duty and loyalty is to your customers. No matter how patriotic you are, remember that, but for your express or implied promises of privacy, the data you are being asked to reveal would not exist if the consumer knew that it was invariably going to be shared with the government.
This is where it gets legally dicey.
If the cost of compliance with a subpoena or demand by the government is very high, the government may offer to pay for such compliance – particularly where, as in PRISM, the government may pay to install a pipe into your data stream. Retrieving records about your customers may become a profit center for you. This would be dangerous from a privacy perspective.
For most people, the answer will be (C). But for a few, it may be the litigation route. When Verizon turned over its entire database to the government (albeit with a court order) one could reasonably ask whether this was a "reasonable" and "narrow" warrant. Ditto for banking, credit and merchant records. If you want to know whether a search or demand for records is reasonable, ask a simple question – if this demand were made by the Stasi or the North Korean regime, would you have a different answer?
So ask yourself the question – do your customers REALLY know what you are doing with their data? I mean your data. I mean your data about them. Probably not. If you get a subpoena or demand for their data, I mean your data, do you tell your customers about it and give them an opportunity to challenge the demand? Do you resist the demand yourself to protect your customers’ privacy? Or do you just give the documents to any shyster with a subpoena?
But I Have Immunity, Right? I Was Only Following Orders
In response to the lawsuits, Congress passed a law that gives companies immunity for making "good faith" disclosures of information to the NSA under a warrant. That’s fine if the government demands a small number of records. But where, as in the case of Verizon, the government gets a court order for a database (and not just a record) it’s not clear whether, in good faith, you can or should comply. If the warrant is overbroad or calls for constitutionally protected information (say what customers are reading – Amazon) the warrant may be facially invalid, and you can’t rely on the fact that someone with a robe who is appointed for life by the president signed it. In other words, it’s complicated.
What’s A Merchant To Do?
If the government has a search warrant, and cops with guns, well then step back, get out of the way, and call your lawyers. If they serve a merchant with a court order, demand, subpoena, whatever, well then, step back, get out of the way, and call your lawyers. Just remember that the data sought is YOUR data AND your customers’ data. You are a fiduciary of their interests as much as you are of your own. The essence of privacy is that you collect data for a particular purpose and USE it for that purpose. Once the data is used for another purpose, you break your promise (express or implied) with the data subject. And breaking promises can lead to litigation, and not in a good way.
If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.