This article was originally published by Security Boulevard (https://securityboulevard.com/2023/02/hunter-bidens-laptop-revisited-what-it-means-for-cloud-storage/).
On February 1, 2023, lawyers for first son Hunter Biden took a new approach to the fact that the contents of a laptop he took for repairs and then failed to pick up were leaked to the press. Hunter’s attorneys alleged that the computer repairman and others were violating U.S. and Delaware computer crime laws by exceeding the scope of their authorization to access Hunter’s computer, and that the dissemination of the contents of his laptop was a violation of Hunter’s privacy and other rights. The lawyers asked – nay, demanded – that these entities “cease and desist” from making any further use of the contents of the computer.
I have written repeatedly about issues related to Hunter Biden’s laptop and the fact that, under the contract between Hunter and the repair shop, if Hunter failed to pick up the computer within a specified time period, or if he failed to pay for the repairs, the laptop would be considered “abandoned.” That’s pretty consistent with the law of bailment, and is similar to what happens if you don’t pay for your U-Haul storage unit—next thing you know, bidders on some reality TV show are cutting the deadbolt to your locker and squabbling over your old James Taylor CDs and a painting of dogs playing poker on velvet.
So, on a simple and basic level, the first son’s laptop is abandoned property. The data can be wiped, the laptop resold. But the real questions here are whether data generally, and personal data in particular is, in any legally meaningful way, different from hardware and whether it should be treated differently. Certainly data is, and can be “property.” But it is a different kettle of fish, both in terms of questions of ownership (copyright) and privacy. So, on this level, Hunter may have a point.
Third Parties
The computer repairman is, under the law, a third-party bailee with duties and obligations to the property owner for as long as the agreement says that these obligations continue.
But corporations and individuals entrust their data, files, pictures, communications, messages and other sensitive data to third parties all the time. Our phone calls and text messages travel through multiple third-party’s servers on their way to the intended recipients. Communications sent through apps (including DMs) are not only transmitted but stored by those third parties. Photos are stored on Google Cloud or iCloud, or elsewhere—including, as we learned during the “fappening,” naked pictures of celebrities. Corporate email is stored on the cloud. Zoom meetings are stored on Zoom servers. AWS, Google, Microsoft and others store sensitive corporate data on their cloud servers—for a fee. In a real sense, these third-party entities are, like the Delaware repairman, bailees of the data with specific duties and obligations under the law and under the contract. Thus, for example, electronic communications providers may not disclose the contents of communications in transmission without a court order or warrant and may not disclose the contents of communications in storage without appropriate legal process (being deliberately vague here).
But what happens if you fail to pay your storage bill? If you fail to pay your storage bill at a U-Haul or U-stor facility, you abandon the property and the facility can destroy the contents (wipe), sell them or keep them. If they see something illegal in there (drugs, child porn, dead bodies) they can (and should) call the cops and the search would be legal—provided that the contract clearly permitted the search. More difficult, though, is data imbued with privacy. Let’s say data with the previous owner’s social security number, birthdate, credit card numbers, etc. is found in the storage locker. Could the U-Haul facility sell this information? Could they sell it to cybercriminals? Could they use it themselves? Could they simply publish it online with impunity? Is the data abandoned property? Same for things like family photos or intimate photos. The storage guys can throw that stuff out, but do they really “own” that? Can medical records, psychiatric reports, drug counseling records and other files simply be sold to the highest bidder? And does it matter whose psychiatric records they are? Is there a “public interest” exception to privacy? Would it matter if Donald Trump’s tax records were found in a storage locker in West Palm Beach, Florida? Or photos with Stormy Daniels? Can the contents of Hunter Biden’s half sister’s diary—similarly “abandoned” when she left her apartment—be legally published? Magic eight ball says, “Situation cloudy; ask again later.”
But if we extend this “breach the contract and the data is mine” attitude to the cloud, we have huge problems. The good news (for now) is that most cloud contracts are silent on the question of data ownership post-contract breach. If you don’t pay your storage fees, they typically have the right to kick you off (after some period of time) and to delete or wipe your data. Nobody wants responsibility for protecting large data caches when they aren’t being paid for it. For example, AWS states:
“AWS retains the policy data for the account for 90 days from the effective date of the administrator account closure. At the end of the 90 day period, AWS permanently deletes all policy data for the account.”
Cloud contracts generally state that the data stored belongs to the “owner” of that data. But, that is true for as long as the contract is in effect. In theory, there is nothing that would prevent cloud providers (and other SaaS providers) from including language in their contacts similar to that in Hunter Biden’s computer repair contract—pay your bill on time, or we will release your data to the public! That would sure encourage prompt bill payment. It’s also extortionate.
The law regarding the duties of third parties with respect to the data of others is, in a word, unsettled. While there are duties to protect the confidentiality of some data and not to release or disclose data without appropriate court orders, most of the rights and responsibilities of third-party repositories are dictated by the clickwrap contracts that few read and even fewer can negotiate. Data privacy laws that restrict the use and disclosure of personal information might impose duties on third-party data processors (including the computer repair guy), but there is no comprehensive data privacy law in the U.S., and none in Delaware.
Until then, the rule remains the same. Read your third-party contracts. Have your lawyer read them. And pay your bills. Oh, and keep everything encrypted. And hey, let’s be careful out there.
Read the original article, as published by Security Boulevard, here.