Privacy, Breadcrumbs and Personally identifiable information (PII)

I am reading “Programming Windows Store Apps with HTML and CSS“ by Kraig Brockschmidt. It’s a good book and better still you can get the ebook/pdf version for free (http://blogs.msdn.com/b/microsoft_press/archive/2012/10/29/free-ebook-programming-windows-8-apps-with-html-css-and-javascript.aspx).

The author Kraig Brockschmidt has a section about adding code to a demo app (Here my AM!) to share a photo and a geo location.  I came onto the following text (“And if you still think I’ve given you coordinates to my house, the ones shown here will send you some miles down the road where you’ll make a fine acquaintance with the Tahoe National Forest.”). His newer version of the book he has his house coordinates blurred out so we can’t see them.

Let’s look at his remark and see how true it is from a privacy perspective. First is what do we actual know.

* His name Kraig Brockschmidt.
* A good guess is he works for Microsoft Software.
* We know he lives close to Tahoe National Forest.
* A quick look up in Google/Bing we see that the main address for Tahoe National Forest  is Lake Tahoe, CA 96140.
* We now know that another good guess is he lives in the state of California.

Now lets go back to our favorite search tool and see how difficult it is to learn what Kraig’s physical address is since he won’t give us his geo coordinates to his house. Maybe we want to borrow a cup of sugar and share some Microsoft love,

First we can just search for his name and state to see what we get.  Our first entry in our results list is a web site (http://www.kraigbrockschmidt.com) a quick look around and we know its Kraig’s web site. We can see references to California and his books.  On his about-page we see a reference to that he and his wife moved to Nevada City, CA in 2011. So now we know his state, and city.

Using his own web site, LinkedIn and O’Reilly we see that his current employer is Microsoft Software as a program manager.

So now we have his city, state and employer. We just need to get his physical house address. Not to worry a quick web search and we will be at his house in a few minutes to borrow that cup of sugar.

We can use http://www.zabasearch.com (zaba search can be totally free if you sign in using Facebook) or if we want we can use a paid service like http://www.intelius.com/. Now we have his physical house address and phone number.

I am not going to post his actual home address or his phone number in this blog post. I just look and I have enough sugar so I don’t need to borrow a cup.
Unfortunately what works to find Kraig’s home address also works to find my home address, I also check on a few friends living in Owasso, Depew Ok and I was quickly able to get their home addresses and phone numbers.

The issue here is a hard one to solve. We want to be connected to people. Easiest way is using the Internet.  We want and need the Internet to help with our own personal branding. We need and want to show our professional work. Some of us want to discuss our spiritual paths, political views, etc. with friends and others. That causes us grief since one web site may not give a view of who we are but we leave enough breadcrumbs for sites like ZABA Search and state and federal government web sites to collect data on us. Remember we don't want our physical address known to everyone on the Internet but we do want police, fire services to be able to quickly find us.

We find ourselves in an uncomfortable position of wanting to control what we can’t.

Not just our physical addresses are hard to keep private but other personal information is under attack as well. Researchers using Facebook found with remarkable accuracy( 93% to 95% ), based on what we mark as likes on Facebook that a wide variety of our personal attributes, from sexual orientation, race, age, political affiliation to intelligence can be predicted.

See (http://www.pnas.org/content/110/15/5802.full.pdf) and you can also go to (http://applymagicsauce.com/test.html) to become part of the study.

These new predictive algorithms are only going to improve in the future. Not just Facebook but also Google, Bing, Yahoo, Amazon and others are paying for predictive algorithm research so businesses can sell us more products and services.

So what is the solution? I don’t know. We want our information out there and businesses are finding more and more ways to get it and to use it. We ourselves give away information for perceived and real benefits like being able to search without paying for Bing or Google or getting good deal on products and services. By leaving breadcrumbs on the Internet and with public data we that we have already provided the ability for someone to build an accurate profile on us is real. 

My recommendation is to pay attention to what you are doing. One example is by default our likes on Facebook is public knowledge. You can in Facebook settings is make this information private. This makes you in charge of your own information. I am not going to kid you; this is not an easy task. You are on a slippery slope and no matter what you do some information on you is always going to be publicly available.

Additional information...
* http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
* https://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf
* http://itlaw.wikia.com/wiki/Personally_identifiable_information

Privacy

Here is a good definition of privacy...

An individuals’ ability to determine how much, to whom, and when / for how long Information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little quicker with a more simple and accessible definition.  

RSA, NSA, OWASP

Last week OWASP has had a vigorous debate on if OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. Debate surrounded the issue of RSA and its relationship with NSA. More specifically did RSA per request of NSA weaken its cryptology products to allow NSA better access to be able to unencrypted encrypted data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At present time I know of no organization or individual who has confirmed if the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.

I do know that OWASP’s main core value is to present unfretted security information to everyone.

What I don’t know is if OWASP had not cancelled its training would that have put a mark against OWASP as being able to continue its main core value of delivering unfretted security information to everyone and still be vendor impartial and have no ramifications to its brand name by co-marketing with RSA. I would have hoped the individuals attending the course could easily have made that distinction for themselves that OWASP and RSA are very different originations with each having its own values.

I think it’s sad that OWASP caved into media hype as to RSA and NSA relationship. I am also disappointed by RSA for not dealing the speaker cancellations in a positive way and for not being more open then they have been with their relationship with NSA. I do support OWASP and the speakers who cancelled their speaking engagements.

I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need by Law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle East, and Asian), and governments.

Current surveillance program being conducted by NSA is a direct response by Terrorist attack on 9/11 in New York. That attack 2,977 innocent people lost their lives. The mindset of this for need of surveillance was further embedded into American mindset by the Boston marathon attack where three spectators were killed and more than 200 people (men, women and children) were injured.

So this discussion needs to be kept in scope of what the NSA is doing is trying to do is prevent more deaths of our civilian population and reducing the fear of terrorism. Because of the secret nature of NSA we really will never know the results of these efforts to a large degree. That prevents us from having absolute confidence of the good and bad of organizations like NSA and its partners, governmental and others. This lack of confidence is not uncommon. We unfortunately we have a long history of individuals or groups within organizations abusing their power and we have just as long of uncovering the abuse. The difference here is our government has needs to keep part of its activities secret. While at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.

One last thing, encryption; does encryption equal privacy? I have written a blog post talking about this every issue. American courts have upheld law enforcement request for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files by terrorist, pedophiles, and other bad guys/governments, however I also realize this can be very slippery slope.

Recap:
Unknowns… The benefits or fallout of OWASP doing or not doing secure code training at RSA conference is unknown. * The RSA and NSA relationship is largely unknown. We don’t know if RSA weaken its cryptology products per NSA request.

Facts… Secure training is very much needed. OWASP is a premier leader of making unfretted secure information open and available to anyone. With the Target data breach reaching over 70 million accounts the need for secure coding training needs to be at the forefront of all development teams.

Hopes… 

• I think OWASP if it has the bandwidth should offer free secure coding to any organizations that has had a large data breach. The organizations with the data breach will pay for trainers expense; travel cost and provides the venue for the training. That would be a win-win solution for everyone, OWASP, consumers, businesses.

• I would also like to see OWASP bring together, politicians, law enforcement, legal experts (defense, prosecuting, judicial), legal scholars on all levels (community, state and federal), for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena giving everyone accurate information on privacy for individual’s, communities and discuss issues of NSA surveillance both positive and negative. This could be done here in America and in other countries. That would be very cool! Also it would be a win-win solution for everyone.

Resources:

• http://blogs.csoonline.com/security-industry/2914/owasp-terminates-marketing-agreement-rsa-conference-board-member-cancels-class-out-protest?source=CSONLE_nlt_salted_hash_2014-01-10
• http://voixsecurity.blogspot.com/2012/02/stored-communications-act.html
• http://voixsecurity.blogspot.com/2013/07/cost-of-data-breach.html

Mozilla Firefox Lightbeam

Lightbeam is a new add-on for Firefox. It provides a light (pun intended) on what third party companies you interact with when visiting web sites. Lightbeam works by recording all tracking cookies saved on your computer through the Firefox browser to see which advertisers or other third parties are connected to which cookies. Amazedly it can differentiate between “behavioral” tracking cookies (those which record specific actions on a site) and other tracking cookies. The data can be viewed visually and in text format.

I visited one the large brick-and-mortar companies that also has a decent e-commerce web site. Below is what I found out. I tried to organization the cookie data the best I could. Some of the companies are familiar to all of us like DoubleClick. But al lot of these companies I had no clue about most of these companies until I looked them up.

I would recommend that your turn on Lightbeam for a day and use Firefox exclusively. At the end of the day you will be amazed by how many companies are tracking you. Of course don’t be too surprise, the top companies in the tracking space bring in over 39 billion in revenue. This is big business. Don’t get me wrong I depend of these companies to profit by seeing what I do online. I don’t want to pay to use Google, Yahoo, or Bing to search the web. I like having services like Hotmail, Gmail for free. I want to have Amazon recommend books to me based on prior buys and searches. 

I also want to have a say into who is tracking me, what I do, how the information can be used and by who. The issue now is how big and powerful these business has gotten without anyone really realizing it. Now add that with powerful behavioral software and we are facing a monster. Like Pogo said, “we have met the enemy and he is us”. Privacy and the need for it are still valid in our connected world. How much of our privacy we keep is going to be decided on how much we are willing to get involved and learn what and who are behind the curtain. I would say right now we are facing an uphill battle.

Tag Management: 
* http://www.brighttag.com 
* http://www.google.com/tagmanager/

Brand Management/Protection 
* https://www.markmonitor.com

Ad content providers: 
* Tribalfusion.com Tribal Fusion is a global online advertising provider. 
* Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end-users with low latency; high data transfer speeds, and no commitments. 
* Tapad.com apad’s proprietary technologies, advertisers can now employ consistent ads across multiple platforms: home computers, tablets, smartphones, and now even smart televisions

Tracking Management. (Technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web.) 
* 2mdn.net is a domain used by Doubleclick. 
* Atwola.net is a domain used by AOL Advertising. 
* Mathtag.com is a domain used by MediaMath. 
* W55c.net s a domain used by Lotame. 
* Googlesyndication.com is a domain used by Google Adsense. 
* Fastclick.net s a domain used by ValueClick Media. 
* Specificlick.net is a domain used by SpecificClick. 
* ATDMT is a tracking cookie served by Microsoft subsidiary Atlas Solutions. 
* Doubleclick.net A Google Company.

SEO Services. 
* GoogleLeadServices (not connected with Google Inc.) provides SEO services.

Big Data/Market analytics. 
* monetate.com Ecommerce connecting customers to sales. 
* http://www.bluekai.com big data marketing platform. 
* Adnxs.com is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising. 
* Turn.com market analytics.

Consumer profiling/preference/psychology software. 
* http://www.liveclicker.com/web/ Liveclicker is there to provide all the tools necessary to create one-of-kind interactive shopping experiences. 
* 247-inc.com Inventory check based on buying preferences on web site visitor. 
* Tumri, an interactive ad platform. With their new technology, ads dynamically change based on geography, demographics, psychographics, media type, sites, etc.


http://www.mozilla.org/en-US/lightbeam/ 

http://www.ted.com/talks/gary_kovacs_tracking_the_trackers.html

How unique are you? Your Zip code knows.

When I am out shopping and ready to checkout the clerk asks me for my Zip code. My family readily gives out such information and often apologizes to the clerk when I refuse to give out my Zip code. When I respond with that is personal information my reply is just eyes rolling with your just being grumpy. Of couse there is some truth in that. But still we have the question is how much information can they(retail store) get by knowing my Zip code? The answer is a lot.

Famed Harvard Professor Latanya Sweeney who has done pioneering work on data privacy has a web site where you can now test your uniqueness. Her site asks for your gender, birthdate and Zip Code. Remember the retail store has an advantage because they have your name and Zip code. Give it a try. You might find that you not as unique as you think you are and using your Zip code really can help identify you and in most cases with 100% accuracy.

http://aboutmyinfo.org

Dr. Sweeney explains that “365 days in a year x 100 years x 2 genders = 73,000 unique combinations, and because most postal code have fewer people, the surprise fades”.

Here is a sample output using a made up person…
74012 (pop. 57526) Male Birthdate 12/13/1987 Easily identifiable by birthdate (about 1) Birth Year 1987 Lots with your birth year (about 378) Range 1987 to 1991 Wow! There are lots of people in your age range (about 1894)

A lot of retailers today use services like GeoCapture. This service produced by Harte-Hanks (http://www.harte-hanks.com) simply captures your name from your credit card and with the clerk entering your Zip code into the POS during the transaction. Using the GeoCapture service your store matches the collected information to a comprehensive consumer database to return an address.

Beside your address GeoCapture can…

• Identify customers, understand purchase behavior, and follow up with dynamic, personalized marketing.
• Provides customer contact information and purchase history.
• Extensive, proprietary matching logic and nickname tables identify customers easily with accuracy rates close to 100%.
• Can be used in conjunction with Reverse E-mail Append for customer identification.

Here is the PDF from Harte-Hanks that describes services offered to retail stores. Of course if you shop in your own Zip code and the clerk enters the store Zip code. They got you. http://www.hartehanks.com/pdf/Data%20Services%20and%20Solution%20brochure%20100108.pdf

Ok here are some simple proven ways to help protect your privacy.

• 1. Sign out of online accounts when not using them, Hotmail, Facebook, etc. (This is becoming more difficult with always on mobile apps).
• 2. Don’t give out personal information when shopping.
• 3. Encrypt your hard drive on your computer.
• 4. Turn on 2-step authencation for all app that provide this. Gmail does.
• 5. Pay cash for embarrassing things.
• 6. Change your Facebook settings to Friends Only.
• 7. Clear your browser history and cookies on a regular basis.
• 8. Use an IP masker. www.hidemyass.com
• 9. Set and use your passcode on all of your wireless devices.
• 10. Remember everyone now carries a phone with a camera. If you do some something stupid it is very likely someone took a picture of it and posted it on the Internet.

I thought this was a cool site and I wanted to share it with you. Smile your on camera, maybe. http://360gigapixels.com/petrin-prague-photo/

Cost of a Data Breach and Information collected about you on the Internet.

While we wait, talk and complain about our governments intrusion into our private lives we do very little about the professional criminal who is breaking into our web sites stealing our data. Curious isn't it?





Ok, now about all that data that we make freely available so we don't have to pay for services like google, youtube, hotmail, etc. Remember when your mom and dad said there was no such thing like a free lunch? They weren't wrong.

1. Google Street View has collected over 5,000,000 miles of images 
2. 58% of people are unaware of how data is gathered and shared online by advertisers 
3. Facebook collects over 500 terabytes of data from its users each day 
4. 50% of iOS apps track your location 
5. Free apps are more than 4x as likely to access contact lists 
6.  87% of US adults can be tracked via their mobile device

Facebook

Datalogix: Has over 50% market share of the top 100 advertisers and over 90% of the top 50 digital media and ad tech companies. Today it has the world largest platform of 1:1 offline purchasing data and tracks over $1 trillion in consumer transactions in a wide range of retail settings.

Acxiom: Mainly collects data from financial services, insurance, information services, direct marketing, and federal, state and local government sector. 

Epsilon: Monitors social networking and online media sites to see what people are saying about a company, advises on markets to target, helps develop and maintain customer loyalty programs. 

Bluekai: Has created an actionable audience database on more than 300 million users (80% of the entire US Internet population). 

So what do these companies have in common? In February, Facebook announced partnerships with the above four companies. Facebook is moving into new area to combine its online data with its users and with their offline purchases. The goal is to create better targeted/relevant ads for Facebook users and its advertisers.

This means the lines between and our physical and digital self’s has been blurred.

For me this means I reveal more personal information without being able to opt-out. That isn’t necessarily bad in my opinion. If the data is used to make my shopping experience better, better product placement, more relevant products closer to the door that is better for me. However I doubt if I am the most targeted demography group so my shopping experience will stay the same. 

Will companies in the future offer private shopping as a feature for the discerning shopper? Right now I don’t feel this is a viable option. Maybe Lindsay Lohan will want a bit more privacy in her shopping habits and will be willing to pay for it. If so now privacy is a sellable retail item. It would be kinda funny seeing people in Target walking around in plain brown boxes to protect their identity. Funny as that would be I do see a market in the future where banks offer anonymous ATM/credit cards to number accounts to protect their clients identity. 

This can also work against me my last big purchase was a car a few months ago. I had gone to the dealership’s web site I bought the car from. In fact the dealers web site and his inventory of cars is one reason I went to his brick and motor store. If he is able to use my online digital profile and link it to my physical profile he can use my own information against me to get a better price for his car. I doubt if I can get the same information on his sales to use his sales data against him for the best price for me. Seems a bit unfair to me.

References:

http://www.nytimes.com/2013/03/26/technology/facebook-expands-targeted-advertising-through-outside-data-sources.html?ref=acxiomcorp&_r=0

http://adage.com/article/digital/facebook-partner-acxiom-epsilon-match-store-purchases-user-profiles/239967/

http://allfacebook.com/custom-audiences-datalogix-epsilon-acxiom-bluekai_b111746

“A man’s home is his castle”

“A man’s home is his castle”. This aphorism invokes many emotions tied to our notions on privacy. Our courts have reached another decision when we travel from the physical world to our digital world. Daniel Reed in “Information Privacy: Changing Norms and Expectations” offers three ideas about the future of personal online information management. 

 The first two could be binary access specifications that can be embed into the content. The content would be encrypted so that only users who know the public encryption key of the content owner and use a viewer that has the binary access specifications built into it would be able to view the content. The two binary access specifications are… 

 1. Bounded lifetime. An end of life attribute that can be embedded into media content that I upload to the Internet. Any pictures of me during college or high school I might want to have an end of life once my college life is over. 

 2. Transitivity of access. An attribute that controls how far my content can travel. It allows me to say this content can be shared within my group of friends but my friends cannot share it outside of my group I tied to this content. 

 The usability of UI for privacy and security deserves far more attention than it is getting. This is not a vendor problem but belongs to content owners, individuals who view others content and system providers. Privacy specifications must be made far simpler and more intuitive. Content owners who post content to the Internet must understand their roles in privacy for themselves and others. Individuals who use or transmit content of others must understand the implications of their actions. Vendor or system providers must provide tools to control the ownership and privacy of our content. 

 Is anyone listening at Facebook, Yahoo, or Google???

ACM Blog Information-privacy-changing-norms-and-expectations/fulltext 

Microsoft Azure is part of the Safe Harbor Act

The U.S. and European Union (EU) have vastly differing views of what privacy is. In the U.S. companies who collect the information own the information. In the EU the individuals own their own information collected by companies like Facebook or Google.  Microsoft says Azure supports the Safe harbor Act which acts like a bridge of the differing view on privacy but what do we need to know?

The Safe harbor is designed to protect privacy of individuals by legislating the manner in which personal data is processed including storage, collection, etc. A high overview of the safe harbor principles is as follows:

• Notice – Organizations must inform individuals as to the purposes for which information about them is being collected and used, and the types of third parties to whom the organization may disclose information. Individuals must be informed how they can contact the organization with inquires or complaints as well as the choices they have with respect to limiting the use and disclosure of information about them.
• Choice – Individuals must be provided the opportunity to “opt out” of allowing their information to be disclosed to a third party or to be used for a purpose incompatible with the purpose for which it was originally collected.
• Safe Harbor Sensitive Information Principle – For sensitive personal information, such as that specifying medical conditions, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, individuals must explicitly “opt in” before such information can be disclosed to a third party or be used in a manner other than for which it was originally collected.
• Onward Transfer – Prior to disclosing information to a third party, the organization must ensure that the third party provides the same level of privacy protection as required by the safe harbor principles. Having done this, the organization will not be held responsible should the third party process the data in a manner contrary to the safe harbor privacy principles.
• Security – Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
• Data Integrity– Organizations must take reasonable steps to ensure that data is accurate, complete, current, relevant, and reliable for its intended use.
• Access – Organizations must provide individuals with access to personal information collected about them. Individuals must be allowed to correct, amend, or delete such information if it is inaccurate. Exceptions to this principle may be allowed where the burden or expense of providing such access is considered disproportionate to the risks to the individual’s privacy.
• Enforcement – Organizations must define procedures and mechanisms for assuring compliance with the principles. These mechanisms must also include a means by which complaints and disputes raised will be investigated and resolved, and obligations whereby sanctions will be applied should the organization fail to be compliant. 

Another important fact we should consider is having our data stored in a foreign country doesn’t put us outside of the U.S. laws. The USA Patriot Act can give our government access to expat data stored outside the US.

Plus now we add state privacy laws from California, New York, and Massachusetts. Massachusetts has new regulations that went into on March 1, 2010. Significantly, the new regulations are not restricted to companies that are located or operate in Massachusetts. Instead, they apply to businesses located anywhere in the United States that store or maintain “personal information” about a Massachusetts resident. By default this means any data on Massachusetts’s residents no matter where the data is stored subject to Massachusetts’s privacy laws. 

Stored Communications Act

In our discussion on data stored in the cloud we need to understand the laws and regulations governing our data. Unfortunately this area of privacy with federal, state and industry regulations is not unified under one encompassing umbrella. In fact it is a broken mosaic with federal and state laws competing against each other. In this blog post I will look at the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA) and how it relates to our Fourth Amendment rights.

A federal statue known as Stored Communications Act governs the privacy of stored Internet communications. The SCA was enacted in 1986 as part of the Electronic Communications Privacy Act.

We need to start with the Fourth Amendment and see why the architecture of the Internet raises puzzling issues for the scope of Fourth Amendment protection. The Fourth Amendment offers strong privacy protections for our homes; it reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

The Fourth Amendment protection is extended to luggage, briefcases, backpacks, purses, opaque bags, and lockers. The important point here is these are all physical objects.

The privacy protection given above is not extended to the Internet. The Internet does not give us a physical “home”, nor really any private space at all. Although we may think of the storage on the Internet space as a “virtual home”, in fact our “virtual home” is just a block of ones and zeroes stored somewhere on somebody else’s computer.

The reasons why privacy protections do not apply to our “virtual homes” in cyberspace are three fold.

1. The Supreme Court has held that Fourth Amendment does not protect information revealed to third parties.  This is important we in IT do not view http/tcp traffic as being revealed to third parties, however the courts have upheld this belief in more than one case. This is the biggest obstacle for applying Fourth Amendment rights to the Internet.
2. Fourth Amendment governing grand jury subpoenas offer a second reason why Fourth Amendment has weak privacy protection online.
3. The third reason is the Fourth Amendment generally offers weak privacy protection online is that most ISPs are private actors.

The SCA tries to fix these issues to help provide privacy. But we need to understand some basic provisions that are in the SCA. The SCA adopts two distinctions of computer services providers. However these distinctions today are not vital in understanding the SCA. Most computer service providers have blurred the lines between the two distinctions by providing cross over services.

The first thing we need to understand is the SCA does not provide any privacy protection for “basic subscriber information” (session logs, IP addresses, etc).

The second thing is privacy of content. This is very frustrating to learn at first but it is the current law. With SCA our takeaways need to be the following.

• Unretrieved/Unopened communications, including email and voice mail (in electronic storage 180 days or less) the provider is allowed to voluntary disclosed to law enforcement or government.
• Opened communications, including email and voice mail (in electronic storage more than 180 days) the provider is allowed to voluntary disclosed to law enforcement or government.
• Other content (including database records, images, music files, etc.) being stored or processed the provider is allowed to voluntary disclosed to law enforcement or government.