Processing authoritative requests

Processing authoritative requests

Processing authoritative requests

As every now and then we receive requests by authorities to provide information on their investigation I want to shed some light on how we process such requests, what that means for us and especially what that means for our customers and why they can rest assured that we still take their privacy seriously. That is mostly Police but through different channels, either directly or through the based on the "EJPD".

We basically have three different scenarios:

1. Authority is not an authority (or request lacks legitimation)

This could be a foreign authority approaching us directly or a local authority placing a request which is not (yet) officially authorized. The latter case occurs very rarely the first one a bit more often. Depending on what information is requested we most often have to reject such requests. However, sometimes the information requested is actually publicly available but overlooked for some reason. If this is the case we might hint the requestor in the right direction in order to not having to deal with further requests from requesters side. If the requested information is not publicly available we have to reject the request and redirect it to a legal way.

2. Authority “just” requesting contact information

This is most often the case as for almost all systems/setups we do not have data sovereignty but our customers have. We only do have data sovereignty over data of our own systems for internal purposes. In this case, if the request is legitimate we provide the requested contact information and the authority then approaches our customer directly.

3. Authority requesting additional information

These are very rare cases and proper legitimation such a request is essential. In that case, if not subpoenaed, we contact the customer about the request and attempt to permanently save the information requested in order to provide it to authorities. It is especially important to provide only the information requested for and protect other customer’s data.

Why do we have to deal with such requests?

As a service provider, we are of course bound to the law. We only can provide services to our customers safe when we have a safe set up ourselves. A safe set up means also a setup compliant with all applicable laws.

What is the reason behind such requests / How can you avoid getting the target of such a request?

First of all: there is no definitive universal advice, as there is always a slight chance of getting targeted accidentally. Generally speaking, we can say that for all requests we received so far there were good reasons. Those were customers that either were abusing their setups for illegal activities themselves or more often customers that neglected their setup and thus got compromised.

So why can’t nine protect customers from getting compromised when they neglect their setup?

For one responsibilities are clear: Nine provides a service the customer can use. It is the customer's obligation to use it in a responsible manner. This also means that any applications run on top of our service area within the customer’s responsibility to maintain.
For the other: Nine cannot monitor each and every application a customer sets up as this would make it a managed application. Also, we do not know about the customer’s requirements for this application. Maybe the customer is aware of some risks and has to accept them due to dependencies or for other reasons.

Lastly: If Nine gets aware of an insecure or even compromised setup we immediately contact that customer so he can take corrective measures, in which we also support them in our best effort.

To sum it all up:

Nine takes your privacy very seriously. Nine will not process requests for which there is no legal basis. However, when we are legally obliged to comply with authoritative requests, we will process that request. It is important to say that while doing so, we make absolutely sure no other customer’s privacy is at stake. This means, for example, that we insist on an electronic version of such requests in order to just copy&paste the addressing elements of the requested information to avoid any typos and accidentally target wrong customers. We also insist on a secure (encrypted) way of transmitting requested information to the recipient. Nine will also inform its customers (unless subpoenaed on a legal basis) about such requests.

As a customer, you can avoid getting targeted by complying with laws and terms and conditions of the contract and also by keeping your setup maintained and applying updates and patches in a timely manner to avoid it being exploited by criminals.

If you have any questions or need assistance please do not hesitate to contact us.

You'd like to stay up to date?  

Subscribe now for the nine blog

 

Reto Bollinger

Information Security Officer @ nine