
4th Amendment And Shared Servers: Lessons From Shkreli

9/29/2017 Articles

The prosecution of Martin Shkreli, whom the BBC has called “the most hated man in America,” reveals some important lessons about the Fourth Amendment protections against search and seizure in the digital corporate context: physical access to documents on a server may trump actual ownership of records. As the use of shared servers increases, foresight and commitment to clear document policies can prevent potentially overbroad and unconstitutional data collection.

In December 2015, Shkreli, former head of the pharmaceutical company Retrophin, was indicted for conspiracy to commit securities fraud. Federal prosecutors in Brooklyn alleged that Shkreli raided Retrophin cash and stock to pay defrauded investors in two hedge funds he managed, MSMB Capital Management LP and MSMB Healthcare Management LP. In response to a government subpoena following Shkreli’s indictment, the publicly traded Retrophin produced troves of MSMB Capital and MSMB Healthcare-related documents. Shkreli subsequently moved to suppress those documents, arguing their introduction at trial would violate his Fourth Amendment protection against government searches and seizures.

Shkreli argued that, although he used his MSMB entities’ email to conduct Retrophin business, and although MSMB entity information was stored on Retrophin servers, the produced MSMB information was password protected, and thus not accessible to Retrophin. Therefore, Shkreli argued, he had a reasonable and subjective expectation of privacy in the MSMB documents.

To complete his Fourth Amendment claim, Shkreli also argued that Retrophin functionally acted as a government agent in collecting MSMB documents for production because, Shkreli alleged, the company “partner[ed]” with the government to collect MSMB documents.

Retrophin disagreed, and the government opposed Shkreli’s claim. Retrophin filed an affidavit asserting that “emails sent to or from MSMB email addresses (both in current and archived form) were commingled on Retrophin’s servers with emails sent to or from Retrophin email addresses,” that no separate password was required to access MSMB entity emails stored on the Retrophin servers, and that Retrophin — not Shkreli or MSMB entities — paid for and maintained the servers that housed the documents at issue. Moreover, the company responded to the subpoena by producing “responsive documents that it had in its possession, custody or control,” and mere production did not mean it was acting as a government agent. Therefore, the government asserted Shkreli’s Fourth Amendment rights were not violated by the production of the MSMB entity data.

Judge Kiyo Matsumoto agreed and denied Shkreli’s suppression attempts, finding that Shkreli did not have a reasonable expectation of privacy in the documents at issue, and that “corporate compliance with a government subpoena [does not] transform the complying entity into a government agent.”

The court recognized that, while the Second Circuit had found that a corporate officer like Shkreli may assert a reasonable expectation of privacy in his corporate records, see United States v. Chuang, 897 F.2d 646, 649 (2d Cir. 1990), Shkreli had not made such a showing. The court found that Shkreli willingly co-mingled MSMB and Retrophin records, and that Shkreli signed Retrophin’s email policy, which stated that “[a]ll electronic data ... transmitted through [Retrophin] facilities ... are the property of the company.” In other words, because Shkreli had failed to take proper precautions to keep MSMB material separate from Retrophin material, he could not demonstrate a subjective expectation of privacy in his corporate records. Shkreli was later convicted of three counts of securities fraud.

Shkreli’s failed motion to suppress provides a cautionary tale for entities that share physical or server space. Shkreli essentially argued that, because the MSMB documents formally belonged to MSMB and thus were not in the “possession, custody or control” of Retrophin, their production was a constitutional violation. The court ignored formal ownership, however, and found that the intermingling of Retrophin and MSMB records on a shared server was sufficient to establish Retrophin’s “possession, custody or control” over MSMB material.

Of course, intermingling records alone does not waive constitutional rights, In re SK Foods LP, No. 2:09-CV-02942-MCE (E.D. Cal. Dec. 24, 2009) (finding no authority for assertion that “privacy interests are waived simply because [] companies may have shared storage and access capabilities”), and federal appellate courts considering the Fourth Amendment rights of those not subject to search have proposed procedures for disaggregating intermingled physical documents, see United States v. Tamura, 694 F.2d 591, 595–96 (9th Cir. 1982) holding modified by United States v. Comprehensive Drug Testing Inc., 579 F.3d 989 (9th Cir. 2009) (“In the comparatively rare instances where documents are so intermingled that they cannot feasibly be sorted on site, we suggest that the Government and law enforcement officials generally can avoid violating fourth amendment rights by sealing and holding the documents pending approval by a magistrate of a further search ...”).

Disaggregating electronic records is much more complex than disaggregating physical records, however, and requires courts to grapple with the constitutional implications of server technology and the ubiquity of shared server space. “The advent of fast, cheap networking has made it possible to store information at remote third-party locations,” and “[g]overnment intrusions into large private databases thus have the potential to expose exceedingly sensitive information about countless individuals not implicated in any criminal activity, who might not even know that the information about them has been seized and thus can do nothing to protect their privacy.” United States v. Comprehensive Drug Testing Inc., 621 F.3d 1162, 1177 (9th Cir. 2010).

While the courts grapple with how the Constitution contemplates vast amounts of data stored all over the world, it remains clear that demonstrating a reasonable and subjective expectation of privacy in material is critical to stating a viable Fourth Amendment claim.

To make the strongest case for that expectation of privacy, entities sharing physical or server space should password protect distinct-entity documents, create formal policies regarding ownership of electronic and other records, and consider sharing the costs of hosting servers. Taking these precautions to protect distinct-entity documents on shared server space will strengthen claims to a reasonable and subjective expectation of privacy in entity records, and prevent unconstitutional searches.

Published in Law360.
