4th Amendment And Shared Servers: Lessons From Shkreli

9/29/2017 Articles

The prosecution of Martin Shkreli, whom the BBC has called “the most hated man in America,” reveals some important lessons about the Fourth Amendment protections against search and seizure in the digital corporate context: physical access to documents on a server may trump actual ownership of records. As the use of shared servers increases, foresight and commitment to clear document policies can prevent potentially overbroad and unconstitutional data collection.

In December 2015, Shkreli, former head of the pharmaceutical company Retrophin, was indicted for conspiracy to commit securities fraud. Federal prosecutors in Brooklyn alleged that Shkreli raided Retrophin cash and stock to pay defrauded investors in two hedge funds he managed, MSMB Capital Management LP and MSMB Healthcare Management LP. In response to a government subpoena following Shkreli’s indictment, the publicly traded Retrophin produced troves of MSMB Capital and MSMB Healthcare-related documents. Shkreli subsequently moved to suppress those documents, arguing their introduction at trial would violate his Fourth Amendment protection against government searches and seizures.

Shkreli argued that, although he used his MSMB entities’ email to conduct Retrophin business, and although MSMB entity information was stored on Retrophin servers, the produced MSMB information was password protected, and thus not accessible to Retrophin. Therefore, Shkreli argued, he had a reasonable and subjective expectation of privacy in the MSMB documents.

To complete his Fourth Amendment claim, Shkreli also argued that Retrophin functionally acted as a government agent in collecting MSMB documents for production because, Shkreli alleged, the company “partner[ed]” with the government to collect MSMB documents.

Retrophin disagreed and the government opposed Shkreli’s claim. Retrophin filed an affidavit asserting that “emails sent to or from MSMB email addresses (both in current and archived form) were commingled on Retrophin’s servers with emails sent to or from Retrophin email addresses,” that no separate password was required to access MSMB entity emails stored on the Retrophin servers, and that Retrophin — not Shkreli or MSMB entities — paid for and maintained the servers that housed the documents at issue. Moreover, the company responded to the subpoena by producing “responsive documents that it had in its possession, custody or control,” and that merely production did not mean it was acting as a government agent. Therefore, the government asserted Shkreli’s Fourth Amendment rights were not violated by the production of the MSMB entity data.

Judge Kiyo Matsumoto agreed and denied Shkreli’s suppression attempts, finding that Shkreli did not have a reasonable expectation of privacy in the documents at issue, and that “corporate compliance with a government subpoena [does not] transform the complying entity into a government agent.”

The court recognized that, while the Second Circuit had found that a corporate officer like Shkreli may assert a reasonable expectation of privacy in his corporate records, see United States v. Chuang, 897 F.2d 646, 649 (2d Cir. 1990), Shkreli had not made such a showing. The court found that Shkreli willingly co-mingled MSMB and Retrophin records, and that Shkreli signed Retrophin’s email policy, which stated that “[a]ll electronic data ... transmitted through [Retrophin] facilities ... are the property of the company.” In other words, because Shkreli had failed to take proper precautions to keep MSMB material separate from Retrophin material, he could not demonstrate a subjective expectation of privacy in his corporate records. Shkreli was later convicted of three counts of securities fraud.

Shkreli’s failed motion to suppress provides a cautionary tale for entities that share physical or server space. Shkreli essentially argued that, because the MSMB documents formally belonged to MSMB and thus were not in the “possession, custody or control” of Retrophin, their production was a constitutional violation. The court ignored formal ownership, however, and found that the intermingling of Retrophin and MSMB records on a shared server was sufficient to establish Retrophin’s “possession, custody or control” over MSMB material.

Of course, intermingling records alone does not waive constitutional rights, In re SK Foods LP, No. 2:09-CV-02942-MCE (E.D. Cal. Dec. 24, 2009) (finding no authority for assertion that “privacy interests are waived simply because [] companies may have shared storage and access capabilities”), and federal appellate courts considering the Fourth Amendment rights of those not subject to search have proposed procedures for disaggregating intermingled physical documents, see United States v. Tamura, 694 F.2d 591, 595–96 (9th Cir. 1982) holding modified by United States v. Comprehensive Drug Testing Inc., 579 F.3d 989 (9th Cir. 2009) (“In the comparatively rare instances where documents are so intermingled that they cannot feasibly be sorted on site, we suggest that the Government and law enforcement officials generally can avoid violating fourth amendment rights by sealing and holding the documents pending approval by a magistrate of a further search ...”).

Disaggregating electronic records is much more complex than disaggregating physical records, however, and requires courts to grapple with the constitutional implications of server technology and the ubiquity of shared server space. “The advent of fast, cheap networking has made it possible to store information at remote third-party locations,” and "[g]overnment intrusions into large private databases thus have the potential to expose exceedingly sensitive information about countless individuals not implicated in any criminal activity, who might not even know that the information about them has been seized and thus can do nothing to protect their privacy.” United States v. Comprehensive Drug Testing Inc., 621 F.3d 1162, 1177 (9th Cir. 2010).

While the courts grapple with how the constitution contemplates the storage of vast amounts of data stored all over the world, it remains clear that demonstrating a reasonable and subjective expectation of privacy in material is critical to stating a viable Fourth Amendment claim.

To make the strongest case for that expectation of privacy, entities sharing physical or server space should password protect distinct-entity documents, create formal policies regarding ownership of electronic and other records, and consider sharing the costs of hosting servers. Taking these precautions to protect distinct-entity documents on shared server space will strengthen claims to a reasonable and subjective expectation of privacy in entity records, and prevent unconstitutional searches.

Published in Law360.