Cloud storage operator ordered to disclose user details for use in foreign proceeding
The High Court recently ordered an internet cloud storage company to disclose user information to Kazakhstan for use in a US proceeding. The judgment provides a useful overview of the relevant principles considered by courts faced with requests for assistance from foreign courts and fuels discussion around balancing the provision of requested information with local privacy legislation against a background of increased public awareness of the impact of hacking, as experienced with the Panama Papers.
Kazakhstan claimed that its government computer systems had been hacked and that thousands of sensitive and confidential documents had been accessed. A substantial number of the documents were uploaded to a cloud storage service operated by Mega Limited, a company registered in New Zealand. Kazakhstan could not identify the hackers, but filed an anonymous civil action against them in the US District Court for the Southern District of New York. Kazakhstan obtained a letter of request from the New York court to the High Court, seeking its assistance in obtaining specific information, which Kazakhstan claimed would lead to the identification of the hackers. The specific information was connected to the accounts of certain Mega website users, namely their:
- IP addresses;
- email addresses;
- contact information;
- account information; and
- payment information.
In the High Court, Kazakhstan sought an order for a subpoena requiring a Mega representative to attend the court for examination and to produce the documents specified in its request. Kazakhstan had to be able to identify the hackers in order to obtain the remedies sought against them in the New York court (a permanent injunction and damages). Mega opposed the application on the grounds that the orders were unavailable and inappropriate under the Evidence Act 2006 and were in breach of the Privacy Act 1993. Mega premised its opposition on the basis that cloud storage providers differ materially from other third parties because of the high level of security and privacy that they promise to customers. Because its operational model centred on protecting users' privacy, it was required to test and challenge attempts to access personal user information that it held.
Jurisdiction and discretion to respond to request
The High Court's jurisdiction and discretion to give effect to applications for assistance by foreign courts are governed by Sections 184 and 185 of the Evidence Act. Sections 184 and 185 are based on the UK Evidence (Proceedings in Other Jurisdictions) Act 1975 and were intended to be consistent with the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (although New Zealand is not yet a party to the convention).
Did the request seek to elicit evidence or was it part of an investigatory inquiry?
The central issue was whether the request was seeking to elicit evidence for trial or was merely part of an investigatory inquiry. Consistently with the UK position, only the former is permissible. Mega submitted that the proposed subpoena was directed solely at gaining access to information held by Mega for investigatory purposes and was unconnected to evidence that any individual could give.
The court held that it was necessary to look at the request's substance and determine the application's purpose. The following general principles were relevant:
- The question of relevance to a foreign action issue is primarily a matter for the foreign court.
- It is necessary for the High Court to recognise the principle of comity and, if it is proper to do so, to accede to letters of request issued by foreign courts seeking evidence for use in litigation before them.
- In doing so, the High Court must balance the legitimate requirements of the foreign court with the burden that those requirements may place on the intended witnesses.
The court considered that, in this case, the request's purpose was to obtain evidence for use at trial. The court took into account the fact that:
- the request was for specific and identified evidence, which was central to Kazakhstan's ability to prove its case;
- evidence tending to identify the anonymous defendants would be admissible at trial;
- although there was an "investigatory flavour" to the request, in that the information sought would be used to establish a fact not yet known to Kazakhstan, rather than to support a fact which it alleged to be true, this was not the request's overarching purpose;
- it was impossible to obtain the requested information by any other means; and
- the request was narrow and for specific evidence that the New York court was satisfied was relevant and essential for the purposes of the New York proceedings.
The court was unpersuaded by Mega's submissions concerning the efforts to which it would have to go to comply with the request. The court did not consider that the absence of physical documents, which meant that Mega could not produce any to meet the order, counted against making the order. The court also did not accept Mega's submission that the fact that it had had to "interrogate its own database to create collections of data" meant that the request effectively required Mega to undertake an investigation on behalf of Kazakhstan.
Potential ramifications for hackers or accomplices
Mega submitted that, if it divulged the specified information and if this led to the identification of the hackers, there might be political reprisals and human rights violations against those identified, and that this was relevant to the exercise of the court's discretion. Mega drew an analogy with provisions for information requests in criminal proceedings, which expressly allow the court to consider whether the overseas proceedings were of a political character.
The court rejected Mega's argument, noting that similar submissions had been made in the New York court and that the New York court had issued a protective order governing access to any information produced by Mega pursuant to the request. The court made further reference to the principle of comity and the desirability of acceding to letters of request issued by foreign courts, if the court could properly do so. In this regard, the court noted UK case law confirming that the principle of comity was particularly important where the litigation arose out of fraud on an international scale.(1) The court held that, although the case did not involve international fraud, recent examples of illegal and unauthorised hacking of international databases had attracted worldwide attention and shared important public interest considerations with international fraud, including substantial financial, security and personal privacy costs for those affected by the hacking.
Mega submitted that the request did not provide a basis for belief that the existence of a volume of allegedly stolen materials on Mega's website necessarily meant that those who had posted the materials were either the hackers or people working in concert with them. It submitted that the information sought might not further Kazakhstan's investigation, but would inevitably intrude on the privacy of the users in question and be contrary to the privacy principles under the Privacy Act. Accordingly, Mega submitted that the disclosure was not 'necessary' in the sense required by the Privacy Act.
The court disagreed, holding that the New York court had made the request on the basis of extensive information, and that the New York court's conclusion that the specified information may help Kazakhstan identify the defendants was supported by evidence before it. It was relevant that extensive investigations by Kazakhstan had not uncovered any other website that contained a similar volume of hacked documents to that which had been posted on the Mega website. In addition, subpoenas issued to Facebook, Microsoft, Google and others were unlikely to reveal the information sought as those companies were not expected to have the user account information of the persons who had posted the stolen documents on the Mega website.
Finally, the court noted that the privacy expectations of Mega's customers were necessarily limited by Mega's terms of service, which expressly stated that users could not store, upload or otherwise transmit or make available data in violation of any law. The terms and conditions also expressly reserved Mega's right to disclose user information when required by law, as well as to comply with any legal processes, including subpoenas and court orders. The court held that users' privacy interests were not absolute, particularly in light of the express limitations on privacy contained in Mega's terms and conditions. The limited nature of the information that Mega would be required to give was also relevant. The court held that, with the possible exception of account and payment information, the requested information was neither particularly revealing nor particularly sensitive. It did not, for example, carry the same degree of confidentiality as an individual's email or phone records. The court was satisfied that privacy interests in this case did not carry significant weight.
The judgment provides a useful overview of relevant principles in dealing with requests for assistance from foreign courts. The ever-increasing interconnectedness of global trade and information technology means that an increase in similar requests is foreseeable. Future requests will similarly require the balancing of the interests of those who claim that their information was uploaded without their permission, with those of legitimate users of internet services. The principle of comity, highlighted in this case, should lead to a consistent approach across jurisdictions in keeping with the transnational incidence and effects of hacking and data acquisition.