Dane Jasper is the CEO and co-founder of Sonic.net. The Santa Rosa-based internet service provider is one of the highest rated by the Electronic Frontier Foundation, for actively protecting the privacy of customers' data. (Christopher Chung/ The Press Democrat)

Santa Rosa's Sonic leads in online privacy protection

MARTIN ESPINOZA
THE PRESS DEMOCRAT

In a large, cold, immaculate room, rows of black metal cabinets shelter Internet servers whose blinking green lights indicate the frenetic pulse of our every online move, whether it's sending mundane emails, trolling online forums, messaging a lover or making online purchases.

Multiple safeguards such as handprint scanners, secure keys and a cylindrical "mantrap" chamber with interlocking doors and weight sensors protect the contents of this room, in the southwest Santa Rosa headquarters of Sonic.net.

Privacy is paramount at Sonic, Northern California's largest independent Internet provider. The company has become a national model for Internet privacy policies, even as the foreign and domestic spying tactics of the National Security Agency provoke worldwide criticism and anger.

For the past two years, Sonic has received a perfect rating from the Electronic Frontier Foundation, a civil liberties group that for years has championed the digital rights of consumers, from free speech to protecting consumer data from the government.

When compared to Internet, telecom and tech giants like Google, Comcast, Facebook, AT&T, Verizon, Apple and a dozen others, only Sonic and Twitter have received a perfect rating for their consumer-privacy practices and policies.

"Our customers who are not criminals are our highest priority, and we believe the protection of their privacy is a serious responsibility," said Sonic co-founder and CEO Dane Jasper.

When law enforcement officers ask Sonic for information about you, Sonic asks, "Where's the warrant?"

When one is produced, the company will alert you about it, if they can do so legally - and they've gone to court to make sure they can. Sonic also publishes reports about how many court orders it receives.

Jasper said Sonic does not take part in the kind of bulk data collection that has landed the NSA in the crosshairs of Internet activists who are concerned that such surveillance activities violate the U.S. Constitution's Fourth Amendment, which prohibits unreasonable searches and seizures and requires warrants to be supported by probable cause.

"Sonic's entire business seems to be centered around respecting the consumer," said Nate Cardozo, a staff attorney at the Electronic Frontier Foundation on its digital civil liberties team.

Cardozo, one of the authors of EFF's annual Internet privacy report, titled "Who Has Your Back," said Sonic is an industry standard-bearer when it comes to privacy issues. He said Jasper has sometimes sought guidance, asking, "If Sonic isn't doing it exactly right, help us get it right."

Of the online service providers evaluated in EFF's report, Sonic is one of the smallest companies, born during a more competitive age than the periods that spawned telecommunications giants such as AT&T.

Sonic was started in 1994 by Jasper and co-founder Scott Doty, who devised their plan at Santa Rosa Junior College as part of a class project. It was a time when Internet service providers were starting to bring the World Wide Web to the masses with features like email, instant messaging, FTP file-downloading and virtual communities via computer bulletin board systems.

Jasper said Sonic's commitment to customer privacy is one of the things that sets it apart from its big competitors. He said that a more competitive market would give "a deterrent to providers taking customer privacy rights lightly, because customers who felt their rights were not being respected would depart."

Sonic received EFF's highest rating in both 2012 and 2013 for its actions in the preceding years. EFF's 2014 report, which will analyze companies' privacy polices and actions in 2013, is due next month, Cardozo said.

In its last report, EFF used six criteria to rate each Internet service provider. The companies were evaluated on whether they:

;Require the government to obtain a warrant supported by probable cause before the company hands over customer information.

;Notify users when the government seeks their data, unless they are prohibited from doing so under court order.

;Publish statistics that show how many times the government has sought customer information and how often they have yielded the information.

;Publish law enforcement guidelines that clearly outline - for the public and law enforcement - the company's policies for responding to government demands for information.

;Have a record of resisting certain government demands in court.

;Support efforts to modernize the nation's outdated Electronic Communications Privacy Act of 1986, which the EFF says does not adequately address such advances as the ubiquity of email, mobile-location data, cloud computing and social networking.

Jasper said he was unable to discuss details of specific court cases in which the company fought government requests for information.

One case involves a secret court order demanding that both Google and Sonic surrender data from the email accounts of Jacob Applebaum, a WikiLeaks volunteer. Sonic tried to get the court to unseal the case but was unsuccessful.

The company did manage to obtain permission to notify Applebaum that it was complying with the court order.

The complex system of security at Sonic's headquarters is a telling sign of the company's preoccupation with customer privacy.

Inside the chilly server room - which contains 228 server cabinets - Sonic also rents out cabinet space for servers to clients such as O'Reilly & Associates, the County of Sonoma and a number of IT consulting groups.

Each cabinet row is equipped with a video monitoring system that captures an image every time a visiting client opens one of the 600 cabinet doors to access a server or piece of equipment. An email with that image is immediately sent to the company representative or owner of the company renting the cabinet space.

"For our customers who have space here, we have multiple levels of physical security," Jasper said.

For Jasper, customer privacy is "more about policy, the decisions we make as an organization, how we're going to respond to criminal and law enforcement subpoenas."

As Internet crime becomes more and more prevalent, law enforcement has steadily increased its demands for information, Jasper said, targeting everything from drugs, theft, national security and child protection crimes.

Internet companies also are fielding a number of subpoenas related to civil cases such business and intellectual property disputes and copyright infringement.

According to its transparency report for 2011, Sonic received a total of nine civil court subpoenas, all of which involved copyright infringement cases. Of these the company surrendered data in two cases.

That same year, the company received 13 law enforcement court orders and surrendered data in seven cases.

In 2012, Sonic's rate of surrendered data was even lower. That year, Sonic was again handed nine civil subpoenas involving alleged copyright infringement, but it surrendered data in only one case. Also, the company gave up information to law enforcement officials in two of seven court orders it received in 2012.

Another Sonic practice that sets it apart from larger online service providers is the limited amount of time the company holds on to logs of its customers' online activity. Every two weeks, Sonic automatically deletes its logs, compared to the industry standard of 18 months, Jasper said.

He said two weeks is an adequate period for Sonic to meet its own business needs and also to respond to law enforcement and civil subpoenas and warrants.

"If people do something bad, I need to have that data. We are not absolutist about this," Jasper said.

The issue of online privacy reached a crescendo last year, when major media outlets such as the Washington Post, the Guardian and the New York Times began publishing leaked documents about the NSA's global surveillance programs.

The documents, which were leaked to journalists by NSA contractor Edward Snowden, shed light on a practice in which large telecom companies such as Verizon provide bulk metadata of online activity to the government. Rather than the content of actual phone calls or email messages, metadata details the time, date and location of these communications.

The government has said that its intelligence agencies are interested only in communications tied to foreign intelligence and counterintelligence with the aim of preventing future terrorist attacks. The government says it is bound by laws that prevent it from accessing law-abiding online activity by U.S. citizens.

Civil liberties advocates are not convinced.

"When it comes to spying by the government on the American people, it is vital for the health of our democratic society that the American people know whether their Fourth Amendment freedoms and statutory rights are being protected," said Will Matthews, a spokesman for the American Civil Liberties Union of Northern California.

"Our nation's legacy of privacy should not be secretly forfeited based on dubious promises of security," he said.

Sonic has not been asked by the government to provide such bulk data, probably because of the smaller size of the company, Jasper said. Even so, Jasper said it's inappropriate.

"I think it's not legal," he said. "I'm not a lawyer, but from a constitutional perspective, there's supposed to be probable cause for a search. The idea that the data is not looked at until there is a probable cause doesn't make me feel any more comfortable."

You can reach Staff Writer Martin Espinoza at 521-5213 or martin.espinoza@pressdemocrat.com.

UPDATED: Please read and follow our commenting policy:
  • This is a family newspaper, please use a kind and respectful tone.
  • No profanity, hate speech or personal attacks. No off-topic remarks.
  • No disinformation about current events.
  • We will remove any comments — or commenters — that do not follow this commenting policy.
Send a letter to the editor