Privacy and the Cloud

With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored remotely. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not adapted to the expanded use of the cloud.

While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection.  When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files.  Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes.  Law enforcement agencies argue that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator.  The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage.

Those in favor of the government’s right to access such information would argue that one does not have a reasonable expectation of privacy once they turn over the information to a third party.  However, is this how individuals and corporations think of the issue when storing information on the cloud?  While most people would likely acknowledge that there is a set of privacy concerns associated with cloud storage, these concerns generally stem from the fact that the information is being stored on the internet and the third party to which the information is turned over may not be trustworthy.  A reasonable expectation of privacy in email was acknowledged in a recent Sixth Circuit decision, US v. Warshak (2010), but it remains to be seen how this will impact the law in the area.

The main statutory provision which protects wire, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA).  Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage.  The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are wildly out of sync with much of the computer activity which occurs today.  Take, for example, the fact that Email can be accessed by the government without a warrant if it has been left on a server for more than 180 days.  When the law was passed, Email was generally downloaded.  Therefore, the law considered email which remained on a server for more than 6 months to be abandoned.  Today, however, email is regularly kept and stored on servers, yet the law still considers email left on a server abandoned and allows law enforcement to access it without a warrant.  This leads to POP and IMAP email services to be treated asymmetrically.

An organization called Digital Due Process (a coalition of many of today’s most prominent internet companies) has laid out its major principles for bringing the ECPA up to date with today’s computing needs.  These principles include required use of warrants in order for government entities to require that private information from entities covered by the ECPA be turned over, and requirement that more particularized evidence be provider in order for governmental entities to receive subpoenas.  Senator Patrick Leahy has introduced a bill in the Senate which corresponds with many of these ideas.

While these reforms are necessary to align the law with the current state of the internet they are unlikely to be implemented any time soon. The major roadblocks to enacting this change come from the law enforcement and the cloud computing industry itself.  Obviously law enforcement wishes to continue the practices in which they currently take part and want investigative procedures to remain as simple and quiet as possible. At the same time, the cloud computing industry is caught in a tough position.  On the one hand cloud computing providers want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services.  However, the cloud providers want to continue to access individuals data for their own informational purposes (see Amazon terms of service regarding consumer files, particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.


One Reply to “Privacy and the Cloud”

  1. Pingback: Client Confidentiality and the NSA: May attorneys still use unencrypted email?

Leave a Reply