Cloud computing is when a user provides an input for a program, but some or all of the program’s processing is outsourced to another computer or set of computers (the “cloud server”). Google Maps is an easy example of this – the user provides an input, which Google’s cloud server processes in order to provide the user an output. Cloud servers, in processing inputs, will acquire data, some of which may be highly sensitive (i.e., medical records). Once the data is on the cloud server, any number of things can compromise its privacy – third parties may expose the data through an attack, the data may leak due to faulty coding or hardware, cloud server operators may use the data for gain without consent of the users, or the cloud server operator may hand the data over to the government without consent of the users.
User data uploaded to cloud servers receives, at best, awkward privacy protection through legal doctrine.
First, Fourth Amendment “right to be secure” jurisprudence fails to provide much protection to cloud user data at all. The “Third-Party Doctrine” doctrine of the Fourth Amendment holds that knowingly revealing information to a third party relinquishes Fourth Amendment protection in that information. Thus, when a cloud computer user utilizes cloud computing services, he or she entrusts the security of sensitive information to a third party, the cloud server, thereby waiving his or her Fourth Amendment right to preserve the security of that data. What’s more, the Supreme Court has actually expressed some fear of delving into the intersection of modern internet technology and the Fourth Amendment, noting in City of Ontario, Cal. v. Quon that “The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.”
Second, statutes may provide some protection to cloud users, but their language is antiquated and thus applies tenuously, if at all, to modern cloud technology. The Stored Communications Act (“SCA”), codified in 18 U.S.C. §§ 2701-2712, addresses the voluntary and compulsory disclosure of electronic communications and records. However, the SCA was enacted primarily to protect information that is communicative in nature – i.e., electronic mail – and the statute thus has several shortcomings when it is applied to cloud computing:
- The SCA does not address negligent or reckless disclosure of data, only voluntary (i.e., knowingly or purposely) or government-compelled disclosure;
- It is possible that cloud computing falls under neither the “electronic communication service” (“ECS,” defined at 18 U.S.C. § 2510(15)) nor the “remote computing service” (“RCS,” defined at 18 U.S.C. § 2711(2)) scopes of the SCA’s protections;
- Many cloud computing services are not provided “to the public” at large, nullifying the SCA’s protections against voluntary disclosure; and
- Data shed during cloud computing likely do not qualify as “contents” under the SCA (defined at 18 U.S.C. § 2510(8)) and can thus be disclosed freely to any nongovernmental third party.
This begs the question: how should the law protect cloud computing data, if at all? New technology is emerging which will make it easier for cloud users and servers to protect user data. For instance, Christopher W. Fletcher, a researcher in the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory, is developing a processor for cloud servers called “Ascend” that makes it impossible for the cloud server to see the data it handles. In essence, Ascend turns the cloud server into a black box to which users send encrypted blobs of data for processing; then the server sends encrypted blobs of data back to the users.
This is to say that emerging technology may do a better job of protecting user data than the legal system can. While Ascend is server-side and thus relies on cloud server operators to install the technology themselves, perhaps a user-side processor with similar effects may be developed in the near future. However, if one were to decide that cloud user data should be protected primarily through technology, there still remains the question of how the law should incentivize the use of such technology. Is cloud user data so sensitive that server operators should by law be required to implement protective measures like Ascend? Or should they merely be incentivized to use such measures by implementing a negligence regime for improperly disclosed or leaked data? Or, should the law sit back and let the free market decide?
In my view, the importance of cloud computing in today’s environment demands a forward-looking and flexible environment. Lawmakers, perhaps through a Congressional subcommittee or an agency, should be tasked with evaluating which types of user data are the most sensitive and thus most entitled to protection, which technologies are sufficient to protect the data, and what degree of liability is appropriate for the harm visited upon the user through inadequate protections.