Upload
medialawguy
View
216
Download
0
Embed Size (px)
Citation preview
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
1/18
Bert van Uitert
The Nebulous Privacy Rights of Cloud Computing
I. Introduction
It is widely acknowledged that the cloud is among the most significant innovations to
ever hit the technology industry.1 Some have even gone so far as to label cloud computing the
next evolution of the Internet.2
In fact, cloud computing is becoming an important part of how
we interact with each other, conduct our business, spend our money, and many other daily
activities. As cloud computing becomes more and more ubiquitous, it becomes ever more
important to understand what rights are associated with content in the cloud. The Internet has
been and always will be an indisputably public medium
3
and cloud computing is still in its
technological infancy. This paper will define cloud computing and give a brief history of
computers through the recent rise of the cloud. The discussion will then cover the clouds
constitutional and statutory frameworks for privacy protection and give suggestions for future
judicial and legislative decisions.
II. What is Cloud Computing?
The definition of cloud computing is a matter of considerable debate.4
While many
definitions exist, simply put, cloud computing is the ability to run applications and store data on
1Nicole D. Galli & Edward Gevovich. Cloud Computing and the Doctrine of Joint
Infringement: Current Impact and Future Possibilities. 11 J. Marshall Rev. Intell Prop. L
673, 674. (2012).2 Barry Reingold & Ryan Mrazik. Cloud Computing: The Interesction of Massive Scalability,
Data Security, and Privacy (Part 1), 14 No 5 Cyberspace Law 1 (2009).3
David A. Coulliard,Defogging the Cloud: Applying Fourth Amendment Principles to Evolving
Privacy Expectations in Cloud Computing. 93 Minn. L. Rev 2205, 2231. (2009). (quoting U.S. v.Gines-Perez, 214 F. Supp. 2d 205, 225 (D.P.R. 2002)).4
Ilana R. Kattan. Cloudy Privacy Protections: Why The Stored Communications Act Fails toProtect the Privacy of Communications Stored in the Cloud, 13 Vand J. Ent. & Tech. L. 617, 620
(2011).
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
2/18
Bert van Uitert
a service providers computer over the Internet, rather than on ones personal computer.5
This
takes the processing, storage, and other computational activities out of the confines of the home
or business and into the nebulous backbone of the worlds servers and datacenters.
Many people use cloud technology every day without realizing or understanding the
technology behind the scenes. A concrete example helps to illustrate the difference between
traditional and cloud computing. In a traditional word processing program (such as Microsoft
Word), a user must purchase, install, and run a program locally on their computer. When the
document is saved, it is to the local hard drive. Unless the computer is attached to a network,
this saved document can only be accessed when someone is physically at the computer.
Conversely, when word processing is done in the cloud (with services such as Microsoft Office
365 orGoogle Docs) usually no software is ever installed and the software is accessed through a
web browser. All of the information processing and other services are performed on a server (a
powerful computer at a remote location) in a datacenter (a facility filled with thousands of
servers) and are then transmitted over the Internet to the users computer. These data and
programs can be accessed from any internet-enabled computer, phone, or tablet. Cloud
computing leverages economies of scale to bring massive computational power to the masses
quickly, cheaply, and efficiently.6 As cloud computing has become a part of daily life, nearly
every piece of traditional software has a cloud-based version, with services such as email, data
storage, photo editing, online video rental, virtual computer systems, and nearly anything else
imaginable.7
5William Jeremy Robinson,Free at What Cost?: Cloud Computing Privacy Under The Store
Communications Act, 98 Geo. L.J. 1195, 1199. (2010).6
See Kattan, Supra, at 621-622.7
A fairly comprehensive list of cloud-based services can be accessed at
http://www.cloudxl.com/.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
3/18
Bert van Uitert
III. A Brief History of Computers and Networking
To understand relevant privacy legislation, court precedent, and their relationship to
cloud computing, one must be briefly informed of the history of computers and networking.
When computers first became available in the 1960s, they were prohibitively expensive for
individuals and could only be purchased by large institutions such as NASA, the IRS, and other
similarly situated government agencies.8
Advances over the next two decades decreased the
overall size of computers (the system originally would fill up a large room) and increased their
individual processing power.9
Computers also saw advances in usability when companies such
as Apple and Microsoft released intuitive personal computers that replaced the technician-
controlled mainframes of the past.10
By the mid 1980s, stand-alone personal computers (PCs)
became prevalent in homes and businesses throughout the United States.11
Soon, floppy disks
and other storage devices became insufficient to handle many businesses need to pass data
quickly between PCs. In response to this need, companies started connecting their computers
with intra-office networks.12
In the 1990s, these networks began connecting with each other to
form the Internet13 and the World Wide Web.14 The rapid expansion of the Internet (and the
speed at which it can be accessed) soon led to the growth of cloud computing during the late
1990s and early 2000s. The first widely used cloud services were web-hosted email systems
(webmail).15
In traditional email systems of the 1980s and early 1990s, emails were sent to a
8See Robinson, Supra, at 1197.
9Id.10Id.11
http://en.wikipedia.org/wiki/History_of_computer_hardware12
See Robinson, Supra, at 1198; This topic alone is quite expansive. For more information, starthere: http://en.wikipedia.org/wiki/Computer_network - Intranets_and_extranets13
Inter-net. Get it?14
See Robinson, Supra, at 1198.15
Id. at 1203.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
4/18
Bert van Uitert
target computer and then stored on the local hard drive.16
In contrast, webmail systems store
emails remotely on the providers servers, allowing users to access emails from any Internet-
enabled computer on the planetnot just from home or the workplace.17
The webmail model
has been replicated in many other services over the years. Starting around 2004, streaming
music services became an alternative to local MP3 storage.18
Online video streaming and
storage exploded in 2006 when YouTube became a household name. Netflix furthered this trend
by replacing physical DVD rentals with streaming TV and movie downloads.19 Recently, the
cloud data storage/backup market has erupted with dozens of companies creating services to
backup personal files to the cloud, synchronize files across multiple computers, and allow mobile
access to important documents.20
Presently, almost any program or service available on
traditional computer systems is now available in the cloud.21
IV. Constitutional Protections
a. The Fourth Amendment and The Katz Test
The Fourth Amendment of the Constitution provides the basic framework for nearly all
privacy protection in the United States. The amendment says, in relevant part, that the right of
the people to be secure in their persons, houses, papers, and effects, against unreasonable
16http://en.wikipedia.org/wiki/Webmail
17Id.18 Some of the most popular services are Pandora Radio, Spotify, and Google Music.19
Similar services are provided by Netflixs competitors Amazon Prime Instant Video, iTunes
TV and Movie Rental, and Hulu Plus.20
For a comprehensive list of cloud storage services, as well as their advantages and
disadvantages, visit http://www.zdnet.com/the-top-10-personal-cloud-storage-services-7000011729/21
See Robinson, Supra, at 1204.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
5/18
Bert van Uitert
searches and seizures, shall not be violated[.]22
It also states that searches may only be
conducted with a warrant supported by probable cause.23
To determine what constitutes a search under the 4th
amendment, the Supreme Court
formulated a reasonable-expectation-of-privacy test. This test, first articulated inKatz v. United
States, has two requirements: (1) that the person demonstrated a subjective expectation of
privacy over the object and (2) that the expectation was reasonable according to societal
expectations.24Katzis notable to cloud computing because it extends privacy protection to
intangible communications. The Court inKatzruled, specifically, that the defendant retained
privacy rights in the content of his telephone conversation.
25
Katz entered a telephone booth,
closed the door, and made a telephone call which the police recorded.26
This evidence was later
used in court to convict him of his crime.27
Justice Harlan noted that (1) by closing the door
behind him, Katz demonstrated a subjective expectation that his call would not be intercepted
and (2) that his temporary expectation of privacy is reasonable under societal standards.28
Applying this test, Courts have also found a reasonable expectation of privacy in many other
containers such as luggage, backpacks, purses, and lockers.29
As well, there have been several cases where courts have applied 4th Amendment
principles and the reasonable-expectation-of-privacy to traditional (i.e. non-cloud-based) pieces
22United States Const. amend IV
23Richard M. Thompson II, Cloud Computing: Constitutional and Statutory Privacy Protections.
Congressional Research Service. Accessed at http://www.fas.org/sgp/crs/misc/R43015.pdf. Note
also that there are numerous instances where searches are conducted without a warrant throughan exception or the police conduct is not considered a search. Seehttp://www.nolo.com/legal-
encyclopedia/search-seizure-criminal-law-30183.html for more information.24
389 U.S. 347, 361 (1967) (Harlan, J., Concurring).25
SeeKatz, 389 U.S. at 352.26
Id. at 361.27
Id.28
Id.29
See Coulliard, Supra, at 2208-09.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
6/18
Bert van Uitert
of information technology. In one such case, a Pennsylvania district court held that removing
and copying a hard drive from a computer and creating a duplicate image of the stored data
constituted a search under the Fourth Amendment, despite the fact that the original hard drive
was never accessed or compromised.30 The Court held that by saving the data on his personal
computer in his home, the defendant demonstrated that he expected the data to remain private
an expectation shared by society at large.31
This made the copying of his hard drive an
unreasonable search.32 Along these lines, Courts have generally held that people have legitimate
expectation of privacy in their home computers.33
However, these rulings focused on searches of
locally stored information and not to any remotely stored content as would be seen in cloud
computing.
The Katz test has some notable limits and exceptions. Most relevant to cloud computing
is the third party doctrine exception. InKatzconcurrence, Justice White said that [w]hen one
man speaks to another, he takes all the risks ordinarily inherent in so doing, including the risk
that the man to whom he speaks will make public what he has heard. The Fourth Amendment
does not protect against unreliable (or law-abiding) associates.34 This associate is considered a
party to the communication and police may use this third party to obtain the information without
a warrant. Courts have held that a person doesnt have legitimate expectations of privacy in
what he or she voluntarily turns over to third parties.35
Some have characterized this doctrine as
either the waiver of a reasonable expectation of privacy or an implied consent to be searched.36
30United States v. Crist, No. 1:07-cr-211, 2008 WL 4682806, at 9 (M.D. Pa. Oct. 22, 2008).31Id.32
Id.33
SeeUnited States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004); Guest v. Leis, 355 F.3d 325,333 (6
thCir. 2001).
34Katz, 389 U.S. at 363 (White, J. concurring).
35United States v. Miller, 425 U.S. 435, 442-44 (1976).
36See Coulliard, Supra, at 2215.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
7/18
Bert van Uitert
b. Limited Interpretations of Katz in the Cloud Context
As discussed above, Applying Katz to the cloud context requires an individual analysis of
the defendants subjective and objective expectation of privacy. In other words, the defendant
must have taken some action to demonstrate that he intended his information to be private and
society at large must acknowledge the defendants privacy right.37
Few courts have applied the
reasonable expectation of privacy test to cloud computing, but these sparse rulings have
established themes that can be applied across the entire cloud context.
InForrester v. United States, the Ninth Circuit Court of Appeals held that the
government did not perform an unreasonable search by obtaining non-content information
from the defendants Internet service provider.38
That is, the police installed a device to learn the
to/from addresses of his emails, the IP addresses of the websites he visited, and the total amount
of data sent to or from his computerwithoutthe ability to see what was written in the emails or
contained on the websites he visited.39
The Court analogized this non-content information to
the transactional information needed to make a phone call or send a letter in the postal service.
For example, while a defendant would have a reasonable expectation of privacy in the contents
of a physical, sealed envelope, it is not reasonable to expect that the address and return
information on the outside of the envelope are equally private.40 By sharing this routing
information with the postal service, the sender loses his reasonable expectation of privacy under
the third party doctrine.41
Using similar logic, the Third Circuit held that no reasonable
expectation of privacy exists in an IP address, because that information is also conveyed to and,
indeed, from third parties, including [Internet service providers]. IP addresses are not merely
37Katz, 389 U.S. at 361.
38United States v. Forrester, 512 F.3d 500, 509 (9th Cir. 2007).
39See Thompson, Supra, at 8.
40See Ex Parte Jackson, 96 U.S. 727, 732 (1878); Smith v. Maryland, 442 U.S. 735 (1979).
41Id.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
8/18
Bert van Uitert
passively conveyed through third party equipment, but rather are voluntarily turned over in order
to direct the third partys servers.42
In other words, an IP address in an Internet page request is
analogous to a street address on a physical letter: you must volunteer the information to a third
party before it can be delivered and thereby waive any expectation of privacy to it.
The Sixth Circuit further reinforced this content vs. non-content framework in United
States v. Warshak.43
In this case, the government compelled the defendants Internet service
provider to make copies of all of his emails so the government could look at them later without
providing a search warrant.44
The government was given access to over 27,000 total emails,
which the defendant later moved to suppress.
45
Comparing email to physical mail, and relying on
the content/non-content distinction seen above, the Court said that because of the similarities
between e-mail and traditional forms of communication, it would defy common sense to afford
emails lesser Fourth Amendment protections. Email is the technological scion of tangible mail,
and it plays an indispensible part in the Information Age. As some forms of communication
begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise.46
Further, the Sixth Circuit expressly rejected the idea that the third party doctrine applied to the
content of emails shared with Internet service providers.47
Thus, there are three principles that can be gleaned from these cases. First, the
government may obtain non-content information (such as IP addresses, to/from addresses from
email communications, subscriber information, etc.) from Internet service Providers without
42 See Thompson, Supra, at 8 (quoting United States v. Christie, 624 F.3d 558, 674 (3d Cir.
2010).43
United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).44
Id.45
Id.46
Id. at 286.47
Note, however, that the Sixth Circuits holding is not accepted in all jurisdictions and has been
expressly rejected by certain arms of the government.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
9/18
Bert van Uitert
violating the Fourth Amendment. Second, courts put substantial weight behind non-digital
analogues to cloud services. Third, at least in relation to email, the actual content of the data can
be protected from government intrusion in some jurisdictions unless it first obtains a warrant.
These limited cases form a framework for future cloud computing cases and should form at least
a minimum standard for Fourth Amendment cloud computing analysis.
c. How Courts Should Apply Fourth Amendment Principles to the Cloud.
In 1985, the Supreme Court said that calendars, photographs, address books,
correspondence, and diaries are highly personal items that warrant privacy protection.48
There
is little doubt that society at large recognizes the need to protect the privacy of these items in
their physical form. Why then, should their digital forms not warrant the same protection?
The largest hurdle to ensuring that cloud computing is protected by the Fourth
Amendment is the uncertainty surrounding how the judiciary will apply the third party doctrine
to data stored in the cloud.49
A pair of analogies illustrate the competing paradigms for and
against application of the third party rule in cloud computing. First, imagine the cloud as a
safety deposit box in a bank. Any time a client chooses, he may come into the bank and gain
access to his personal belongings, as long as the bank teller opens the box and displays the
content for him. By so doing, the teller will see the contents of the box, and the clients
expectation of privacy will have vanished because a third party is now privy to the same
information. This analogy relates because when a user uploads data into the cloud, they can only
48Doe ex rel Doe v. Little Rock Sch. Dist., 380 F.3d 349, 353 (8th Cir. 2004) (citingNew Jerseyv. T.L.O., 469 U.S. 325, 339 (1985)).49
http://news.cnet.com/8301-13578_3-57368025-38/supremes-to-congress-bring-privacy-law-into-21st-century/ (The Court has in the past held that, as soon as you share information with
any third party, youve given up any expectation of privacy. Thus, while the FourthAmendment applies to digital files on your computer, it may not protect the same file stored on
Dropbox or in your Gmail.)
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
10/18
Bert van Uitert
re-access the data when the third party presents it to him through a web browser or other
application.
A competing analogy would be to compare cloud computing to renting a self-service
storage space. The manager need only register the client and open the gate during the initial
visit. After that, the client does the rest. The manager, who would only enter a storage space
under the direst of circumstances, would likely never see the contents of the storage unit. The
client comes and goes as he pleases and can store whatever he wants in his allotted space and
would only talk to the manager if he sought more space or to close his account. The manager
never sees what is inside the storage shed; hence the client maintains a reasonable expectation of
privacy because the information hasnt been shared with a third party. This analogy highlights
the fact that data uploaded into the cloud rarely, if ever, are accessed by a human on the other
end. In cloud computing, the third party with which information is shared is generally a server
and nothing more. Users may expect to have a high level of privacy protection with information
that it shares with an inanimate object, like a storage unit or a server, far more than if they share
the information directly with another person.
As well, the evolving nature of the web has created a societal expectation that there can
be private spheres inside of the Internet. Just ten years ago, it would have been unfathomable to
think about posting something online and expecting it to remain private. However, the amounts
and kinds of data that society uploads everyday indicate that the publics perception of the
Internet has evolved tremendously over time.50
Just as public perception has evolved on its expectations of Internet privacy, the courts
should update the reasonable expectation of privacy test to accommodate our changing digital
age. The test should still require defendants to demonstrate the subjective expectation of
50See Coulliard, Supra, at 2232-33.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
11/18
Bert van Uitert
privacy, but change how third party interactions are construed. For example, a blogger clearly
couldnt have a reasonable expectation of privacy in a public post. But if a userencrypts their
uploaded data, password protects an account, turns a YouTube videos settings to private, or
other similar technique, the subjective element of the Katz test should be met.51 If courts will
then update the objective element to incorporate modern views on digital content and privacy,
users will be able to compute in the cloud without fear for their personal privacy.
These privacy standards should also be changed for policy reasons. If Fourth
Amendment protections are not provided to cloud computing with broad latitude, there could be
serious negative ramifications for the international economy. Cloud computing is no passing
fad.52
Some analyst predict that the personal cloud will replace the personal computer and the
mobile device as the center of consumers digital lives by the year 2014.53
A recent forecast
from the International Data Corporation predicts that in the year 2016 worldwide spending on
cloud computing will be roughly twenty-four billion dollars.54
While some individual consumers
will continue to use cloud services regardless of the privacy implications, businesses would not
follow suit if putting an email or other document in the cloud means that it loses its Fourth
Amendment protection. One-third of all spending in Information Technology is going towards
cloud computing.55 Directing this money someplace else will stifle innovation and stunt the
United States dominance in this market. If companies in other countries with more
comprehensive privacy laws are given an advantage, it could have serious long-term effects on
the United States economy.
51Id. at 2233-2236.52
http://www.storagecraft.com/blog/cloud-computing-forecast-a-chance-of-reign/53
http://www.gartner.com/newsroom/id/194731554
http://www.businesswire.com/news/home/20130228005032/en/IDC-Forecasts-Worldwide-
Spending-Hosted-Private-Cloud55
http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-
now-spent-on-cloud-survey/
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
12/18
Bert van Uitert
Fortunately, at least one Justice of the Supreme Court is skeptical of the applicability of
the third party doctrine in the modern information age. In her concurrence to the recent Fourth
Amendment case United States v. Jones, Justice Sotomayor called into question the premise that
an individual has no reasonable expectation of privacy in information that he chooses to give to
third parties.56
Justice Sotomayor asserted:
[the third party doctrine] is ill suited to the digital age, in which people reveal a great
deal of information about themselves to third parties in the course of carrying out
mundane tasks. People disclose the phone numbers that they dial or text to their cellular
providers; the [websites] that they visit and the e-mail addresses with which they
correspond to their internet service providers; and the books, groceries, and medications
they purchase to online retailers. I for one doubt that people would accept without
complaint the warrantless disclosure to the Government of a list of every Web site they
had visited in the last week, or month, or year. I would not assume that all information
voluntarily disclosed to some member of the public for a limited purpose is, for that
reason alone, disentitled to Fourth Amendment Protection.57
Justice Sotomayors dicta gives hope to businesses, tech enthusiasts, and average users
everywhere that the reasonable expectation of privacy test will be upgraded to meet the demands
of cloud computing.
V. Statutory Protections
a. The Stored Communications Act
In the1980s, Congress was concerned that privacy protections under the Fourth
Amendment andKatzwould not provide sufficient protection to users of the newfangled Internet
56United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayor, J. Concurring).
57Id.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
13/18
Bert van Uitert
that was growing in popularity.58
To address these and other problems, Congress overhauled
federal communication laws in the Electronic Communications Privacy Act of 1986 (ECPA).59
Title II of the act, dubbed the Store Communication Act (SCA), was crafted specifically to
address privacy concerns with the access and dissemination of electronic information stored on
computers.60
The SCA defined and protected the two primary uses of computer networks that
existed at that time: (1) the electronic communication service (ECS) and (2) the remote
computing service (RCS).61
Under the SCA, Electronic communication systems are systems that receive data
transmissions and electronic mail,
62
and in order to be classified as an ECS, the system must
meet two requirements. First, the service must offer the ability to send or receive electronic
communications.63
Second, service provider must keep the communication in electronic
storage, which is defined as either temporary, intermediate storageof an electronic
communication incidental to the electronic transmission or as a backup of the original copy.64
This confusing statute was crafted to protect email systems based on the technological standards
that were in place at the time.65 When stored in an ECS, the government needs a warrant in
order to obtain information that is in temporary electronic storage and has been there for less
than 180 days.66 After 180 days, the government can access communications with a subpoena or
58See Thompson, Supra, at 6.
59 Electronic Communications Privacy Act of 1986, P.L. 99-508, 100 Stat. 1848.60 18 U.S.C. 2701 2712.61
See Robinson, Supra, at 1205.62
Id.63
18 U.S.C. 2510(15).64
18 U.S.C. 2510(17).65
See Robinson, Supra, at 1205.66
18 U.S.C. 2703(a).
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
14/18
Bert van Uitert
court order if the government has shown reasonable grounds to believe that the contents . . . .are
relevant and material to an ongoing criminal investigation.67
Remote computing systems are systems that provide computing services to users from
remote facilities. There are four requirements that a service must meet before it can be classified
as an RCS. First, the provider must offer computer storage or processing services.68
Second, the
user has to give the data to the RCS electronically.69
Third, the electronic data must be
maintained solely for the purpose of providing storage or computer processing services to
users.70
Lastly, the provider cant be allowed to access the data to provide any services other
than storage or computer processing.
71
RCSs were included to ensure the privacy of outsourced
data from third-party service providers. All data contained in an RCS is subject to the same
lower standard as an email stored for over 180 days: the government must only show that it has
reasonable grounds to believe that the contents are relevant to an ongoing investigation.72
2. The Stored Communications Act and the Cloud
The SCA does not provide sufficient privacy protection for the new digital age in the
cloud because it rarely provides protection to email users and few if any systems can qualify for
the weak protections of the RCS. The statutory language provides no protection to the vast
majority of email users in this day and age. In one recent ruling, the Court found that once an
email had been opened it was not necessary to obtain a warrant before compelling the service
provider to turn over the information.73
Another court determined that if the only copy of an
email is in the cloud, then it didnt constitute a backup of an original and therefore was not in
67 18 U.S.C. 2703(d)68
18 U.S.C. 2510(10).69
18 U.S.C. 2702(a)(2)(A).70
18 U.S.C. 2702(a)(2)(B).71
Id.72
18 U.S.C. 2703(d)73
United State v. Weaver, 636 F. Supp 2d 769 (C.D. Ill. 2009).
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
15/18
Bert van Uitert
the statutory definition of a ECS.74
One of the great advantages of webmail is that it provides
increasingly large storage quotas that eliminate the need to individually download and store
email content on local hard drives. Consequently, few users ever download emails onto their
computers, a seemingly necessary element for SCA protection to apply. As well, with the ability
to check email on mobile devices, few people leave emails in their system unopened for very
long, meaning that emails lose the other mechanism for ensuring heightened protection. These
outdated requirements essentially preclude any regular email user from having the increased
statutory protections of the SCA.
The outlook for cloud computing to be considered an RCS is even more foreboding.
First, the belief of relevance standard do little to prevent the government from being able to
access any information it wants inside of an RCS . In fact, the police would never need a
warrant to obtain information from any system deemed an RCS. Second, the requirements to
designate a system as an RCS are so restrictive that almost no cloud computing system could
qualify for its increased protections. Because the statute demands that the information be
accessed solely for the purposes of storage and processing, few systems could meet this
qualification. The vast majority of cloud services are offered for free to consumers in
exchange for being able to access their content to provide targeted ads to customers.75 Other
services need to access the content in order to perform their services and provide value.76
Thus, while the SCA adequately protecedt the electronic communications of the 80s,
Congress couldnt foresee where technological advances would end up and crafted a bill that is
poorly suited for the evolving nature of the Internet.
74Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003).
75See Robinson, Supra, at 1213-14.
76Id.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
16/18
Bert van Uitert
3. Proposed Statutory Amendments to the Stored Communications Act
In the most recent Congresses, numerous proposals have been offered to clarify and
strengthen the protections preventing the government from performing searches under the loose
rules of the SCA. Thesebills hope to, inter alia, (1) bring the standard required for a
government entity to obtain a warrant in an RCS equal to the higher standard needed for an ECS,
(2) completely eliminate the 180-day abandonment rule to better align with current thinking on
electronic storage, (3) amend the statute to cover electronic storage (presumably emails) that are
being held or maintained by the service even after they have been read, (4) require the
government to notify users within three days if a warrant has been executed and user content has
been searched, and (5) prevent service providers from being able to voluntarily share user
information with the government without a warrant.77
Some proposals also ask for increased
reporting to Congress on how often and under what circumstances warrants are sought and
issued so that Congress can update laws accordingly.78
Theseproposals would better align the SCA with its original intended purpose of the
statute back in 1986. As discussed above, so little of the information transfer that takes place on
the Internet is actually covered by the SCA that the statute has not been able to provide the
protection Congress intended. While these proposals are an excellent first step towards bringing
statutory privacy into the age of the cloud, Congress should also put a plan in place to frequently
audit and update privacy laws related to the use of Internet. As the SCA aptly demonstrates,
laws that are structured around current technological standards dont stay up-to-date for very
long. The updated proposal will work towards helping the currentprivacy issues in the cloud,
but they will surely be outdated within a few years, potentially stifling innovation and economic
77See Thompson, Supra, at 17.
78Id. at 17-18; See also:
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
17/18
Bert van Uitert
output. If a framework is put in place to mandate frequent tweaks to policyperhaps by a non-
partisan group composed of legislators, business representative, privacy advocates, etc.it will
increase the likelihood that Congress doesnt wait another 27 years before updating laws to
conform to technological advances.
VI. Implications for Businesses and Professionals
As should be clear, everyone has a personal interest in understanding how his or her
personal privacy is affected by using the cloud. However, these laws and principles are of
particular importance to several professional industries. Generally, any profession that has a
general or ethical responsibility to keep information confidential should be particularly wary of
using cloud computing in their business practices. Specifically, medical doctors and
psychologists have an ethical duty to keep medical information private (including mental health)
as well as a legal duty under the Health Insurance Portability and Accountability Act. As well,
lawyers and accountants have ethical responsibilities to maintain the confidentiality of legal and
financial information respectively.
Consequently, local and national ethics committees from each of these fields have issued
guidelines to practitioners who seek to use the cloud in their businesses. Although each varies in
its specificity, they consistently recommend a few general principles.79 First, the professional
must ensure that the cloud provider has an enforceable obligation to preserve confidentiality and
security and that the professional will be notified if the provider is served with process regarding
the production of client information.80
Second, the professional must investigate the online data
storage providers security measures, policies, backup methodologies, and other procedures
79http://www.mondaq.com/x/170266/Privacy/Lawyers+And+Technology+New+Threats+To+Ke
eping+Client+Information+Confidential80
For example, many sites have certificates proving that they are HIPAA complaint.http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-hipaa-
compliance.
7/30/2019 The Nebulous Privacy Rights of Cloud Computing
18/18
Bert van Uitert
determine if they are adequate. Finally, the professional must employ available technology to
guard against reasonably foreseeable attempts to infiltrate stored data. These guidelines will be
frequently updated to ensure that ethical standards keep up with the rapid pace of technology.
VII. Conclusion
As more and more of the world becomes digitized, it is increasingly important for
individuals to understand the privacy implications of cloud computing. The Fourth Amendment
and theKatztest generally protect information in the cloud. However, because the nature of
cloud computing involves sharing information with a service provider, the third party doctrine
limits the protections afforded by those safeguards. Many, including Supreme Court Justice
Sonia Sotomayor, believe that the third party doctrine should be reevaluated because of our ever-
changing digital society. In addition to the Constitutional safeguards, Congress has passed
statutory privacy protections for digital information with the Stored Communication Act.
Unfortunately, the act was narrowly tailored to the technology standards of the mid-1980s and
provides little protection in modern day scenarios. To address the outdated law, numerous
legislators have proposed amendments to update the language to cover cloud technologies. As
judges and legislators approach solutions to cloud privacy problems, they should be careful to
craft rulings and statutes that address current issues without limiting future innovation and
technological advances. In sum, because privacy rights in the cloud remain nebulous, users must
tread with caution.