The Nebulous Privacy Rights of Cloud Computing

7/30/2019 The Nebulous Privacy Rights of Cloud Computing

1/18

Bert van Uitert

The Nebulous Privacy Rights of Cloud Computing

I. Introduction

It is widely acknowledged that the cloud is among the most significant innovations to

ever hit the technology industry.1 Some have even gone so far as to label cloud computing the

next evolution of the Internet.2

In fact, cloud computing is becoming an important part of how

we interact with each other, conduct our business, spend our money, and many other daily

activities. As cloud computing becomes more and more ubiquitous, it becomes ever more

important to understand what rights are associated with content in the cloud. The Internet has

been and always will be an indisputably public medium

3

and cloud computing is still in its

technological infancy. This paper will define cloud computing and give a brief history of

computers through the recent rise of the cloud. The discussion will then cover the clouds

constitutional and statutory frameworks for privacy protection and give suggestions for future

judicial and legislative decisions.

II. What is Cloud Computing?

The definition of cloud computing is a matter of considerable debate.4

While many

definitions exist, simply put, cloud computing is the ability to run applications and store data on

1Nicole D. Galli & Edward Gevovich. Cloud Computing and the Doctrine of Joint

Infringement: Current Impact and Future Possibilities. 11 J. Marshall Rev. Intell Prop. L

673, 674. (2012).2 Barry Reingold & Ryan Mrazik. Cloud Computing: The Interesction of Massive Scalability,

Data Security, and Privacy (Part 1), 14 No 5 Cyberspace Law 1 (2009).3

David A. Coulliard,Defogging the Cloud: Applying Fourth Amendment Principles to Evolving

Privacy Expectations in Cloud Computing. 93 Minn. L. Rev 2205, 2231. (2009). (quoting U.S. v.Gines-Perez, 214 F. Supp. 2d 205, 225 (D.P.R. 2002)).4

Ilana R. Kattan. Cloudy Privacy Protections: Why The Stored Communications Act Fails toProtect the Privacy of Communications Stored in the Cloud, 13 Vand J. Ent. & Tech. L. 617, 620

(2011).


2/18

Bert van Uitert

a service providers computer over the Internet, rather than on ones personal computer.5

This

takes the processing, storage, and other computational activities out of the confines of the home

or business and into the nebulous backbone of the worlds servers and datacenters.

Many people use cloud technology every day without realizing or understanding the

technology behind the scenes. A concrete example helps to illustrate the difference between

traditional and cloud computing. In a traditional word processing program (such as Microsoft

Word), a user must purchase, install, and run a program locally on their computer. When the

document is saved, it is to the local hard drive. Unless the computer is attached to a network,

this saved document can only be accessed when someone is physically at the computer.

Conversely, when word processing is done in the cloud (with services such as Microsoft Office

365 orGoogle Docs) usually no software is ever installed and the software is accessed through a

web browser. All of the information processing and other services are performed on a server (a

powerful computer at a remote location) in a datacenter (a facility filled with thousands of

servers) and are then transmitted over the Internet to the users computer. These data and

programs can be accessed from any internet-enabled computer, phone, or tablet. Cloud

computing leverages economies of scale to bring massive computational power to the masses

quickly, cheaply, and efficiently.6 As cloud computing has become a part of daily life, nearly

every piece of traditional software has a cloud-based version, with services such as email, data

storage, photo editing, online video rental, virtual computer systems, and nearly anything else

imaginable.7

5William Jeremy Robinson,Free at What Cost?: Cloud Computing Privacy Under The Store

Communications Act, 98 Geo. L.J. 1195, 1199. (2010).6

See Kattan, Supra, at 621-622.7

A fairly comprehensive list of cloud-based services can be accessed at

http://www.cloudxl.com/.


3/18

Bert van Uitert

III. A Brief History of Computers and Networking

To understand relevant privacy legislation, court precedent, and their relationship to

cloud computing, one must be briefly informed of the history of computers and networking.

When computers first became available in the 1960s, they were prohibitively expensive for

individuals and could only be purchased by large institutions such as NASA, the IRS, and other

similarly situated government agencies.8

Advances over the next two decades decreased the

overall size of computers (the system originally would fill up a large room) and increased their

individual processing power.9

Computers also saw advances in usability when companies such

as Apple and Microsoft released intuitive personal computers that replaced the technician-

controlled mainframes of the past.10

By the mid 1980s, stand-alone personal computers (PCs)

became prevalent in homes and businesses throughout the United States.11

Soon, floppy disks

and other storage devices became insufficient to handle many businesses need to pass data

quickly between PCs. In response to this need, companies started connecting their computers

with intra-office networks.12

In the 1990s, these networks began connecting with each other to

form the Internet13 and the World Wide Web.14 The rapid expansion of the Internet (and the

speed at which it can be accessed) soon led to the growth of cloud computing during the late

1990s and early 2000s. The first widely used cloud services were web-hosted email systems

(webmail).15

In traditional email systems of the 1980s and early 1990s, emails were sent to a

8See Robinson, Supra, at 1197.

9Id.10Id.11

http://en.wikipedia.org/wiki/History_of_computer_hardware12

See Robinson, Supra, at 1198; This topic alone is quite expansive. For more information, starthere: http://en.wikipedia.org/wiki/Computer_network - Intranets_and_extranets13

Inter-net. Get it?14

See Robinson, Supra, at 1198.15

Id. at 1203.


4/18

Bert van Uitert

target computer and then stored on the local hard drive.16

In contrast, webmail systems store

emails remotely on the providers servers, allowing users to access emails from any Internet-

enabled computer on the planetnot just from home or the workplace.17

The webmail model

has been replicated in many other services over the years. Starting around 2004, streaming

music services became an alternative to local MP3 storage.18

Online video streaming and

storage exploded in 2006 when YouTube became a household name. Netflix furthered this trend

by replacing physical DVD rentals with streaming TV and movie downloads.19 Recently, the

cloud data storage/backup market has erupted with dozens of companies creating services to

backup personal files to the cloud, synchronize files across multiple computers, and allow mobile

access to important documents.20

Presently, almost any program or service available on

traditional computer systems is now available in the cloud.21

IV. Constitutional Protections

a. The Fourth Amendment and The Katz Test

The Fourth Amendment of the Constitution provides the basic framework for nearly all

privacy protection in the United States. The amendment says, in relevant part, that the right of

the people to be secure in their persons, houses, papers, and effects, against unreasonable

16http://en.wikipedia.org/wiki/Webmail

17Id.18 Some of the most popular services are Pandora Radio, Spotify, and Google Music.19

Similar services are provided by Netflixs competitors Amazon Prime Instant Video, iTunes

TV and Movie Rental, and Hulu Plus.20

For a comprehensive list of cloud storage services, as well as their advantages and

disadvantages, visit http://www.zdnet.com/the-top-10-personal-cloud-storage-services-7000011729/21

See Robinson, Supra, at 1204.


5/18

Bert van Uitert

searches and seizures, shall not be violated[.]22

It also states that searches may only be

conducted with a warrant supported by probable cause.23

To determine what constitutes a search under the 4th

amendment, the Supreme Court

formulated a reasonable-expectation-of-privacy test. This test, first articulated inKatz v. United

States, has two requirements: (1) that the person demonstrated a subjective expectation of

privacy over the object and (2) that the expectation was reasonable according to societal

expectations.24Katzis notable to cloud computing because it extends privacy protection to

intangible communications. The Court inKatzruled, specifically, that the defendant retained

privacy rights in the content of his telephone conversation.

25

Katz entered a telephone booth,

closed the door, and made a telephone call which the police recorded.26

This evidence was later

used in court to convict him of his crime.27

Justice Harlan noted that (1) by closing the door

behind him, Katz demonstrated a subjective expectation that his call would not be intercepted

and (2) that his temporary expectation of privacy is reasonable under societal standards.28

Applying this test, Courts have also found a reasonable expectation of privacy in many other

containers such as luggage, backpacks, purses, and lockers.29

As well, there have been several cases where courts have applied 4th Amendment

principles and the reasonable-expectation-of-privacy to traditional (i.e. non-cloud-based) pieces

22United States Const. amend IV

23Richard M. Thompson II, Cloud Computing: Constitutional and Statutory Privacy Protections.

Congressional Research Service. Accessed at http://www.fas.org/sgp/crs/misc/R43015.pdf. Note

also that there are numerous instances where searches are conducted without a warrant throughan exception or the police conduct is not considered a search. Seehttp://www.nolo.com/legal-

encyclopedia/search-seizure-criminal-law-30183.html for more information.24

389 U.S. 347, 361 (1967) (Harlan, J., Concurring).25

SeeKatz, 389 U.S. at 352.26

Id. at 361.27

Id.28

Id.29

See Coulliard, Supra, at 2208-09.


6/18

Bert van Uitert

of information technology. In one such case, a Pennsylvania district court held that removing

and copying a hard drive from a computer and creating a duplicate image of the stored data

constituted a search under the Fourth Amendment, despite the fact that the original hard drive

was never accessed or compromised.30 The Court held that by saving the data on his personal

computer in his home, the defendant demonstrated that he expected the data to remain private

an expectation shared by society at large.31

This made the copying of his hard drive an

unreasonable search.32 Along these lines, Courts have generally held that people have legitimate

expectation of privacy in their home computers.33

However, these rulings focused on searches of

locally stored information and not to any remotely stored content as would be seen in cloud

computing.

The Katz test has some notable limits and exceptions. Most relevant to cloud computing

is the third party doctrine exception. InKatzconcurrence, Justice White said that [w]hen one

man speaks to another, he takes all the risks ordinarily inherent in so doing, including the risk

that the man to whom he speaks will make public what he has heard. The Fourth Amendment

does not protect against unreliable (or law-abiding) associates.34 This associate is considered a

party to the communication and police may use this third party to obtain the information without

a warrant. Courts have held that a person doesnt have legitimate expectations of privacy in

what he or she voluntarily turns over to third parties.35

Some have characterized this doctrine as

either the waiver of a reasonable expectation of privacy or an implied consent to be searched.36

30United States v. Crist, No. 1:07-cr-211, 2008 WL 4682806, at 9 (M.D. Pa. Oct. 22, 2008).31Id.32

Id.33

SeeUnited States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004); Guest v. Leis, 355 F.3d 325,333 (6

thCir. 2001).

34Katz, 389 U.S. at 363 (White, J. concurring).

35United States v. Miller, 425 U.S. 435, 442-44 (1976).

36See Coulliard, Supra, at 2215.


7/18

Bert van Uitert

b. Limited Interpretations of Katz in the Cloud Context

As discussed above, Applying Katz to the cloud context requires an individual analysis of

the defendants subjective and objective expectation of privacy. In other words, the defendant

must have taken some action to demonstrate that he intended his information to be private and

society at large must acknowledge the defendants privacy right.37

Few courts have applied the

reasonable expectation of privacy test to cloud computing, but these sparse rulings have

established themes that can be applied across the entire cloud context.

InForrester v. United States, the Ninth Circuit Court of Appeals held that the

government did not perform an unreasonable search by obtaining non-content information

from the defendants Internet service provider.38

That is, the police installed a device to learn the

to/from addresses of his emails, the IP addresses of the websites he visited, and the total amount

of data sent to or from his computerwithoutthe ability to see what was written in the emails or

contained on the websites he visited.39

The Court analogized this non-content information to

the transactional information needed to make a phone call or send a letter in the postal service.

For example, while a defendant would have a reasonable expectation of privacy in the contents

of a physical, sealed envelope, it is not reasonable to expect that the address and return

information on the outside of the envelope are equally private.40 By sharing this routing

information with the postal service, the sender loses his reasonable expectation of privacy under

the third party doctrine.41

Using similar logic, the Third Circuit held that no reasonable

expectation of privacy exists in an IP address, because that information is also conveyed to and,

indeed, from third parties, including [Internet service providers]. IP addresses are not merely

37Katz, 389 U.S. at 361.

38United States v. Forrester, 512 F.3d 500, 509 (9th Cir. 2007).

39See Thompson, Supra, at 8.

40See Ex Parte Jackson, 96 U.S. 727, 732 (1878); Smith v. Maryland, 442 U.S. 735 (1979).

41Id.


8/18

Bert van Uitert

passively conveyed through third party equipment, but rather are voluntarily turned over in order

to direct the third partys servers.42

In other words, an IP address in an Internet page request is

analogous to a street address on a physical letter: you must volunteer the information to a third

party before it can be delivered and thereby waive any expectation of privacy to it.

The Sixth Circuit further reinforced this content vs. non-content framework in United

States v. Warshak.43

In this case, the government compelled the defendants Internet service

provider to make copies of all of his emails so the government could look at them later without

providing a search warrant.44

The government was given access to over 27,000 total emails,

which the defendant later moved to suppress.

45

Comparing email to physical mail, and relying on

the content/non-content distinction seen above, the Court said that because of the similarities

between e-mail and traditional forms of communication, it would defy common sense to afford

emails lesser Fourth Amendment protections. Email is the technological scion of tangible mail,

and it plays an indispensible part in the Information Age. As some forms of communication

begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise.46

Further, the Sixth Circuit expressly rejected the idea that the third party doctrine applied to the

content of emails shared with Internet service providers.47

Thus, there are three principles that can be gleaned from these cases. First, the

government may obtain non-content information (such as IP addresses, to/from addresses from

email communications, subscriber information, etc.) from Internet service Providers without

42 See Thompson, Supra, at 8 (quoting United States v. Christie, 624 F.3d 558, 674 (3d Cir.

2010).43

United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).44

Id.45

Id.46

Id. at 286.47

Note, however, that the Sixth Circuits holding is not accepted in all jurisdictions and has been

expressly rejected by certain arms of the government.


9/18

Bert van Uitert

violating the Fourth Amendment. Second, courts put substantial weight behind non-digital

analogues to cloud services. Third, at least in relation to email, the actual content of the data can

be protected from government intrusion in some jurisdictions unless it first obtains a warrant.

These limited cases form a framework for future cloud computing cases and should form at least

a minimum standard for Fourth Amendment cloud computing analysis.

c. How Courts Should Apply Fourth Amendment Principles to the Cloud.

In 1985, the Supreme Court said that calendars, photographs, address books,

correspondence, and diaries are highly personal items that warrant privacy protection.48

There

is little doubt that society at large recognizes the need to protect the privacy of these items in

their physical form. Why then, should their digital forms not warrant the same protection?

The largest hurdle to ensuring that cloud computing is protected by the Fourth

Amendment is the uncertainty surrounding how the judiciary will apply the third party doctrine

to data stored in the cloud.49

A pair of analogies illustrate the competing paradigms for and

against application of the third party rule in cloud computing. First, imagine the cloud as a

safety deposit box in a bank. Any time a client chooses, he may come into the bank and gain

access to his personal belongings, as long as the bank teller opens the box and displays the

content for him. By so doing, the teller will see the contents of the box, and the clients

expectation of privacy will have vanished because a third party is now privy to the same

information. This analogy relates because when a user uploads data into the cloud, they can only

48Doe ex rel Doe v. Little Rock Sch. Dist., 380 F.3d 349, 353 (8th Cir. 2004) (citingNew Jerseyv. T.L.O., 469 U.S. 325, 339 (1985)).49

http://news.cnet.com/8301-13578_3-57368025-38/supremes-to-congress-bring-privacy-law-into-21st-century/ (The Court has in the past held that, as soon as you share information with

any third party, youve given up any expectation of privacy. Thus, while the FourthAmendment applies to digital files on your computer, it may not protect the same file stored on

Dropbox or in your Gmail.)


10/18

Bert van Uitert

re-access the data when the third party presents it to him through a web browser or other

application.

A competing analogy would be to compare cloud computing to renting a self-service

storage space. The manager need only register the client and open the gate during the initial

visit. After that, the client does the rest. The manager, who would only enter a storage space

under the direst of circumstances, would likely never see the contents of the storage unit. The

client comes and goes as he pleases and can store whatever he wants in his allotted space and

would only talk to the manager if he sought more space or to close his account. The manager

never sees what is inside the storage shed; hence the client maintains a reasonable expectation of

privacy because the information hasnt been shared with a third party. This analogy highlights

the fact that data uploaded into the cloud rarely, if ever, are accessed by a human on the other

end. In cloud computing, the third party with which information is shared is generally a server

and nothing more. Users may expect to have a high level of privacy protection with information

that it shares with an inanimate object, like a storage unit or a server, far more than if they share

the information directly with another person.

As well, the evolving nature of the web has created a societal expectation that there can

be private spheres inside of the Internet. Just ten years ago, it would have been unfathomable to

think about posting something online and expecting it to remain private. However, the amounts

and kinds of data that society uploads everyday indicate that the publics perception of the

Internet has evolved tremendously over time.50

Just as public perception has evolved on its expectations of Internet privacy, the courts

should update the reasonable expectation of privacy test to accommodate our changing digital

age. The test should still require defendants to demonstrate the subjective expectation of

50See Coulliard, Supra, at 2232-33.


11/18

Bert van Uitert

privacy, but change how third party interactions are construed. For example, a blogger clearly

couldnt have a reasonable expectation of privacy in a public post. But if a userencrypts their

uploaded data, password protects an account, turns a YouTube videos settings to private, or

other similar technique, the subjective element of the Katz test should be met.51 If courts will

then update the objective element to incorporate modern views on digital content and privacy,

users will be able to compute in the cloud without fear for their personal privacy.

These privacy standards should also be changed for policy reasons. If Fourth

Amendment protections are not provided to cloud computing with broad latitude, there could be

serious negative ramifications for the international economy. Cloud computing is no passing

fad.52

Some analyst predict that the personal cloud will replace the personal computer and the

mobile device as the center of consumers digital lives by the year 2014.53

A recent forecast

from the International Data Corporation predicts that in the year 2016 worldwide spending on

cloud computing will be roughly twenty-four billion dollars.54

While some individual consumers

will continue to use cloud services regardless of the privacy implications, businesses would not

follow suit if putting an email or other document in the cloud means that it loses its Fourth

Amendment protection. One-third of all spending in Information Technology is going towards

cloud computing.55 Directing this money someplace else will stifle innovation and stunt the

United States dominance in this market. If companies in other countries with more

comprehensive privacy laws are given an advantage, it could have serious long-term effects on

the United States economy.

51Id. at 2233-2236.52

http://www.storagecraft.com/blog/cloud-computing-forecast-a-chance-of-reign/53

http://www.gartner.com/newsroom/id/194731554

http://www.businesswire.com/news/home/20130228005032/en/IDC-Forecasts-Worldwide-

Spending-Hosted-Private-Cloud55

http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-

now-spent-on-cloud-survey/


12/18

Bert van Uitert

Fortunately, at least one Justice of the Supreme Court is skeptical of the applicability of

the third party doctrine in the modern information age. In her concurrence to the recent Fourth

Amendment case United States v. Jones, Justice Sotomayor called into question the premise that

an individual has no reasonable expectation of privacy in information that he chooses to give to

third parties.56

Justice Sotomayor asserted:

[the third party doctrine] is ill suited to the digital age, in which people reveal a great

deal of information about themselves to third parties in the course of carrying out

mundane tasks. People disclose the phone numbers that they dial or text to their cellular

providers; the [websites] that they visit and the e-mail addresses with which they

correspond to their internet service providers; and the books, groceries, and medications

they purchase to online retailers. I for one doubt that people would accept without

complaint the warrantless disclosure to the Government of a list of every Web site they

had visited in the last week, or month, or year. I would not assume that all information

voluntarily disclosed to some member of the public for a limited purpose is, for that

reason alone, disentitled to Fourth Amendment Protection.57

Justice Sotomayors dicta gives hope to businesses, tech enthusiasts, and average users

everywhere that the reasonable expectation of privacy test will be upgraded to meet the demands

of cloud computing.

V. Statutory Protections

a. The Stored Communications Act

In the1980s, Congress was concerned that privacy protections under the Fourth

Amendment andKatzwould not provide sufficient protection to users of the newfangled Internet

56United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayor, J. Concurring).

57Id.


13/18

Bert van Uitert

that was growing in popularity.58

To address these and other problems, Congress overhauled

federal communication laws in the Electronic Communications Privacy Act of 1986 (ECPA).59

Title II of the act, dubbed the Store Communication Act (SCA), was crafted specifically to

address privacy concerns with the access and dissemination of electronic information stored on

computers.60

The SCA defined and protected the two primary uses of computer networks that

existed at that time: (1) the electronic communication service (ECS) and (2) the remote

computing service (RCS).61

Under the SCA, Electronic communication systems are systems that receive data

transmissions and electronic mail,

62

and in order to be classified as an ECS, the system must

meet two requirements. First, the service must offer the ability to send or receive electronic

communications.63

Second, service provider must keep the communication in electronic

storage, which is defined as either temporary, intermediate storageof an electronic

communication incidental to the electronic transmission or as a backup of the original copy.64

This confusing statute was crafted to protect email systems based on the technological standards

that were in place at the time.65 When stored in an ECS, the government needs a warrant in

order to obtain information that is in temporary electronic storage and has been there for less

than 180 days.66 After 180 days, the government can access communications with a subpoena or


59 Electronic Communications Privacy Act of 1986, P.L. 99-508, 100 Stat. 1848.60 18 U.S.C. 2701 2712.61


Id.63

18 U.S.C. 2510(15).64

18 U.S.C. 2510(17).65


18 U.S.C. 2703(a).


14/18

Bert van Uitert

court order if the government has shown reasonable grounds to believe that the contents . . . .are

relevant and material to an ongoing criminal investigation.67

Remote computing systems are systems that provide computing services to users from

remote facilities. There are four requirements that a service must meet before it can be classified

as an RCS. First, the provider must offer computer storage or processing services.68

Second, the

user has to give the data to the RCS electronically.69

Third, the electronic data must be

maintained solely for the purpose of providing storage or computer processing services to

users.70

Lastly, the provider cant be allowed to access the data to provide any services other

than storage or computer processing.

71

RCSs were included to ensure the privacy of outsourced

data from third-party service providers. All data contained in an RCS is subject to the same

lower standard as an email stored for over 180 days: the government must only show that it has

reasonable grounds to believe that the contents are relevant to an ongoing investigation.72

2. The Stored Communications Act and the Cloud

The SCA does not provide sufficient privacy protection for the new digital age in the

cloud because it rarely provides protection to email users and few if any systems can qualify for

the weak protections of the RCS. The statutory language provides no protection to the vast

majority of email users in this day and age. In one recent ruling, the Court found that once an

email had been opened it was not necessary to obtain a warrant before compelling the service

provider to turn over the information.73

Another court determined that if the only copy of an

email is in the cloud, then it didnt constitute a backup of an original and therefore was not in

67 18 U.S.C. 2703(d)68

18 U.S.C. 2510(10).69

18 U.S.C. 2702(a)(2)(A).70

18 U.S.C. 2702(a)(2)(B).71

Id.72

18 U.S.C. 2703(d)73

United State v. Weaver, 636 F. Supp 2d 769 (C.D. Ill. 2009).


15/18

Bert van Uitert

the statutory definition of a ECS.74

One of the great advantages of webmail is that it provides

increasingly large storage quotas that eliminate the need to individually download and store

email content on local hard drives. Consequently, few users ever download emails onto their

computers, a seemingly necessary element for SCA protection to apply. As well, with the ability

to check email on mobile devices, few people leave emails in their system unopened for very

long, meaning that emails lose the other mechanism for ensuring heightened protection. These

outdated requirements essentially preclude any regular email user from having the increased

statutory protections of the SCA.

The outlook for cloud computing to be considered an RCS is even more foreboding.

First, the belief of relevance standard do little to prevent the government from being able to

access any information it wants inside of an RCS . In fact, the police would never need a

warrant to obtain information from any system deemed an RCS. Second, the requirements to

designate a system as an RCS are so restrictive that almost no cloud computing system could

qualify for its increased protections. Because the statute demands that the information be

accessed solely for the purposes of storage and processing, few systems could meet this

qualification. The vast majority of cloud services are offered for free to consumers in

exchange for being able to access their content to provide targeted ads to customers.75 Other

services need to access the content in order to perform their services and provide value.76

Thus, while the SCA adequately protecedt the electronic communications of the 80s,

Congress couldnt foresee where technological advances would end up and crafted a bill that is

poorly suited for the evolving nature of the Internet.

74Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003).

75See Robinson, Supra, at 1213-14.

76Id.


16/18

Bert van Uitert

3. Proposed Statutory Amendments to the Stored Communications Act

In the most recent Congresses, numerous proposals have been offered to clarify and

strengthen the protections preventing the government from performing searches under the loose

rules of the SCA. Thesebills hope to, inter alia, (1) bring the standard required for a

government entity to obtain a warrant in an RCS equal to the higher standard needed for an ECS,

(2) completely eliminate the 180-day abandonment rule to better align with current thinking on

electronic storage, (3) amend the statute to cover electronic storage (presumably emails) that are

being held or maintained by the service even after they have been read, (4) require the

government to notify users within three days if a warrant has been executed and user content has

been searched, and (5) prevent service providers from being able to voluntarily share user

information with the government without a warrant.77

Some proposals also ask for increased

reporting to Congress on how often and under what circumstances warrants are sought and

issued so that Congress can update laws accordingly.78

Theseproposals would better align the SCA with its original intended purpose of the

statute back in 1986. As discussed above, so little of the information transfer that takes place on

the Internet is actually covered by the SCA that the statute has not been able to provide the

protection Congress intended. While these proposals are an excellent first step towards bringing

statutory privacy into the age of the cloud, Congress should also put a plan in place to frequently

audit and update privacy laws related to the use of Internet. As the SCA aptly demonstrates,

laws that are structured around current technological standards dont stay up-to-date for very

long. The updated proposal will work towards helping the currentprivacy issues in the cloud,

but they will surely be outdated within a few years, potentially stifling innovation and economic


78Id. at 17-18; See also:


17/18

Bert van Uitert

output. If a framework is put in place to mandate frequent tweaks to policyperhaps by a non-

partisan group composed of legislators, business representative, privacy advocates, etc.it will

increase the likelihood that Congress doesnt wait another 27 years before updating laws to

conform to technological advances.

VI. Implications for Businesses and Professionals

As should be clear, everyone has a personal interest in understanding how his or her

personal privacy is affected by using the cloud. However, these laws and principles are of

particular importance to several professional industries. Generally, any profession that has a

general or ethical responsibility to keep information confidential should be particularly wary of

using cloud computing in their business practices. Specifically, medical doctors and

psychologists have an ethical duty to keep medical information private (including mental health)

as well as a legal duty under the Health Insurance Portability and Accountability Act. As well,

lawyers and accountants have ethical responsibilities to maintain the confidentiality of legal and

financial information respectively.

Consequently, local and national ethics committees from each of these fields have issued

guidelines to practitioners who seek to use the cloud in their businesses. Although each varies in

its specificity, they consistently recommend a few general principles.79 First, the professional

must ensure that the cloud provider has an enforceable obligation to preserve confidentiality and

security and that the professional will be notified if the provider is served with process regarding

the production of client information.80

Second, the professional must investigate the online data

storage providers security measures, policies, backup methodologies, and other procedures

79http://www.mondaq.com/x/170266/Privacy/Lawyers+And+Technology+New+Threats+To+Ke

eping+Client+Information+Confidential80

For example, many sites have certificates proving that they are HIPAA complaint.http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-hipaa-

compliance.


18/18

Bert van Uitert

determine if they are adequate. Finally, the professional must employ available technology to

guard against reasonably foreseeable attempts to infiltrate stored data. These guidelines will be

frequently updated to ensure that ethical standards keep up with the rapid pace of technology.

VII. Conclusion

As more and more of the world becomes digitized, it is increasingly important for

individuals to understand the privacy implications of cloud computing. The Fourth Amendment

and theKatztest generally protect information in the cloud. However, because the nature of

cloud computing involves sharing information with a service provider, the third party doctrine

limits the protections afforded by those safeguards. Many, including Supreme Court Justice

Sonia Sotomayor, believe that the third party doctrine should be reevaluated because of our ever-

changing digital society. In addition to the Constitutional safeguards, Congress has passed

statutory privacy protections for digital information with the Stored Communication Act.

Unfortunately, the act was narrowly tailored to the technology standards of the mid-1980s and

provides little protection in modern day scenarios. To address the outdated law, numerous

legislators have proposed amendments to update the language to cover cloud technologies. As

judges and legislators approach solutions to cloud privacy problems, they should be careful to

craft rulings and statutes that address current issues without limiting future innovation and

technological advances. In sum, because privacy rights in the cloud remain nebulous, users must

tread with caution.

Documents

The Nebulous Privacy Rights of Cloud Computing