Law in the Internet Society

PRIVACY AND CLOUD STORAGE

-- By TuviaPeretz - 30 Oct 2011

Introduction

With the increased use of cloud storage new questions have arisen related to the privacy and confidentiality of files stored on the cloud. Although file storage on remote servers is not a new creation, many of the legal doctrines surrounding privacy and confidentiality of files were created without use of the cloud in mind and have not been adapted to the expanded use of the cloud. This paper will explore some of the ways in which files stored on the cloud may be treated differently from files stored on a user's hard-drive, what steps are being taken to improve the legal doctrines surrounding cloud computing, and what roadblocks stand in the way of improvements.

NOTE: The focus here is on issues related to cloud storage in the United States and not jurisdictional complications. There are a whole set of other legal issues related to cloud computing which have to do with information moving across jurisdictions and being exposed to differing, and potentially conflicting, privacy regimes.

Legal Inconsistencies

While cloud storage can be an economical and practical method for storing data and information, use of the cloud may result in reduced privacy protection. Information which the user may have otherwise stored themselves can be subject to a different set of legal standards once the information is turned over to a third party and retained on a server.

When using cloud storage, an individual or a company uses storage capacity provided to it by a third party instead of maintaining its own files. Although one may not intuitively view this distinction as significant, there is case law (US v. Miller (1976)) which allows such information to be treated differently for privacy purposes. The government argues that because a file has been turned over to a third party, the file does not have the same privacy protections it would if it were held by the creator. The significance of the government’s approach becomes increasingly important as more and more files are being turned over for third party storage.

The question we need to ask is whether there is any valid justification for treating a file turned over to a third party for storage differently than the a file retained by an individual or corporation. Those in favor of the government’s right to access such information would argue that an individual or corporation does not have a reasonable expectation of privacy once they turn over the information to a third party. However, is this how individuals and corporations think of the issue when storing information on the cloud? While most people would likely acknowledge that there is a set of privacy concerns associated with the cloud, I believe these concerns stem from the fact that the information is being stored on the internet as well as whether they trust the third party to which the information is turned over—not the legal distinctions associated with the fact that it has been turned over to a third party. The decision to have data and information stored on a particular cloud is closer to a decision to hire a file management consultant, about whom you hopefully make a educated decision whether or not to trust, to manage and protect your data and less like putting that information in a lockbox to which the government has the key but can only open it when they think it’s important. The view that you do have a reasonable expectation of privacy in E-mails was endorsed in a recent Sixth Circuit decision, US v. Warshak (2010) (Wikipedia), but it remains to be seen how this will impact the law in the area.

The main statutory provision which protects wire, oral, and electronic communications is the Electronic Communications Privacy Act (ECPA). Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage. The ECPA has not undergone a major revision since being enacted in 1986 and its privacy standards are wildly out of sync with much of the computer activity which occurs today. Take, for example, the fact that E-mail can be accessed by the government without a warrant if it has been left on a server for more than 180 days. When the law was passed, E-mail was generally downloaded. Therefore, the law considered E-mail which remained on a server for more than 6 months to be abandoned. Today, however, E-mail is regularly kept and stored on servers, yet the law still considers E-mail left on a server abandoned and allows law enforcement to access it without a warrant. This means that POP and IMAP E-mail services are treated asymmetrically for privacy purposes.

Proposals For Change

An organization called Digital Due Process (a coalition of various companies) has laid out its major principles for bringing the ECPA up to date with today’s computing needs, and Senator Patrick Leahy has introduced a bill in the Senate.

Roadblocks

The major roadblocks to enacting this change come from the government and the cloud computing industry itself. Obviously the government is interested in continuing the practices it currently takes part in. The government wants its investigative procedures to remain as simple and as quiet as possible. The government does not want individuals to know they are being investigated and has no interest in increasing the evidentiary standard required to obtain data and information on a person or corporation.

The industry is caught in a tough position. On the one hand they want to back data and privacy protections insofar as they encourage individuals and corporations to embrace the cloud and utilize their services. However, the cloud providers want to continue to access individuals data for their own informational purposes (look at Amazon terms of service regarding your files particularly 5.2) and do not want to back any laws which might increase privacy protections and inhibit their use of consumer data.

It's difficult to know what you mean by cloud storage here. Partly this results from the complete obscurity of the term most of the time, as a buzzword without concrete technical meaning. But here, by including email held in ordinary spools, you seem to mean by "cloud storage" all non-local storage. And your legal discussion, such as it is, concerns updating ECPA, which—for reasons you give in the course of the discussion—is orthogonal to questions about "cloud."

I doubt the effectiveness of your disclaimer at the top, for this reason. Email servers can be said to have a location, and the law that applies to them is, as the saying used to be among pretentious international law types, lex loci server. What might be meant by "cloud storage," however, would be clustered file systems deliberately straddling jurisdictional boundaries (indeed all boundaries), where merely determining the law governing any individual quantum of data at any fixed time may be impossible.


# * Set ALLOWTOPICVIEW = TWikiAdminGroup, TuviaPeretz

Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list

Navigation

Webs Webs

r3 - 10 Nov 2011 - 23:45:52 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM