Government agencies and civil litigants are increasingly turning to this treasure trove of information in the cloud for evidence to aid their investigations and lawsuits, sometimes sweeping in millions of users with a single subpoena.
One high profile example is the court order Viacom obtained last year requiring YouTube to turn over the login name, IP address and viewing habits of every user who has ever watched a video on the site.
What does individual privacy against search and seizure mean in such an environment? The legal system is still figuring that out, but so far it's not a pretty picture.
A fundamental issue is the way our law regards information held by a third party like Google or Flickr. In the 1976 case U.S. v. Miller and in a series of subsequent decisions, the Supreme Court essentially concluded that an individual's records held by a third party may enjoy considerably less constitutional privacy protections than the same records held by the individual in a filing cabinet (or on his or her laptop). These decisions are often over-interpreted and their full scope is unclear, but the fact is that government agents can often access consumer information held by third parties with a mere subpoena – issued by a prosecutor without approval by a judge and without any real showing of suspicion.
In contrast, to seize information held on an individual's personal computer, or to intercept communications while traveling over the network, government agents need a warrant issued by a judge upon a showing of some pretty concrete suspicion. The difference is significant.
In 1986, Congress enacted ECPA to establish standards for government access to electronic communications. However, Congress did not fully reject the Miller line of cases. Instead, ECPA established a complex matrix of standards based on distinctions that seem nonsensical today.
For example, ECPA provides different protections to e-mail content depending on whether the e-mail is in transit or in storage, whether it is more or less than 180 days old, and whether it is opened or unopened. ECPA also applies different protections to data held by "electronic communications services" and by "remote computing services," even though today most service providers fit both definitions and it is difficult to tell under which category many services fit.
This convoluted setup creates uncertainty for everyone, particularly with ordinary users, who have become totally dependent on the services but are totally unaware of the law's weaknesses. Even the courts are confused.
For example, in a 2007 case, a federal Court of Appeals declared unconstitutional a provision of ECPA that allows government investigators to obtain old e-mails with a subpoena and without notice to an e-mail user.
Then, in 2008, other judges of the same court vacated the ruling on procedural grounds; although the second opinion did not reject the logic of the earlier ruling, the ECPA provision is technically constitutional again. For how long? No one knows.
The patchwork of standards makes it hard for law enforcement to issue appropriate orders, and puts service providers in a difficult position as they try to respond to legitimate government requests while also keeping their users' information confidential.