Perils in the Privacy Cloud

Computing in the "cloud" leaves personal data poorly protected.

Sept. 15, 2009 -- We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression.

Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life.

Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example.

The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing.

Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past.

The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off.

It has become needlessly complex, while leaving many new categories of data poorly protected. We need a broad-based effort to reform ECPA to offer greater protection for consumers' information.

Meanwhile, reform of ECPA will give service providers the clear rules they deserve and ensure that government agencies have access to electronic communications when justified in law enforcement and national security investigations.

E-Mail, Photos, Medical Records Stored in the 'Cloud'

Increasingly, consumers and businesses alike are taking advantage of cloud computing capabilities by storing e-mail, photos, medical records and other data in the faraway data centers of companies and accessing the data via the Internet.

The payoff for users is massive data storage capacity available at very low -- or zero -- cost and freedom from having to deal with upgrades and security issues.

The downside, however, may be loss of privacy when a government agent or a lawyer with a subpoena shows up at the office of the cloud computing service provider.

E-mail is one of the most familiar examples of the shift to cloud computing. In 1986, when ECPA was written, e-mail users would generally download their e-mails onto their PCs and those e-mails would often be deleted from the computers of the e-mail service provider.

Nowadays, e-mail providers offer thousands of megabytes of storage and actively encourage users not to delete their e-mails, but rather to store them on the service provider's computers -- in the "cloud," if you will. Many individuals and businesses have years of correspondence and other records stored with these third parties.

In the Cloud: Flickr, Photobucket, Google Docs, OpenOffice and More

Other cloud computing services include photo-sharing sites such as Flickr and Photobucket and word processing and spreadsheet programs such as Google Docs and OpenOffice. Health information is starting to move to the cloud as well, with the arrival of personal health record services like Google Health and Microsoft HealthVault.

To give you a sense of the amount of information that is migrating to the cloud, Google recently reported that 20 hours of video content are uploaded to YouTube every minute.

Government agencies and civil litigants are increasingly turning to this treasure trove of information in the cloud for evidence to aid their investigations and lawsuits, sometimes sweeping in millions of users with a single subpoena.

One high profile example is the court order Viacom obtained last year requiring YouTube to turn over the login name, IP address and viewing habits of every user who has ever watched a video on the site.

The Legal Landscape

What does individual privacy against search and seizure mean in such an environment? The legal system is still figuring that out, but so far it's not a pretty picture.

A fundamental issue is the way our law regards information held by a third party like Google or Flickr. In the 1976 case U.S. v. Miller and in a series of subsequent decisions, the Supreme Court essentially concluded that an individual's records held by a third party may enjoy considerably less constitutional privacy protection than the same records held by the individual in a filing cabinet (or on his or her laptop). These decisions are often over-interpreted and their full scope is unclear, but the fact is that government agents can often access consumer information held by third parties with a mere subpoena -- issued by a prosecutor without approval by a judge and without any real showing of suspicion.

In contrast, to seize information held on an individual's personal computer, or to intercept communications while traveling over the network, government agents need a warrant issued by a judge upon a showing of some pretty concrete suspicion. The difference is significant.

In 1986, Congress enacted ECPA to establish standards for government access to electronic communications. However, Congress did not fully reject the Miller line of cases. Instead, ECPA established a complex matrix of standards based on distinctions that seem nonsensical today.

For example, ECPA provides different protections to e-mail content depending on whether the e-mail is in transit or in storage, whether it is more or less than 180 days old, and whether it is opened or unopened. ECPA also applies different protections to data held by "electronic communications services" and by "remote computing services," even though today most service providers fit both definitions and it is difficult to tell under which category many services fit.

This convoluted setup creates uncertainty for everyone, particularly for ordinary users, who have become totally dependent on the services but are totally unaware of the law's weaknesses. Even the courts are confused.

Patchwork of Standards Hampers Law Enforcement

For example, in a 2007 case, a federal Court of Appeals declared unconstitutional a provision of ECPA that allows government investigators to obtain old e-mails with a subpoena and without notice to an e-mail user.

Then, in 2008, other judges of the same court vacated the ruling on procedural grounds; although the second opinion did not reject the logic of the earlier ruling, the ECPA provision is technically constitutional again. For how long? No one knows.

The patchwork of standards makes it hard for law enforcement to issue appropriate orders, and puts service providers in a difficult position as they try to respond to legitimate government requests while also keeping their users' information confidential.

The lack of strong and clear protections may also be discouraging use of cloud computing services. The situation may offer an incentive for individuals and businesses to use cloud computing services outside of the United States if they think they can get stronger protections in other countries.

Updating the Privacy Laws

Of course, the government has important interests that justify access to Internet communications in specific cases. However, the fact that the technology has outpaced the law should not diminish Fourth Amendment guarantees against unreasonable search and seizure. It is a fundamental of democracy that government surveillance powers should be subject to rigorous checks and balances.

I believe it is possible for technology companies, privacy and consumer advocates, and the government to come together around some basic privacy principles that would update the laws and strike a better balance between liberty and security.

A core principle of an updated privacy law is that personal information stored in the cloud should have the same protections as information stored on an individual's computer. The government should be required to obtain a warrant issued by a judge in order to read someone's e-mail, regardless of whether it is in transit on the network or stored on a server and regardless of whether the recipient has read it yet or not.

A reasonable update would also set an appropriate standard for the release to a governmental entity of any subscriber identifying information (i.e. name, address, account number), protecting against fishing expeditions by making it clear that court orders must be specific to a particular account in connection with an ongoing investigation.

Another issue that needs to be addressed is location information, which is currently causing confusion among the courts. All of our cell phones and other mobile devices are constantly reporting our location. A full record of our movements is available to government agents, both in real time and retrospectively over weeks or months. ECPA does not make it clear what standard applies to this information. Some courts have ordered its release under a weak standard.

Time for Technology-Neutral Privacy Improvements

It will probably not be possible to address in advance all of the ways in which technology may change in the coming years. However, technology-neutral privacy improvements can address some of the key gaps in the law.

Some in government are likely to resist any updating of the privacy laws. They want to maintain the current loose restraints on their access to citizens' personal information.

However, a reasonable update of ECPA would not deprive law enforcement agencies of the tools they need to find criminals. Rather, an update would restore clarity and balance to surveillance laws that have become outdated due to rapid technological changes.

Updating ECPA would preserve traditional privacy protections in the context of new technologies.

The words of the Fourth Amendment refer only to protection of our houses and "papers" against unreasonable search and seizure.

It is time for the law to explicitly recognize that privacy protections should extend also to the wealth of digital information that we generate, whether it resides on a mobile device or is stored in the cloud.

Leslie Harris is president and CEO of the Center for Democracy & Technology.