It should not come as a surprise to learn that technology and digital data are evolving faster than the law can adapt. From copyright to privacy law, issues arise on a regular basis where existing laws and legal precedence simply don’t make sense in the context of electronic media and Internet communications.
The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property. Storing data in the cloud creates some gray area when applying those Fourth Amendment rights, though. If a law enforcement agency has a probable justification to investigate the cloud storage provider and seize the servers they own, how does that impact your Fourth Amendment rights not to have *your* data on those servers seized?
A recent article on CNet explores the question of whether or not your Fourth Amendment rights are protected in the cloud. The article focuses on discussing a paper featured in the June 2009 edition of the Minnesota Law Review titled ”Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing.” In the paper, University of Minnesota Law School student David A. Couillard, provides a detailed and insightful analysis of the issues faced when applying the Fourth Amendment on the Internet.
In the paper, Couillard notes:
Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud…encryption is not simply a virtual lock and key; it is virtual opacity.
Basically, the fact that your data is stored in an encrypted state–even when stored on servers belonging to a third-party–implies an expectation of privacy.
Ultimately, Couillard suggests a legal framework that applies Fourth Amendment rights by treating data stored on with third-party providers the same as personal possessions kept in s storage unit, or valuables stored in a bank safe deposit box:
[T]he service provider has a copy of the keys to a user’s cloud “storage unit,” much like a landlord or storage locker owner has keys to a tenant’s space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.
The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.
This paper is simply a proposal from a law student, and doesn’t represent any existing legal framework or precedent. However, the arguments seem sound. In the absence of an established legal precedent that makes sense, ensuring your data is stored in an encrypted state can serve as a reasonable expectation of privacy and help to ensure your Fourth Amendment rights even in the cloud.