Strangers in the Sky: The Cloud, Third-Parties, and the Fourth Amendment
By Justin James
I. Introduction: Behold The Cloud
In the beginning Man created the computer.1 And the computer was without
Ethernet, and Wi-Fi; and loneliness was upon the face of the operating systems. And
Man said (or maybe Al Gore), Let there be Internet: and there was Internet. And Man
saw the Internet, that it was good:2 and Man divided the Internet from the cable. And
Man called the cabled internet Ethernet, and the internet without cable Wi-Fi. And
Man said, Let us make data storage without limits: and let the people store whatever
they want, as much as they want. So Man created the Cloud. And the people could
access the Cloud anywhere. And the government saw the Cloud and behold, it was
very good. For the government now could access the thoughts of the people. 3
This paper discusses the Cloud; how the Fourth Amendment privacy
protections currently apply and will likely apply to the Cloud, including a discussion
of the third-party doctrine; and, finally, other statutory protections for Cloud
Computing.
1 For creation of Man see Genesis 1:26-31.
2 Susannah Fox, Lee Rainie, The Web at 25 in the U.S. (February 27, 2014) http://www.pewinternet.org/2014/02/27/summary-of-findings-3/ (last accessed March 27, 2014) (“76% of internet users say the internet has been a good thing for society”).
3 See Louis Columbus, PRISM Projected to Cost U.S. Cloud Computing Industry $35B, (August 8, 2013) http://www.forbes.com/sites/louiscolumbus/2013/08/08/prism-projected-to-cost-u-s-cloud-computing-industry-35b/ (last accessed March 25, 2014); Daniel Castro, How Much Will Prism Cost the U.S. Cloud Computing Industry? (August 2013), http://www2.itif.org/2013-cloud-computing-costs.pdf (last accessed 3/25/2014).
14819-8179-2538.1
II. The Air up There: What is Cloud Computing?
A precise definition of cloud computing is not easy to pin down.4 This is due, at
least in part, to the “buzz” around the cloud as the latest tech craze.5 But, in its
simplest form—much like this paper—cloud computing is the ability to run
applications, process scripts, and store data on a server over the internet, rather than
on a personal computer.6 The user accesses this server via a network connection and
views the application or data on his personal computer—think of a web browser based
word processing program like Google Docs or Microsoft Office 365.
Six years ago nearly 69% of online Americans used some form of cloud
computing.7 Last year, more than half of the U.S. businesses used cloud computing. 8
And the Cloud is predicted to grow. According to a PEW Research study by 2020 “the
cloud will dominate” as stored data and cloud based apps continue to grow in
popularity.9
4 Geoffrey A. Fowler & Ben Worthen, The Internet Industry Is on a Cloud--Whatever That May Mean, Wall St. J., Mar. 26, 2009, http://online.wsj.com/news/articles/SB123802623665542725, (last accessed April 27, 2014). (“While almost everybody in the tech industry seems to have a cloud-themed project, few agree on the term's definition.”)
5 Id.
6 William Jeremy Robinson, Free at What Cost?: Cloud Computing Privacy Under The Stored Communications Act, 98 Geo. L.J. 1195, 1199. (2010).
7 John B. Horrigan, Cloud Computing Gains in Currency: Online Americans Increasingly Access Data and Applications Stored in Cyberspace, Pew Research Center (Sept. 12, 2008), http://www.pewinternet.org/2008/09/12/use-of-cloud-computing-applications-and-services/ (Last visited March 18 2014). (“Some 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web.”)
8 Reuven Cohen, The Cloud Hits Mainstream: More than Half of U.S. Businesses Now Use Cloud Computing, (April 16, 2013), http://www.forbes.com/sites/reuvencohen/2013/04/16/the-cloud-hits-the-mainstream-more-than-half-of-u-s-businesses-now-use-cloud-computing/, (last accessed March 27, 2014).
As our online lives expand, privacy concerns begin to rise.10 After Edward
Snowden’s disclosure of the NSA’s spying program, American citizens and
companies, both foreign and domestic, are left wondering whether the Constitution has
been violated and how the Fourth Amendment’s privacy rights apply to the Cloud.11
III. Fourth Amendment Protections for the Cloud Are Still Up In the Air
Whether Fourth Amendment protections exist for the data we store in the Cloud
is not easily answered. While a privacy expectation may pass the reasonable
expectation to privacy test as set forth in United States v. Katz,12 the third-party
doctrine further blurs the answer.13 And the Sixth Circuit’s opinion in Warshak shed
little light on the question.14
9 Pew Research Internet Project, The Future of Apps and Web, (March 23, 2012) http://www.pewinternet.org/2012/03/23/the-future-of-apps-and-web-2/ (last accessed March 27, 2014).
10 Lee Rainie, Sara Kiesler, Ruogu Kang, and Mary Madden, Anonymity, Privacy, and Security Online, Pew Research Center (September 5, 2013) http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/, (86% of internet users have taken steps online to remove or mask their digital footprints). (Last visited March 27, 2014).
11 Chris Paoli, Shattered Trust: IT Survey Shows PRISM Allegations Have Brought Cloud Misgivings, (September 9, 2013) http://redmondmag.com/articles/2013/10/01/shattered-trust.aspx (last accessed March 27, 2014).
12 389 U.S. 347, 361 (1967) (Harlan, J., concurring) (“there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy, and second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”).
13 See Smith v. Maryland, 442 U.S. 735 (1979) (finding privacy expectation in numbers dialed unreasonable because the telephone company had permissible access to the information).
14 United States v. Warshak, 631 F.3d 266, 285–86 (6th Cir. 2010).
A. Look to the Lodestar: Katz and a Reasonable Expectation of Privacy in the Cloud.
Analysis of the Cloud and the Fourth Amendment begins with the lodestar case
Katz v. United States.15 In Katz, the United States Supreme Court addressed the
question of whether the defendant’s Fourth Amendment rights were violated when the
police used an electronic listening device to listen to Katz’s phone call made from a
public telephone booth.16, 17 Up to this point Olmstead v. United States established the
Fourth Amendment jurisprudence and held that the Fourth Amendment only applied
to searches and seizures of physical property.18 Katz deviated from precedent,
overruled Olmstead, and held that “the Fourth Amendment protects people, not
places.”19
The Court held that listening to the phone call without a warrant was indeed a
violation of the defendant’s Fourth Amendment rights because the eavesdropping was
an invasion of the defendant’s expectation of privacy despite the phone booth’s open
location on a public street.20 Finally, Katz established the test for determining what
privacy interests are protected in Justice Harlan’s concurring opinion: “there is a
twofold requirement, first that a person have exhibited an actual (subjective)
expectation of privacy [closing the phone booth door], and second, that the
expectation be one that society is prepared to recognize as ‘reasonable.’”21
15 389 U.S. 347 (1967).
16 Id. at 354.
17 A telephone booth is a small structure which houses a wired telephone. Typically a small glass cube measuring 3’ x 3’ x 8’, an individual could enter the telephone booth, close a folding door, and deposit coins in order to make a phone call. The telephone booth is virtually extinct due to the advent of the cellular phone and mobile computing.
18 Olmstead v. United States, 277 U.S. 438, 466–68 (1928).
19 Katz, 389 U.S. at 351–53.
20 Id. at 353.
Katz has subsequently been referred to as the lodestar in “determining whether
a particular form of government-initiated electronic surveillance is a ‘search’ within
the meaning of the Fourth Amendment.”22 In short, Katz laid the foundation for Fourth
Amendment protection of electronic communications and gave the touchstone test for
nearly all modern day Fourth Amendment issues involving electronic information.
Does data stored on the Cloud pass the Katz test? At first blush it would
appear that the answer to this question is yes. Many individuals in our society who use
cloud services, one would have to assume,23 have an expectation that their information
is private and safe. From medical records24 to lawyers’ client documents25 more and
more personally private and confidential information is being stored in the Cloud. But
the answer is not so simple. Despite the doctor’s and the lawyer’s belief in the Cloud’s
security many believe their information is not completely private online.26 This calls
into question whether society is willing to recognize the privacy expectation in Cloud
stored data as reasonable. And the third-party doctrine further clouds the answer.
21 Id. at 361 (Harlan, J., concurring).
22 Smith v. Maryland, 442 U.S. 735, 739 (1979).
23 John B. Horrigan, Cloud Computing Gains in Currency: Online Americans Increasingly Access Data and Applications Stored in Cyberspace, Pew Research Center (Sept. 12, 2008), http://www.pewinternet.org/2008/09/12/use-of-cloud-computing-applications-and-services/ (Last visited March 18 2014). (“Some 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web.”)
24 AT&T Corp, Medical Imaging in the Cloud (07/10/2012) http://www.corp.att.com/healthcare/docs/medical_imaging_cloud.pdf (Executive Summary imploring hospitals to use AT&T’s specialized Cloud service to store medical imaging). (Last accessed 3/18/2014).
25 Natalie Kelly, Daniel J. Siegel, John W. Silmek, Moving Your Practice to the Cloud Safely and Ethically, American Bar Association presentation, (January 14, 2013), http://www.americanbar.org/content/dam/aba/events/cle/2013/01/moving_your_law_practice/course_materials.authcheckdam.pdf, (ABA presentation instructing Lawyers on how to ethically use the Cloud to store their work product and client documents). (Last visited March 18 2014).
26 Lee Rainie, Sara Kiesler, Ruogu Kang, and Mary Madden, Anonymity, Privacy, and Security Online, Pew Research Center (September 5, 2013) http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/, (59% of internet users do not believe it is possible to be completely anonymous online). (Last visited March 18 2014).
B. The Third Party Doctrine and How it Applies to the Cloud
The third-party doctrine states that when persons share information with third
parties there cannot be a reasonable expectation of privacy. Its origins lie with
undercover agents and government informants.27 In Hoffa v. United States, the
defendant, Jimmy Hoffa, sought to have his conviction of bribing jurors overturned
because the government used information gained by an informant who had worked his
way into Hoffa’s inner circle and heard Hoffa describe the bribery.28 He lost.29 The
Court held that Hoffa’s “misplaced confidence ... did not implicate Fourth
Amendment rights because the Fourth Amendment does not protect a misplaced belief
that a person to whom one voluntarily confides his wrongdoing will not reveal it.”30
The third-party doctrine began to have its nascent effect on the Fourth Amendment.
27 Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561, 567 (2009).
28 385 U.S. 293, 300 (1966).
29 Id. at 305.
The doctrine continued to develop in United States v. White.31 In this case,
much like Hoffa, the defendant shared inculpatory information with a government
informant and that information was used to win a conviction. 32 The Court, citing
Hoffa, held that the Fourth Amendment does not protect “a wrongdoer’s misplaced
belief that a person to whom he voluntarily confides his wrongdoing will not reveal it”
and that a criminal “must realize and risk that his companions may be reporting to the
police.”33 The third-party doctrine continued to develop.
The third-party doctrine hit puberty and then adulthood in the 1970’s when it
was applied to business records. First, in Couch v. United States the Internal Revenue
Service subpoenaed Couch’s accountant for Couch’s tax related documents. 34 The
government searched the records in the accountant’s possession, and built a successful
case against Couch for understating his gross income.35 On appeal to the Supreme
Court, Couch argued that the government violated his Fourth Amendment rights when
it engaged in a warrantless search of the records given to his accountant without a
warrant.36 The Court succinctly held that Couch had no reasonable expectation of
privacy because it was without question that much of the information in those records
would be disclosed by the accountant in the tax return.37
30 Id. at 302–03.
31 401 U.S. 745 (1971).
32 Id. at 302.
33 Id.
34 Couch v. United States, 409 U.S. 322, 323.
35 Id. at 324–25.
Three years later the Court expanded the third-party doctrine in United States v.
Miller.38 Here, Miller had been convicted for several federal crimes relating to the
manufacturing of alcohol.39 The government subpoenaed Miller’s bank for “all records
of accounts” for Mitch Miller and his aliases. 40 The Government then used these
records to prove, among other things, that Miller had been evading whiskey taxes. 41
Relying on Katz, Miller argued that obtaining and using his bank records without a
warrant was a violation of his privacy rights under the Fourth Amendment because the
records were “merely copies of personal records that were made available to the banks
for a limited purpose and in which [Miller had] a reasonable expectation of privacy.” 42
The Supreme Court rejected this argument and stated that “we perceive no legitimate
‘expectation of privacy’ in [the bank records] contents” because the “depositor takes
the risk, in revealing his affairs to another, that the information will be conveyed by
that person to the Government.”43
36 Id. at
37 Id. at 335.
38 425 U.S. 435 (1976).
39 Id. at 436.
40 Id. at 437–38.
41 Id. at 436.
42 Id. at 422.
Finally, Smith v. Maryland, the pen register case.44 In this case, a person was
robbed.45 After the robbery the victim began receiving intimidating phone calls from a
man claiming to be the robber.46 The police asked the telephone company to install a
pen register to record the numbers dialed from the telephone at the home of a suspect, the
petitioner Michael Smith.47 The register showed that Smith was indeed calling
the victim and the police were able to obtain a search warrant based, in part, on this
evidence.48 Smith sought to have the fruits of the pen register excluded on the basis
that he had a reasonable expectation that the numbers he was calling were private. 49
The Court rejected this argument on the basis that even if there were a
subjective expectation to privacy, this expectation is “not one that society is prepared
to recognize as reasonable.”50 One of the explanations that the Court gave for society not
recognizing this expectation as reasonable was that “[m]ost phone books tell
subscribers, ... , that the company can ‘frequently help in identifying to the authorities
the origin of unwelcome and troublesome calls.’”51
43 Id. at 442–43.
44 442 U.S. 735 (1979).
45 Id. at 737.
46 Id.
47 Id.
48 Id.
49 Id. at 741–43.
50 Id. at 742 citing Katz, 389 U.S. at 361.
These three cases—Couch, Miller, and Smith52—create the foundation of the
third party doctrine and have often been cited to support the notion that the third-party
doctrine applies to a person’s electronically stored information. 53 If this notion is true
then documents stored on many of the popular Clouds 54 fall squarely within the
confines of the third-party doctrine. iCloud, Google Drive, OneDrive (formerly
SkyDrive) and Dropbox all have privacy policies that allow the provider to scan the
contents of the data stored on their Cloud Services in order to gather data that could
later be used for advertising to that customer.55 If this was the end, it would appear
that the answer is simple: there is no Fourth Amendment protection, or any protection
for information stored on the Cloud. But, it is never that simple.
51 Id.
52 Sounds like a red-neck’s trio: a couch, a beer, and a gun.
53 Guest v. Leis, 255 F.3d 325, 335 (6th Cir. 2001) (ruling that there is no Fourth Amendment protection for subscriber information—names, addresses, birthdates, and passwords—given to the third-party systems operator).
54 Such as iCloud, Google Drive, Dropbox, and OneDrive (formerly SkyDrive).
55 All of the service providers in note 54 have privacy policies which allow the company to scan the data’s content in order to craft targeted advertisements. This information may also be shared with other advertising agencies. See Microsoft’s Privacy Policies (March 23, 2014), http://privacy.microsoft.com/en-us/fullnotice.mspx#collection; Google’s Privacy Policies (March 23, 2014), http://www.google.com/policies/privacy/; DropBox’s Privacy Policies (March 23, 2014), https://www.dropbox.com/privacy.
C. Exceptions to the Third Party Doctrine and Other Things That Ruined My Day
Leave it to lawyers to make an otherwise simple doctrine complicated to the
point of incomprehension. At its heart, the third-party doctrine is simple: if you share
information with a third party, you cannot have a reasonable expectation of privacy in
that information. But, as Justice Stewart pointed out in his dissent in Stewart v.
Maryland, if the third-party doctrine was as simple as it sounds, then Katz would be
wrong because the telephone company could have recorded the entire phone
conversations just as easily as it can record the numbers dialed.56 And, not only did the
telephone company in Katz have the capability to listen to telephone calls, it also had
the right to listen to telephone calls in certain situations. 57 But clearly the third-party
doctrine does not allow the government to listen in to the substance of our phone calls
without a warrant. This was exactly the issue in Katz.58
56 Smith, 442 U.S. at 747
57 See 18 U.S.C. § 2511(2)(a)(i) (“It shall not be unlawful under this chapter for... a provider of wire or electronic communication service... to intercept, disclose, or use [a] communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service ...”) See also Bubis v. United States, 384 F.2d 643, 648 (9th Cir. 1967) (“When a subscriber of a telephone system uses the system’s facilities in a manner which reasonably justifies the telephone company’s belief that he is violating his subscription rights, then he must be deemed to have consented to the company’s monitoring of his calls to an extent reasonably necessary for the company’s investigation.”)
58 See Katz, 389 U.S. 347
This also is the case with rented space. We have a privacy expectation to our
hotel rooms,59 our apartments,60 and our workspaces61 despite third parties having
permissible access. Hotel staff enters the locked hotel room every morning to clean.
Our landlords have access to our apartments. And maintenance and cleaning staff
come into our office. Yet, it has never been successfully argued that there is not a
reasonable expectation to privacy because a third-party has access to these spaces.
This leaves the Third-Party doctrine and the Cloud in a state of uncertainty. On the
one hand, a plain language reading of the third-party doctrine would lead one to
believe that there is no Fourth Amendment protection for Cloud computing. But on
the other hand, there are several exceptions to the third-party doctrine, and the Cloud
feels like it lies in one of those exceptions.
This feeling is legitimized in the Sixth Circuit’s Decision in Warshak—perhaps
the most relevant decision to date. In this case, the Sixth Circuit recognized a Fourth
Amendment right to the privacy of one’s emails stored with an Internet Service
Provider.62 The defendant, Steve Warshak, was accused of mail and bank fraud for
operating a business that used an often undisclosed “auto-ship” program in its sale of
penis pills—specifically Enzyte.63
59 United States v. Allen, 106 F.3d 695, 699 (6th Cir.1997); United States v. Young, 573 F.3d 711, 717 (9th Cir. 2009); Hoffa v. United States, 385 U.S. at 301
60 Bivens v. Six Unknown Named Agents of Fed. Bureau of Narcotics, 403 U.S. 388, 390 (1971).
61 O'Connor v. Ortega, 480 U.S. 709, 737 (1987).
62 Warshak, 631 F.3d 266, 285–86.
63 Id. at 278–81.
In building its case, the government obtained over 27,000 of Warshak’s emails
by an administrative subpoena under the Secured Communications Act (“SCA”). 64
Warshak argued that the government’s means to obtain the emails was an
unreasonable search under the Fourth Amendment and should therefore be
suppressed.65 The Sixth Circuit agreed with Warshak and found that he did have a
subjective expectation of privacy and that it was one that society would recognize as
reasonable.66 However, Warshak’s conviction was not overturned because of the
government’s good faith reliance on the SCA. 67 Yet, the Sixth Circuit held, “to the
extent that the SCA purports to permit the government to obtain such emails
warrantlessly, the SCA is unconstitutional.”68 In short, the government could no
longer reasonably rely on the SCA to obtain emails without a warrant. The Fourth
Amendment is back!—at least in regards to email and within the Sixth Circuit.
64 Id. at 282.
65 Id. at 281.
66 Id. at 274, 284.
67 Id. at 282.
68 Id. at 288.
69 Warshak, 631 F.3d at 284.
But what effect, if any, does Warshak have on Cloud computing? The Court’s
reasoning perhaps shines some light on this question. The Sixth Circuit applied the
Katz test to determine that Warshak’s privacy expectations in his email were
reasonable.69 The Sixth Circuit Court applied the same reasoning that the Supreme Court
used in Katz. In Katz, the Court based its decision on “the vital role that the public
telephone [had] come to play in private communication.”70 The Warshak court
reasoned very similarly:
“Since the advent of email, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away. Lovers exchange sweet nothings, and businessmen swap ambitious plans, all with the click of a mouse button. [71] Commerce has also taken hold in email. Online purchases are often documented in email accounts, and email is frequently used to remind patients and clients of imminent appointments. In short, “account” is an apt word for the conglomeration of stored messages that comprises an email account, as it provides an account of its owner’s life. By obtaining access to someone’s email, government agents gain the ability to peer deeply into his activities.”72
The Sixth Circuit’s analogy of email to the telephone is clear: “it goes without
saying that like the telephone in earlier history, e-mail is an ever-increasing mode of
private communication, and protecting shared communications through this medium is
as important to Fourth Amendment principles today as protecting telephone
conversation has been in the past.”73
But the analogy of a telephone, mail, or e-mail, to the Cloud is not nearly as
clean. In fact, it is hard to draw any analogy. Unlike any of the above communication
methods where the service provider—the telephone company, postal service, or
internet service provider—is not the intended recipient of any communications, in the
Cloud the service provider is, in a way, the intended recipient. When you store
something in the Cloud, you send that data to the service provider and, often, only the
service provider, with the intent to access it later.
70 Katz, 389 U.S. at 352.
71 The reference to a mouse may already date this opinion.
72 Warshak, 631 F.3d at 284.
73 Id. at 286.
And yet hope is not lost, as the Warshak court noted: “[o]ur conclusion finds
additional support in the application of Fourth Amendment doctrine to rented space.”
The Sixth Circuit’s brief analogy of e-mail to rented space serves as a much better
analogy for the Cloud. If one imagines the Cloud as a rented storage unit or deposit
box, the renter enjoys Fourth Amendment protection of the contents in his storage unit
or safe deposit box despite the owners of the storage building or the bank vault having
access.74
D. Is This Broad Enough For Ya?
Just because the analogy is there—the Cloud is a lot like rented space—it does
not mean that Cloud computing has Fourth Amendment protections in all
circumstances. As the Warshak Court aptly stated:
“[W]e are unwilling to hold that a subscriber agreement will never be broad enough to snuff out a reasonable expectation of privacy. As the panel noted in Warshak I, if the ISP expresses an intention to ‘audit, inspect, and monitor’ its subscriber’s emails, that might be enough to render an expectation of privacy unreasonable.”75
74 United States v. Johnson, 584 F.3d 995, 1001 (10th Cir. 2009) (“People generally have a reasonable expectation of privacy in a storage unit, because storage units are secure areas that command a high degree of privacy”); United States v. First Nat. City Bank, 568 F.2d 853, 858 (2nd Cir. 1977) (Search of a safe deposit box is within the scope of the Fourth Amendment).
75 Warshak, 631 F.3d at 287.
And this is, perhaps, precisely the issue with Cloud Computing: are the service
provider’s privacy policies or other policies so broad that an expectation of privacy is
unreasonable? As mentioned, Cloud Service Providers typically have privacy policies
that allow them to scan the contents of your data. 76 Google’s Google Drive Terms are
perhaps the broadest: “when you upload or otherwise submit content to our Services,
you give Google (and those we work with) a worldwide license to use, host, store,
reproduce, modify, create derivative works (....) communicate, publish, publicly
perform, publicly display and distribute such content”77
It is hard to believe that this is not the type of service agreement the Warshak
Court was referring to. Google expressly states it has the right to distribute the
contents of your Google Drive. That is a broad—if not obese—subscriber agreement
that leaves little for one to reasonably expect his data is private.
What’s more, there are no express protections that your data will be secure. And
Cloud services can be surprisingly, albeit scarily, easy to hack into.78 If Steve
Wozniak’s prophecy is correct—there are going to be a lot of horrible problems in the
next five years as a result of Cloud Computing and giving more control of our
property to Cloud Service Providers79—then the Cloud cannot be a place that society
recognizes a privacy interest once the notoriety of hackers spreads. At such a point the
analogy of the Cloud to a rented space breaks down. A renter of a storage unit or safe
deposit box is ensured that certain safety precautions will be taken. There are walls,
locks, cameras, and guards. There is limited access. But, when there is no promise of
such precautions,80 and it is believed that the storage is relatively unsecured, then the
Cloud becomes the equivalent to an open field and there cannot be a reasonable
expectation of privacy to items found in an open field. Therefore there cannot be a
Fourth Amendment protection for an unsecure Cloud.81
76 See note 39, above.
77 Google’s Privacy Policies (March 23, 2014), http://www.google.com/policies/privacy/ (emphasis added).
78 Dune Lawrence, How Long Can Cloud Servers Hold Off Hackers? Not as Long as You Think, (December 19, 2013) http://www.businessweek.com/articles/2013-12-19/how-long-can-cloud-servers-hold-off-hackers-not-as-long-as-you-think, (CloudPassage, a cloud security company, set up six servers loaded with various combinations of widely used programs, and had a contest for hackers to see how long it would take. It took four hours, and the winner was a self-described amateur, who thought it would be a fun evening to poke around).
And apparently such a notion is already taking hold: 59% of Americans believe
that you can never be completely private online.82 What’s more, this study was
completed before the public was fully aware of the PRISM surveillance program.83 As
more and more people—both domestic and foreign—wise up to the security flaws and
open their eyes to just how unsecure their cloud documents are, at least on U.S. based
cloud servers, more and more consumers are flocking away from U.S. based Cloud
services in favor of Cloud Service Providers where there are security guarantees.84
79 Seth Feigerman, Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In the Next Five Years,’ (Aug. 6, 2012) http://www.businessinsider.com/steve-wozniak-cloud-computing-will-cause-horrible-problems-in-the-next-five-years-2012-8 (Last accessed March 25, 2014).
80 Not all Cloud-based services are unsecure. Services such as SecureOak, Tonido and Cubby offer services very similar to Dropbox, iCloud, GoogleDrive, and OneDrive, but will encrypt the data so that it is secure. These services do not store your encryption password so they cannot decrypt your data.
81 Oliver v. United States, 466 U.S. 170, 179 (1984). Holding that there is no reasonable expectation to privacy in an open field.
82 Lee Rainie, Sara Kiesler, Ruogu Kang, and Mary Madden, Anonymity, Privacy, and Security Online, Pew Research Center (September 5, 2013) http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/, (59% of internet users do not believe it is possible to be completely anonymous online). (Last visited March 18 2014).
83 PRISM is a mass electronic surveillance program used by the NSA. The program is used to collect data from several internet sources, including the contents of Cloud stored documents.
E. Conclusion on the Constitutional Protections Afforded to the Cloud
So, where do things correctly stand? Katz gives us the basic test: is there a
subjective expectation to privacy and is that expectation reasonable? Couch, Miller,
and Smith give us the third-party doctrine which states that if you share your
information with a third party, then you cannot have a reasonable expectation of
privacy. But, there are exceptions to this doctrine as the Warshak Court pointed out.
And, although one cannot claim a complete analogy when comparing the Cloud with
telephone or mail, there is a closer analogy to rented space.
Yet, this analogy breaks down for two reasons: first, Cloud Service Providers’
Terms of Use are often so broad that there cannot be a reasonable expectation to
privacy (Google can distribute the contents of your files to others); second, the
analogy to rented space breaks down when it comes to security because the Cloud is
relatively unsecured. And, this insecurity gnaws away at society’s expectations that
their Cloud stored documents are private to a point that society is no longer willing to
recognize as reasonable the expectation that your Cloud saved documents are private.
84 Daniel Castro, How Much Will Prism Cost the U.S. Cloud Computing Industry? (August 2013), http://www2.itif.org/2013-cloud-computing-costs.pdf (last accessed 3/25/2014), (“On the low end, U.S. cloud computing providers might lose $21.5 billion over the next three years. This assumes the U.S. eventually loses about 10 percent projected market share for the domestic market. On the high end, the U.S. cloud computing providers might lose $35.0 billion by 2016. This assumes the U.S. eventually loses 20 percent of the foreign market to competitors and retains its current domestic market share.”)
And so, like so many other things in the law, the Fourth Amendment’s
application to the Cloud is unclear. As of this writing no court has addressed this
issue. But, pulling a Steve Wozniak-like prophecy, this issue will likely result in a
circuit split as a result of the third-party doctrine. Admittedly this is not much of a
prophecy as it has already started to happen. The Sixth Circuit and the Fifth Circuit
have set the two paths the other Circuits will likely follow.
The Sixth Circuit and its decision in Warshak likely supports a finding that
Cloud stored documents do enjoy Fourth Amendment protections for at least some
Cloud Service Providers—Google Drive and others like it with broad Terms of Use
may never enjoy Fourth Amendment Protections unless they amend their Terms of
Use. The Cloud’s analogy to rented space supports this notion.
The Fifth Circuit has its decision in In re U.S. for Historical Cell Site Data and
it appears that it would likely find in favor of the government and rule that there is no
Fourth Amendment protections for Cloud stored data.85 In this case, the Court ruled
that it was not an unreasonable search for the Government to warrantlessly obtain cell
site data from cell phone service providers because it was information shared with and
collected by the provider: “to the extent an individual knowingly exposes his activities
to third parties, he surrenders Fourth Amendment protections.”86 A Cloud case would
likely be decided similarly: it is information knowingly shared with and collected by a
third party.
85 In re U.S. for Historical Cell Site Data, 724 F.3d 600, 610 (5th Cir. 2013).
86 Id.
Even in those Circuits that follow the decision in Warshak, there is still a
problem with broad Terms of Use and other security risks. As a result, companies will
likely cure their security risks and amend their Terms of Use so that society can
maintain its expectation to privacy in the Cloud.
Eventually, this issue will make it to the Supreme Court. There, hopefully, the
Justices follow Justice Sotomayor’s concurrence in U.S. v. Jones as it relates to the
Third-Party Doctrine and we will have yet another exception as it applies to digital
data.87
87 United States v. Jones, 132 S. Ct. 945, 957 (2012) (The Third-Party Doctrine is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”)