January 17, 2010 6:00 AM PST

Does the Fourth Amendment cover 'the cloud'?

by James Urquhart

One of the biggest issues facing individuals and corporations choosing to adopt public cloud computing (or any Internet service, for that matter) is the relative lack of clarity with respect to legal rights over data stored online. I've reported on this early legal landscape a couple of times, looking at decisions to relax expectations of privacy for e-mail stored online and the decision to allow the FBI to confiscate servers belonging to dozens of companies from a co-location facility whose owners were suspected of fraud.

However, while I've argued before that the government has yet to apply the right metaphor to the modern world of networked applications and data, there has been little literature that has actually dissected the problem in detail. Even worse, I've seen almost no analysis of how the United States Constitution's Fourth Amendment, which guards against unreasonable searches and seizures, applies to Internet-housed data.

However, I just had the pleasure of reading an extremely well-written note in the June 2009 edition of the Minnesota Law Review titled "Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing" (PDF). Written by David A. Couillard, a student at the University of Minnesota Law School expected to graduate this year, the paper is a concise but thorough outline of where we stand with respect to the application of Fourth Amendment law to Internet computing. It finishes by introducing a highly logical framework for evaluating the application of the Fourth Amendment to cases involving cloud-based data.

According to Couillard, we aren't very far along at all today:

Under a rubric of "reasonable expectations of privacy," the Court has since defined the contours of the Fourth Amendment's application in varying circumstances. But technology and society's expectations are evolving faster than the law. Although statutory schemes exist, some argue that these laws are outdated. Meanwhile, the Supreme Court has not even addressed the Fourth Amendment's application to e-mail, let alone the expanding uses of cloud-computing platforms. Thus, Fourth Amendment law needs a framework that will adapt more quickly in order to keep pace with evolving technology.

I stated essentially the same thing in my Cloud Computing Bill of Rights back in 2008:

In order for enough trust to be built into the online cloud economy, however, governments should endeavor to build a legal framework that respects corporate and individual privacy, and overall data security. While national security is important, governments must be careful not to create an atmosphere in which the customers and vendors of the cloud distrust their ability to securely conduct business within the jurisdiction, either directly or indirectly.

Couillard starts his analysis with how legal precedent for telephonic communications may or may not apply to the cloud. He notes that all such law is evaluated under a "reasonable expectation of privacy" test:

The reasonable-expectation-of-privacy test arose out of Katz v. United States, where Justice Harlan, concurring, outlined a two-part requirement: (1) that the person demonstrated a subjective expectation of privacy over the object and (2) that the expectation was reasonable. This test can be applied to both tangible and intangible objects. However, when the object of a search--tangible or not--is voluntarily turned over to a third party, the Supreme Court has held that a person loses their reasonable expectation of privacy in that object.

Since then, much of the legal confusion in cases involving any form of data or transaction on the Internet has revolved around whether storing your data in a third-party data center is in fact subject to the so-called "third-party doctrine." This includes cases like Smith v. Maryland, in which the courts argued that people generally gave up an expectation of privacy with regard to their phone records simply through the act of dialing their phone--as the phone company receives and processes the phone numbers, thereby becoming a party in the transaction.

Couillard argues, however, that while Smith v. Maryland applies to the phone numbers dialed, it does not apply to the contents of the conversation, as noted in Katz v. United States. Thus, the courts should adopt a framework in which the third-party doctrine is applied much more narrowly to online content (including cloud-based data), according to Couillard.

Couillard goes on to discuss legal analogies of virtual containers, encryption and password protection to briefcases, locks, and keys. The argument is complex, but it turns out that in the physical world, the security and the opacity of a container used to store an object both affect the "reasonable expectation of privacy" test:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud...encryption is not simply a virtual lock and key; it is virtual opacity.

So, if the courts were to interpret digital assets in the same way Couillard does, you could virtually (no pun intended) assure your Fourth Amendment protections, even in the cloud, if you simply encrypted your data. Cloud vendors, are you listening?

Couillard wraps up with a suggested framework for applying the Fourth Amendment to "the cloud" that is very much in line with my own thinking. Treat digital assets on third-party sites not as transactions (like phone numbers dialed), but in the same way you would treat physical assets kept in an apartment or storage locker:

[T]he service provider has a copy of the keys to a user's cloud "storage unit," much like a landlord or storage locker owner has keys to a tenant's space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

Amen, Mr. Couillard. Personally, I hope the courts note this framework, and begin applying it to Fourth Amendment cases arising from Internet-based computing immediately. Furthermore, I call for Congress to explicitly codify a similar framework with laws that clearly and unequivocally state the rights of users with respect to their data in the cloud.

Then again, given the track record of our state and federal legislative bodies with respect to technology law, maybe not...

James Urquhart is a seasoned field technologist with almost 20 years of experience in distributed systems development and deployment, focusing on service-oriented architectures, cloud computing, and virtualization. James is currently market manager for the Data Center 3.0 strategy at Cisco Systems, though the opinions expressed here are strictly his own. He is a member of the CNET Blog Network and is not an employee of CNET.
by bluemist9999 January 17, 2010 6:22 AM PST
I believe something on the Internet should be private if the creator of the data takes reasonable action to ensure the data remains private.

For example, on Facebook, a post is NOT private if the sender does not restrict who can or cannot see it. However, a post with restricted visibility is considered private.

In the cloud, if I created a document and there is some way to ensure the document remains private (encryption, access control or whatnot), the document is private.

If there is no way to ensure a document remains private (I'm not sure if Google Docs has such a method), I believe the document must be considered private.
Reply to this comment 1 person likes this comment
by redwall_hp January 17, 2010 12:28 PM PST
While I believe it should be true of services such as Google Docs or Dropbox, I don't think the same follows for Facebook. It may be to a small audience, but you are broadcasting content when you publish it to Facebook. Any one of your friends could copy/paste your status, rehost your image in a public place, etc. If you're sending something to a group of people, it's not private. It's like sticking something on a bulletin board in an office or school.
by aka_tripleB January 19, 2010 9:10 AM PST
I feel it should be treated like rental property or storage. The cops don't need your permission or a warrant to search your place unless the property owner says he wants one before letting them in.
by phatak_madhu January 17, 2010 6:25 AM PST
Technology has always posed a challenge to the legal firms...they should think in new ways rather than sticking to the old ways of making laws
Reply to this comment
by SergeM256 January 17, 2010 1:39 PM PST
No, they should apply existing laws. For every technology-related issue there is always a real-life, material-world equivalent. Try to name at least one issue that cannot be resolved using traditional, 200-year-old law.
3 people like this comment
by Demerit January 18, 2010 7:22 AM PST
@SergeM256

The stem cell issue is related to Roe v. Wade and Roe v. Wade is related to the unalienable rights "Life, liberty, and the pursuit of happiness"...has not been resolved.

The automatic weapons issue and how it relates to the 2nd Amendment (and the intent of which)...has not been resolved.

Sure there *may* be related "real-life/material-world" issues but that does NOT automatically mean that even those "real-life" issues have been resolved. So, suggesting that we apply existing laws that don't effectively work for even our 200 year old issues is not reasonable.

That's like trying to hit a broken nail on the head with a broken hammer.
by ::G January 20, 2010 11:18 AM PST
@Demerit

Re automatic weapons v. the 2nd Amendment, it is very cut and dried. The people were intended to have access to the same weapons as the military, because the people themselves were intended to be the country's defense. The only fuzzy category of weapons is of the nuclear type -- most people couldn't afford those anyway, though. Hell, I don't trust the government to have military weapons! They have a monopoly of force. Things would be much better off if the thugs in charge couldn't muscle the people around so much.

Re Roe v. Wade: the issue is if the unborn infant is a full-fledged human or not, with all the rights and privileges thereof, because if it were, terminating it is malum in se. And since there's no practical difference between a child just before and just after birth, nor is there a logical and consistent way to delineate a clear point in gestation where one's humanity begins, it must in fact be at conception. However, as a society we make trade-offs: for example, we execute criminals who are a quantifiable threat to society (for non-supporters of capital punishment, an executed life sentence is virtually the same effect). Most of us do not consider that malum in se. If there's any argument for abortion it must be a rationale for trading an infant's life for a comparable objective (such as saving the life of the mother).
2 people like this comment
by SergeM256 January 20, 2010 2:49 PM PST
Some legal issues cannot be resolved ever, like 2nd Amendment. Most people would agree there should be some limits on 2nd Amendment rights but would disagree what these limits are. It is not a new issue, I believe in ancient Rome they had some sort of regulation limiting size of sword that private citizens may carry and, perhaps, they had some kind of debate that we have now.
1 person likes this comment
by ade333 February 2, 2010 9:22 AM PST
@::G People like you make me sick. Why not ADMIT that some issues are unresolved instead of trying to sum them up with your opinion-laden responses that are posed as matter of fact. Please please please do whatever you can to increase your ability to relate to the rest of the world. We all have to live with the majority and the minority at the same time- respect that... please.
by BirdDog01 January 17, 2010 6:49 AM PST
But the bank does not have the key to your safe deposit box. Lose the key, and you have to pay them to drill the lock and replace it.
Reply to this comment
by Magallanes January 18, 2010 7:40 AM PST
yes, the bank "doesn't" have a supply key for just-in-case... *blink blink* ;-)
by Ken4usa April 13, 2010 1:18 AM PDT
I Don't Know About That...
by StuHamstra January 17, 2010 7:11 AM PST
One must remember that the Supreme Court can only decide on actual cases brought before it. Apparently no one to date has had to bring this matter before any court - and I assume that so far, this means no one's data has been detected to be breached by any authority.
Reply to this comment
by Magallanes January 18, 2010 7:38 AM PST
Because if, for example, the FBI accesses and duplicates the information from a rack of servers, then you won't know about it until you find that your information was leaked or your information was used against you in a tribunal.
by smp501 February 5, 2010 11:24 AM PST
I agree with Magallanes. I have a feeling that right now the FBI is already doing this, and we will hear a report about it in 3-5 years. Then some high-ranking FBI agents will get a stern talking-to by Congress and the issue will be closed. Sound familiar?
1 person likes this comment
by Ken4usa April 13, 2010 1:23 AM PDT
911 is used to breach our 4th Amendment...
by frankerin January 17, 2010 8:03 AM PST
There are two dangers as I understand the present socio-political-legal world.

First, the lawyers will never allow any law to be clear and unequivocal; there is no financial future in unambiguous law and further they have never done it before. Kudos to T Jefferson.

Second, momentum is legally now in the hands of the 'peace officers', the TSA, HSA, etc. and the traditional protectors of the people. "And for your safety, ma'am, I am handcuffing you to the car door." They operate on the 'sin first, get forgiveness later', which satisfies all kinds of people, (I'll go naked as long as I am safe. Protect the children) except those whose lives are accidentally on the allegedly criminal servers. Never take a fact laden laptop overseas, when you return you may never see it again.
Reply to this comment 2 people like this comment
by redwall_hp January 17, 2010 12:33 PM PST
"Never take a fact laden laptop overseas, when you return you may never see it again."

That is the beauty of the "cloud." You can store your files on a server somewhere, and bring a "clean" laptop with you. Nobody can get to those files unless they know where you store them, and the authentication details.

That brings us back to the problem of this article: Does, and should, the fourth amendment cover the cloud? I'm not a lawyer, but I say it should. (To clarify: It should cover cloud services, but obviously not social media, which is a form of publishing data.)
by Hokulea January 17, 2010 4:49 PM PST
@redwall_hp When you state "You can store your files on a server somewhere..." I hope you realize that any particular server is subject to the laws of the host country/state it is physically located in. Those laws vary. Additionally, you're making assumptions when you state "Nobody can get to those files...". There are several entities, government and otherwise, that can "get to those files" either legally or illegally and most likely you would never know.

There are very few companies that will voluntarily acknowledge a data breach should one occur. Very few places, even within the US, are required by law to notify customers their data has been compromised.

If you do store data in the cloud, I suggest you read your TOS contract thoroughly. Most likely you will find that you have little to no legal recourse if your personal data is stolen, lost, or misplaced. Until data in the cloud is as protected as a document in a safe deposit box, I am not going there.
1 person likes this comment
by ade333 February 2, 2010 9:26 AM PST
@Hokulea

" Very few places, even within the US, are required by law to notify customers their data has been compromised."

This isn't very accurate. Quite a few states have laws that now require full disclosure when an issue arises. Many of the states that do not have a law yet are actively working on one.
by Sam Papelbon January 17, 2010 1:15 PM PST
the whole 'third party' thing is idiotic. that would be like giving the police the right to search any apartment that is shared by roommates because they each have entrusted each other with their property, so they should have no expectations of privacy.

in my opinion, the police should have to follow the exact same laws regarding privacy as all other citizens including criminal surveillance laws. the only exception is if there is a search warrant or if the police witness a crime in progress and follow the suspect into their house, in which case it is still limited to things within plain sight until they can get a search warrant.

i just believe that the only thing separating a cop from an average citizen is, and always should be, that if they see a crime being committed, they are legally authorized and expected to respond to it. they are like the people seated in the exit row of an airplane. nothing more.
Reply to this comment
by SergeM256 January 17, 2010 1:20 PM PST
As always, lawyers are over-complicating the issue. Same rules should apply as if you rent a storage unit or safe deposit box, simple and clear. It doesn't even matter if you have key or not (concept "even if door was open"). On a cloud, you simply rent storage place. Of course, if you publish your data on the Web, i.e. intentionally make it available to anybody, like posting on Facebook, it is public domain.

There is nothing new in this world, all technology-related issues could be easily resolved using traditional (classical Roman) law.
Reply to this comment
by Lerianis4 January 17, 2010 1:26 PM PST
Correction, SergeM256.... if you publish your data on the internet and do not 'limit' it to only friends online, THEN it is public domain and you have no right to whine if your privacy is infringed.
by SergeM256 January 17, 2010 1:49 PM PST
Yes, that's what I meant - available to anybody - i.e. every person on the world could see it without making any unusual efforts (like hacking and breaking into an account). If it is limited to well-defined group, no matter how big it may be, it's private.
by Demerit January 18, 2010 7:29 AM PST
@SergeM256

First you reference 200 year-old law, implying that nothing new has changed since then.

Now you're referencing 2,000 year-old law and saying that there's nothing new since then.

Since you're being so arbitrary, why don't you up it by another couple factors of ten and say:

"Nothing has changed since the invention of the wheel!"

"Eye for eye! It was good enough for my grand-pappy!"
by Lerianis4 January 17, 2010 1:25 PM PST
The Fourth Amendment covers online and offline both, the Constitution does NOT discriminate with that. It's a 'period, done with, over' type of thing, and everyone with a brain knows that.
Reply to this comment 2 people like this comment
by jaguar717 January 17, 2010 9:47 PM PST
Well, except the thugs running the country, who think the Constitution is a "living, breathing document" where rights are something they can give, take, or create out of thin air, and that the Bill of Rights is a tool giving government power to trample individuals, rather than being the people's defense against intrusive government.
by Sporlo January 17, 2010 1:40 PM PST
Sounds like a good idea. But if we could somehow make home servers affordable for enough people, then we wouldn't need clouds owned by massive companies.
Reply to this comment
by SergeM256 January 17, 2010 2:17 PM PST
No, it is not about home servers. Cloud is data stored somewhere else. If your home gets burned down or your city gets destroyed by flood or earthquake, you still have your data, stored on different servers somewhere thousands of miles away.
1 person likes this comment
by scottfillmer January 17, 2010 2:22 PM PST
Not sure it will ever come to this, perhaps for some techies who can't really afford home-based servers but cloud data is still a little more secure from fire and natural disasters than something sitting in someone's home. Even with that, hard to imagine the cost per gig would ever catch up to the cost for the cloud, for the consumer, where many services have free server space. Good idea though.
1 person likes this comment
by guzzokhino January 18, 2010 6:18 AM PST
yes but
Reply to this comment
by drewbyh January 18, 2010 10:27 AM PST
Yes, the Fourth Amendment covers the "cloud" just as it covers your bank accounts, your PO Box or your car. Yes, even if the car is leased.
Reply to this comment
by biffhenerson January 18, 2010 3:06 PM PST
Perhaps a 300 unit apartment building should be shut down because illegal activity was occurring in one of the units. (analogy to a server hosting many customers' data and one customer hosting illegal content) The police/courts shut down entire servers or server farms because it is easy to do and they don't understand how they work. It's easy to just pull the plug and sort things out months later. As far as anything being private? Off the record, not a chance. On the record, there are laws that limit what can be presented in court.
Reply to this comment
by krosafcheg January 18, 2010 9:03 PM PST
Encrypt, encrypt, encrypt. "They" are forcing all the common man's hands. Intoxicated with power and paranoid about the obvious and overlooking the dots that are already connected. Fail.
Reply to this comment
by gjkezski February 8, 2010 5:37 PM PST
Encryption is great, the only problem is that if the Law confiscates a server they will of course attempt to crack ALL encrypted files operating under the assumption that anything encrypted MUST be something illegal or why would it be encrypted in the first place.
by 247mark January 19, 2010 9:09 AM PST
The Fourth Amendment protects against "unreasonable" searches and seizures. Only unreasonable searches and seizures are protected, a point often missed. Lack of a warrant will not make the search unreasonable as there are many exceptions to the warrant requirement. A determination in each case needs to be made as to whether the search or the seizure was unreasonable and, therefore, illegal. Moreover, this is not lawyers complicating the matter. You'd be damn glad to have a lawyer arguing your case if your privacy was at risk. In light of the times we live in, the right of the people to be free from unreasonable searches and seizures is often subjugated by "national security interests." Like it or not, that's what is going on. Furthermore, people's increased inclination to post everything they do online doesn't do much to show a reasonable expectation of privacy. If you really had a reasonable expectation of privacy, you would keep the data on your own computer where it is less likely to be hacked. It's not as convenient as easily accessible online data but then you should consider whether privacy or convenience is of paramount concern.
Reply to this comment
by Dr_Zinj January 19, 2010 10:35 AM PST
E-mail in your box is subject to the reasonable expectation of privacy. You need a user id and a password to access it. Doesn't matter if it's encrypted or not. It holds the same level of expectation of a letter sitting in my mailbox on the side of the street. Ditto your text messages and e-mail in transmission. Same concept as if you were talking on a telephone. You want to listen in on the stream, you need a warrant to do so legally.

Once your message or e-mail has reached its destination, all bets are off. If the receiver wants to post it publicly for the whole world to see, you have no right to privacy in that case.
Reply to this comment
by ade333 February 2, 2010 9:36 AM PST
The debate on this only exists because the bounds of the law want to be tested by the government. The debate is not about what the law intended, but how it can be circumvented or worked-around. In our hearts we all know that this is a much simpler issue. Our privacy should be protected as fully as possible, vs. exception being made when something vague comes up. Too often privacy forgets about intent... we are being forced to change our expectations by security cameras and the like, but that does not mean our intent is being manipulated as well. We need to make sure that line is not greyed. Perhaps one of the more important things to consider when electing our leaders.
Reply to this comment
by Ken4usa April 13, 2010 12:52 AM PDT
Applying Fourth Amendment Principles to Evolving Privacy Expectations I Believe it's Real Simple, If You Haven't Given permission to an individual, or company Or Law enforcement then it's "unlawful" for anyone to read what you have put in writing, unless you have given them permission, nothing has changed concerning the Fourth Amendment...
So Stop Complicating it!
Ken4usa
Reply to this comment
by Ken4usa April 13, 2010 1:04 AM PDT
Again, If you have E-Mail, And a 3rd Party is involved in the transaction, you Have Not Given them Permission to Give It Out To Anyone Else. Therefore to do so Would be a Violation Of The Fourth Amendment.
Ken4usa
4,13 2010. 1:04am
Reply to this comment