Wednesday, June 10, 2009

Privacy and the Cloud

This is another post about how technology can make it difficult to decide if something is or is not "private."

I’m going to speculate about cloud computing and the 4th Amendment’s protecting us from “unreasonable” searches and seizures. The issue briefly came up at a meeting I attended last week, as one of the so-far unresolved issues evolving technology raises.

As I’ve explained in earlier posts, the 4th Amendment protects us from “unreasonable” searches and seizures; as I’ve also explained, the 4th Amendment’s guarantees only apply to state action, i.e., to searches and seizures conducted by law enforcement officers or other agents of the government. It follows, then, that the 4th Amendment doesn’t apply (i) if there isn’t a “search” or a “seizure;” or (ii) if the search or seizure is carried out by a private citizen, not an agent of the government.

As I’ve explained, a “search” violates what the U.S. Supreme Court calls a reasonable expectation of privacy. Under the Supreme Court’s decision in Katz v. U.S., 389 U.S. 347 (1967), I have a reasonable expectation of privacy in a place or thing if (i) I think it’s private and (ii) society agrees that it’s private. So in the Katz case, the Court held that Katz had a reasonable expectation of privacy in the content of calls he made from a phone booth; he thought his calls were private, and the Court found that society (at least in 1967) agreed.

A reasonable expectation of privacy is just that; it’s not a PERFECT expectation of privacy (though a perfect expectation of privacy would be a reasonable expectation). A perfect expectation of privacy would require that you do something to put the information you want to protect completely beyond the government’s reach; encrypting your data with a very secure encryption system would presumably create a perfect expectation of privacy.

The Supreme Court, however, has never imposed such a demanding and unrealistic standard because it would create a truly adversarial relationship between citizens and the government; that is, I would not be able to assume privacy based on my taking reasonable steps (like keeping my laptop in my home) to prevent the government from gaining access to my property or communications. As 4th Amendment law stands now, if we make a good-faith (reasonable) effort to keep our property or communications private, that’s enough; once we establish a 4th Amendment expectation of privacy in, say, a laptop, the government’s accessing the laptop becomes a search, which means the government has to get a search warrant or be able to rely on an exception to the warrant requirement (such as consent) to get into the laptop.

As I’ve explained before, a seizure of property occurs when the government interferes with my possession and use of that property (by, say, taking it from me). As I’ve noted before, my favorite 4th Amendment seizure case is Soldal v. Cook County, 506 U.S. 56 (1992). In Soldal, the Cook County Sheriff and some of his deputies helped the owner of a trailer park tow the Soldals’ mobile home from where it had been parked on a lot in a mobile home park. The owner of the park claimed she had the right to evict the Soldals – which involved evicting their mobile home – and relied on the law enforcement officers to keep Mr. Soldal from interfering.

The Soldals brought a civil rights suit, claiming that towing away their mobile home was an unlawful seizure under the 4th Amendment. It was clear there was state action (the Sheriff and his deputies), but for some reason the issue as to whether towing the mobile home was a 4th Amendment seizure went all the way to the U.S. Supreme Court. Sure enough, the Court said it was a seizure; how it could have been anything else is beyond me. If you tow away someone’s home, you’ve clearly interfered with their right to possess and use that property.

All right, enough 4th Amendment context. Let’s talk about cloud computing. Specifically, let’s talk about whether I would have a 4th Amendment expectation of privacy in data I store in the cloud.

As I explained in a law review article, the 4th Amendment was developed at a time when the only privacy was spatial privacy; for something to be private, I had to keep it IN my home or office (and maybe in a locked chest), which both made it difficult for law enforcement officers to gain access to it and symbolically invoked my right to assume they wouldn’t gain access to it. (In other words, I could assume privacy.)

As I explained in that article, our lives have already moved far beyond spatial privacy; I talked about the 4th Amendment’s application to the contents of emails and what we do online -- arguing that it should apply to both, but noting that courts so far do not tend to agree. I think cloud computing will take this analysis to the next level.

Currently, courts treat data containers – laptops, cell-phones, Blackberries, etc. – as “closed containers” analogous to a locked chest or, as one court said, a footlocker. Under the 4th Amendment, we’ve always had a constitutional expectation of privacy in containers, including opaque containers we carry around with us; a police officer cannot, for example, demand that you open your briefcase so he can look through it. Since you have a 4th Amendment expectation of privacy in the briefcase (a closed container), he has to get a search warrant or your consent to look through it.

As I’ve explained in several posts, courts tend to analogize what we do online to our use of the U.S. mail; I think that analogy is valid to some extent because like sending a letter, emailing and surfing the web involve sending information via a third party. One problem I see with the analogy is that the U.S. mail is operated by the government, which means we’re sharing whatever information or property we send with agents of the government. When I email or do other things online, I share information with a private company, which I think differentiates online activity from the use of the mail, but so far no court has bought that proposition.

Actually, courts tend to rely on two analogies in analyzing what we do online: One is, as I noted, our use of the mails; as I explained in an earlier post, in a nineteenth-century decision, the Supreme Court held that sealed letters and packages are protected by the 4th Amendment, but postcards are not. Sealed items are protected because we have made an effort to protect their contents from postal employees; they are, in effect, “closed containers.” The other analogy derives from the 1979 Smith v. Maryland case, in which the Court held that we have no 4th Amendment expectation of privacy in the numbers we dial from our telephones, even our home phones, because we voluntarily give that information to the phone company. According to the Smith Court, by giving that information to the phone company, we assume the risk the phone company will give it to the government, which means any expectation of privacy we have in it isn’t reasonable.

What about privacy in an era of cloud computing? If I store my data in a cloud, is the data in a “closed container” and therefore private under the 4th Amendment? Or is putting data in a cloud analogous to giving the numbers I dial on my phone to the phone company? If courts decide the latter analogy is the correct one, then by putting data in a cloud I lose any 4th Amendment expectation of privacy in it unless and until the Supreme Court takes up this issue and holds otherwise. I can also see prosecutors making a third argument as to why cloud data is not protected by the 4th Amendment: They can say that data I store in a cloud is analogous to a postcard; that is, they can say that by giving the data to a third party, I assume the risk that employees of the cloud computing service will access it and share it with law enforcement.

I don’t think the third argument works: I think putting data in a cloud creates a bailment relationship between me and the cloud computing company (and its employees). As I explained in an earlier post, in a bailment relationship, I give my property to someone so they can hold onto it for me (a storage service, say) or transport it for me (Fed Ex, say). As I noted in that post, in a bailment I transfer possession of the property for a specific purpose and a limited time; I still retain ownership of the property, and the bailor (the person who has taken possession of it) doesn’t have the right to sell it or access it if I haven’t specifically authorized that.

I also think the validity of the third argument depends on the extent to which the data I store in a cloud is secure from the cloud computing company and its employees. If they can read the contents of the data I’ve stored with them, then I can’t have a 4th Amendment expectation of privacy in that data; it’s essentially the equivalent of sending a postcard through the mail (only worse, because I’m leaving it with the cloud computing service for a lot longer than it takes mail to travel from sender to recipient).

I don’t think putting data in a cloud is the equivalent of sharing the numbers I dial on my phone with the phone company because to use the phone company’s service, I HAVE to give it those numbers. The phone company’s systems can’t connect my calls if I don’t let them know what phone number I’m calling and what phone number I’m calling from. Since all I’m doing in cloud computing is storing data on a system, I don’t see that I’m sharing it with the owner of the cloud computing service and its employees, unless, of course, the data isn’t encrypted or otherwise sealed in a virtual “closed container.” If it’s in a sealed, functionally-opaque container, then neither the owner of the system nor its employees can read my data; it again is analogous to sending a sealed letter.

My point is that even under current 4th Amendment law, I can make what I think are valid arguments as to why the 4th Amendment should apply to data stored in a cloud (as long as the appropriate conditions exist). I really think, though, that we shouldn’t be using cases that were decided thirty years ago or a hundred and thirty years ago to set the standard for 4th Amendment privacy in an era of advancing technology. As I argued in that law review article, I think we need to move beyond a purely spatial approach to privacy to approaches that encompass both spatial and non-spatial privacy.
