Friday, September 25, 2009

Privacy and the Cloud - Part 2

A while back, I did a post on privacy and cloud computing. In it, I focused on the extent to which the 4th Amendment’s guarantee of privacy applies to data stored in a cloud.

This post is about a different but related issue: the extent to which the federal statutes that govern intercepting communications and accessing stored data apply to cloud computing.

In analyzing the statutory issues, I’m going to deal with two scenarios: In the first, law enforcement officers copy data as it is in the process of being uploaded to the cloud. (The same issues would arise if they copied the data as it was being downloaded from the cloud, but I’m going to focus primarily on uploading, for reasons I’ll explain later.)

In the second scenario, law enforcement officers copy data that is being stored on a cloud. In neither scenario do the officers obtain a warrant before copying the data.

The critical issue in the first scenario is whether the officers who copied the data “intercepted” the contents of a communication in violation of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. 9-352, June 19, 1968, 82 Stat. 197, which was codified at 18 U.S. Code §§ 2510-2521. As Wikipedia explains, Title III was adopted to implement two U.S. Supreme Court decisions: Katz v. United States, 389 U.S. 347 (1967) and Berger v. New York, 388 U.S. 41 (1967).

As I’ve explained before, in the Katz case the Supreme Court held it was a “search” under the 4th Amendment for FBI agents to wiretap calls Charles Katz made from inside a phone booth. The Court found that by going into the booth and closing the door, Katz manifested a “reasonable expectation of privacy” in the content of his calls; as I’ve explained, the Katz Court held that when one manifests a reasonable expectation of privacy in a place or thing, the 4th Amendment protects that place or thing. Since the place/thing is protected by the 4th Amendment, officers must have a search warrant or an exception to the warrant requirement to examine (search) the place/thing. In Berger, the Supreme Court held that a New York wiretap statute that did not require officers to comply with 4th Amendment requirements in order to get a wiretap authorization was unconstitutional.

We could simply be using the Katz and Berger decisions as our guide to how the 4th Amendment applies to the interception of phone calls and other communications, but Congress thought it was necessary to adopt statutes governing this type of activity. That is why Congress adopted, and the President signed, the bill that gave us the Title III-based provisions of the federal code. Title III’s requirements for intercepting the contents of communications actually go beyond the 4th Amendment in certain respects, such as requiring that a prosecutor approve applications for wiretaps and that such applications include a statement by officers saying that they need to use wiretaps because other methods have been tried and failed (or are likely to fail) or are too dangerous to use.

Okay, all that means is that law enforcement’s intercepting the contents of telephone calls must comply with the requirements of the 4th Amendment as slightly expanded by Title III. (Failing to do so is a crime.) So we need to review what Title III says.

When it was originally adopted, Title III applied to intercepting the contents of phone calls. In the Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848, Congress expanded the scope of Title III so it now applies to “wire, oral or electronic communications.” 18 U.S. Code § 2511(1)(a). That brings us back to the first scenario: Law enforcement agents copy a file as I upload it to my storage in the cloud; we’ll assume, for the purposes of analysis, that the file is a text file, so its contents are analogous to the conversations Katz had in the phone booth. (I’m not saying that the file wouldn’t contain “content” encompassed by Katz or Title III if it consisted of jpgs or other non-text data; I’m simply assuming text to make the analysis as analogous to what happened in Katz as possible.)

If the agents copy the file as I am sending it to the cloud, have they “intercepted” the contents of an electronic communication? The original version of Title III defined “intercept” as the “aural acquisition” of the contents of a phone call. The drafters of Title III didn’t spend much time defining intercept because the only way you can capture the contents of a phone call is to do so in real-time, because the content’s existence is transient. That, of course, changed with electronic communications; you can capture them while they’re being transmitted or while they’re in storage (which we’ll get to in a minute). In this first scenario, though, I think we clearly have the “interception” of the contents of the file because the agents acquire the contents contemporaneously with the transmission of the file to the cloud. Courts have held that interception requires that the officers capture the contents while it is being transmitted.

So we have interception. We also have the acquisition of the contents of the file, so we have two elements – interception and contents – that are analogous to what happened in Katz. The critical issue, I think, is whether we have an electronic “communication.”

Section 2510(12) of Title 18 of the U.S. Code defines terms used in Title III. It defines an electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce”. On its face, that definition is, I think, clearly broad enough to encompass my transferring data from my computer to a server in a cloud. A prosecutor, however, could argue that my transferring data from my computer to the cloud server is not a communication because I am not transmitting information to another human being.

I can’t find any reported cases that deal with this issue, but Black’s Law Dictionary defines communication as the “exchange of information by speech, writing, gestures, or conduct; the process of bringing an idea to another's perception.” Black’s Law Dictionary (8th ed. 2004). Since Title III was implementing the Court’s decision in Katz, that is exactly the kind of communication it was intended to protect, which means this could be a very credible argument.

I focused the first scenario on my uploading the file to the cloud – instead of on my downloading it from the cloud – because I thought uploading was conceptually a little more analogous to the calls at issue in Katz than downloading. In downloading, the transfer of data is coming from an inanimate source to me; even though I initiated the transfer, it looks a little less like Katz’s phone calls, I think, than uploading.

That brings me to the second scenario, in which the officers copy the file as it is stored on the cloud. I’m assuming the company that owns the cloud servers gave the officers access to the server on which my data was stored, so they didn’t commit the crime of unauthorized access to a computer.

In my first post on cloud computing I analyzed whether copying data stored on a cloud would violate the 4th Amendment. Though there are credible arguments that it would not, I disagree, as I explained there. In this post, I’m going to focus on whether the federal statutes that protect stored data would protect my information in the cloud.

The statute that applies here is the Stored Communications Act (SCA), Pub. L. 99-508, 100 Stat. 1860 (1986). Congress adopted the SCA to provide some protection for stored data; as I noted in my earlier post, some say it is outside the 4th Amendment under the Supreme Court’s decision in Smith v. Maryland.

The SCA applies to “electronic communication services” and to “remote computing services”, terms that made much more sense in 1986 than they do today. The SCA defines “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications”. 18 U.S. Code § 2510(15). It defines “remote computing service” as “the provision to the public of computer storage or processing services by means of an electronic communications system”. 18 U.S. Code § 2711(2).

The SCA says that providers of electronic communication or remote computing services “shall not knowingly divulge” the contents of a communication that is being stored on an electronic communication service or is “carried or maintained” on a remote computing service. 18 U.S. Code § 2702(a). The prohibition is subject to certain exceptions, such as disclosing the contents to the person who sent it or was the intended recipient and disclosing contents that the provider inadvertently obtained and that relate to a crime. 18 U.S. Code § 2702(b). Law enforcement can obtain the contents of an electronic communication that has been stored on an electronic communications service for 180 days or less by getting a search warrant that complies with the 4th Amendment. Officers can get the contents of such a communication that has been stored for more than 180 days and can get the contents of an electronic communication from a provider of remote computing services by getting a search warrant, a subpoena or a court order. 18 U.S. Code § 2703(b). The premise is that communications (emails) stored for less than 180 days get 4th Amendment protection, while everything else does not.

Getting back to my second scenario, whether the officers acted lawfully when they got a copy of my file from the cloud server depends on a couple of things. One is whether the operator of the cloud server qualifies as a provider of electronic communication services or is a provider of remote computing service. If the company that owns the cloud service to which I subscribe simply operates a cloud data storage service, then it would seem to be a provider of remote computing services; if that is true, then the officers could use a subpoena (a grand jury or administrative subpoena) or a court order to get the copy of my file. Neither a subpoena nor the court order requires that they have probable cause to believe the file contains evidence of a crime, so neither satisfies the requirements of the 4th Amendment. The SCA is based on the premise that under Smith v. Maryland I don’t have a 4th Amendment expectation of privacy in stored data, so the statute is, in effect, giving me more privacy protection than I’m entitled to under the Constitution.

What if, like Apple’s Mobile Me service, the cloud operator also lets me send and receive emails? That would mean it is, at least in part, a provider of electronic communication services which, in turn, MIGHT mean the officers would have to get a search warrant to copy the file. The problem I can see here is the one I noted before -- that the contents of the file may not qualify as the kind of “communication” the SCA is talking about when it refers to communications that have been in storage more than/less than 180 days. By that, it means emails, and my file isn’t an email . . . so it probably falls under the remote computing services option, and can probably be obtained without a warrant.

Personally, I think the statutory approach is too outdated and too fragile to protect our privacy in an era of digital communications. I think this is best handled under the 4th Amendment; I think the Supreme Court should overrule Smith and apply the 4th Amendment to communications while they’re in flight and to data we (responsibly) store with reliable data storage agents.
