I’ve been meaning to get this blog off the ground for some time now, and this article over at Ars Technica (a must-read for anyone interested in law and technology) about the application of the Fourth Amendment to cloud computing finally gave me the motivation I needed. The article is a fantastic overview of many of the issues I intend to write about on this blog, and several issues raised are worth discussing.
The article correctly points out that the biggest obstacle facing the recognition of a Fourth Amendment right to privacy in the information we store in the cloud is what is known as the third party doctrine. In a case analogous to storing email, photos, and other personal information with service providers like Yahoo! and Google, the Supreme Court in Smith v. Maryland invoked the third party doctrine in declining to recognize a right to privacy in telephone numbers dialed and subsequently routed through a telephone service provider’s switching equipment. The Court reasoned that when a phone call is placed, the numbers dialed are “conveyed” to the telephone company. At that point, a reasonable person should recognize that those numbers will be monitored and recorded by the company’s equipment for billing and other purposes. Because a person voluntarily gives the phone company access to that information by utilizing its services, she cannot reasonably expect that information to remain private. It is important to point out, however, that the Court’s decision turned on the fact that the actual contents of the conversation were not monitored or recorded. Consequently, any expectation of privacy in the actual conversation would still be reasonable.
This is the problem facing communications and information stored in the cloud. Under the Court’s precedent, information that a user should understand will be monitored by a third party renders an expectation of privacy in that information unreasonable, thereby excluding it from Fourth Amendment protection. Even putting aside a fear of hackers, system administrators, and law enforcement gaining access to information stored in the cloud, it is common knowledge that most of this information is subjected to at least some superficial level of electronic monitoring. The contents of email stored in Gmail, for instance, are regularly scanned by a program designed to identify keywords to generate targeted advertising for that user. Although we may consider an impersonal scan performed by a program to be rather innocuous relative to an actual human being’s reading the same information, this distinction seems immaterial to the Court in Smith: “The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber.” The question is whether the current Court, when it eventually takes up the issue, will distinguish that case on the grounds that the monitored information wasn’t substantive and recognize an expectation of privacy in the monitored contents of emails.
In the comments to the article, many people argued that nothing sent over the Internet or stored in the cloud is truly private. Those commenters pointed out that hackers, sysadmins, and police can, at any time, gain access to personal information stored in the cloud if inclined to do so (regardless of the legality of doing so). In response, I asked the question, “Should the fact that it is merely possible for another to access your information render any expectation of privacy in that information unreasonable?”
With enough effort, a hacker could crack almost any person’s account. Does that make it unreasonable for a person to trust, nonetheless, that her stored information isn’t totally exposed?
If a person’s data becomes corrupted, an admin might have to access her account to restore it. Should we allow such rare occurrences to control our daily expectations?
Law enforcement officers may currently be able to obtain this information with relative ease, but isn’t that a circular argument for denying this information Fourth Amendment protection?
While the answers to these questions seem to me to be rather obvious, I don’t think they persuaded the more tech savvy commenters. Many seemed to view the problem in terms of absolutes, and that is hardly surprising. To the computer helpdesk employee who cringes every time she sees the infamous username/password post-it note defiantly stuck straight to the front of that monitor–or to the sysadmin constantly plugging security holes in our swiss cheese software–or to the kid down the street earning his chops on his neighbor’s unsecured wireless network, anything and everything you put on the Internet is accessible. If you want to keep it private, keep it offline.
Others, though not necessarily the author of the article, have an equally rigid but slightly more optimistic view of privacy in the cloud. They view technology as Homer Simpson does beer: the cause of –and solution to–all of life’s problems. Armed with a silver bullet, they would righteously enforce a policy of absolute exclusion. To these stalwart defenders, encryption will be the panacea of privacy. I, for one, consider it a sword of Damocles.
The notion that anything short of infallible security measures fails to give rise to a reasonable expectation of privacy would render that right a paragon of impeccability beyond reach in the Information Age. We must affirm that, even in the face of uncertainty, we are reasonable in believing that privacy can be maintained in an era of unprecedented vulnerability. Because a policy that demands abstention from modernity as the price of security is one that none of us can afford.
</soapbox>
The crux of your writing while sounding agreeable initially, did not sit well with me after some time. Somewhere within the paragraphs you managed to make me a believer but only for a while. I still have a problem with your leaps in assumptions and you would do well to fill in those gaps. If you can accomplish that, I would certainly be impressed.