There is currently a lot of talk about privacy in digital communications and storage of information. Facebook has been slammed in the past for ignoring its users’ privacy with confusing or misleading settings. Just this week they announced enhanced and new settings, including two-factor authentication, so they are making progress. Other cloud service providers have different takes on privacy, but most have policies saying they will not collect and store personally identifiable information (PII), unless needed to perform a transaction. They also say that you own the data you store and that they take no responsibility for it.
But what about your right to keep that data private from a search? I’m not talking about a search engine, but a legal search. The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property; many other countries have similar laws. If you store data in the cloud, is it protected under the Fourth Amendment?
If a law enforcement agency has probable cause to investigate your cloud service provider and seizes the servers it owns, how does that affect your Fourth Amendment right not to have your data on those servers seized? It should be the same as if law enforcement came into a business and seized the filing cabinets: without a warrant covering the information under lock and key, they have no right to look at it. Unfortunately it is not that clear in the cloud.
I was recently pointed to a paper written a few years ago by David A. Couillard, entitled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing”, that gives context to this discussion. Couillard analyzes some of the issues facing organizations that store information in the cloud. He argues that data placed in the cloud has (or should have) some level of Fourth Amendment privacy protection.
Fourth Amendment protection requires a reasonable expectation of privacy. Historically it has focused on physical objects and premises, such as a person’s personal property in their home or business. But the data you put into the cloud is neither physical nor on your premises. There is legal precedent for lock-and-key privacy when it comes to personal possessions. For example, if my car is searched because of a traffic violation, my locked briefcase is considered private unless someone produces a search warrant to examine its contents. Of course, the California Supreme Court recently ruled that the contents of a cell phone were fair game during such a search, so things are not straightforward.
When you store something in the cloud, the container is virtual. Even though it is technically sitting on a hard drive in a data center, virtualization makes it feel like a virtual location, and the abstraction of the Internet, with my data reachable at any time from any device in any place, reinforces that perception. Since there are few ways to physically conceal a virtual container, encryption is the cloud’s equivalent of opacity. It plays the role of the locked briefcase I mentioned earlier: no one can see through the briefcase, so it is opaque and its contents are private. The same should apply to my encrypted data in the cloud.
Many cloud service providers store information in an encrypted state; if you aren’t sure about yours, check. At a minimum, the provider should encrypt your data in transit with TLS (still commonly called SSL). An HTTPS URL and a certificate your browser accepts without warnings are the quick check; the terms of service and the feature or capability lists should tell you the rest. Data at rest should be encrypted with AES (some older services still list Blowfish or similar ciphers). This protects your data from someone who steals or copies the disks. It only protects it from a search and seizure process, however, if the provider cannot decrypt it on demand, which means the key must be yours rather than the provider’s: encryption done by the provider with the provider’s own keys is undone by the provider as soon as it is legally compelled to do so.
The fact that your data is encrypted and stored on someone else’s servers implies an expectation of privacy. Couillard suggests in his paper that Fourth Amendment rights apply to this situation in the same way as to a safe deposit box. Your service provider has the keys to the facility and the disks where your data is stored, just as your bank has the keys to the vault that holds your box. The box is considered private, and law enforcement does not have the authority to simply demand the keys from your bank and open it; they need a warrant for the box itself. The same thinking should apply to the cloud, with one practical caveat: the analogy holds only if you, not the provider, hold the decryption key. If the provider holds the key, a demand served on the provider can yield your plaintext without your ever being involved.
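The safe deposit box argument above, and the checklist two paragraphs earlier, both come down to who holds the key. The following is an added example (mine, not code from the post or from any provider) of what “the key is yours” looks like in practice: the client generates a key, encrypts each object with AES-256-GCM before upload, and the provider only ever stores ciphertext. It uses only the Go standard library; the helper names NewKey, Seal and Open are my own, and the document and object name are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not from the post: client-side ("customer-held key")
// encryption with AES-256-GCM. The key is generated and kept by the client;
// the provider only ever stores Seal()'s output. NewKey, Seal and Open are
// hypothetical helper names chosen for this illustration.

const keySize = 32 // 256-bit AES key

// NewKey returns a fresh random key. In practice it would be wrapped with a
// password or a hardware token; it must never be uploaded alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext and returns nonce || ciphertext || GCM tag.
// aad (here: the object name) is authenticated but not encrypted, so one
// object's blob cannot be silently substituted for another's.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per object
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a wrong aad, or any modification of the
// stored blob makes the GCM tag check fail and returns an error.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document and object name; not real data.
	doc := []byte("Board minutes: merger talks with Acme Corp are ongoing.")
	name := []byte("minutes-2011-05.txt")

	blob, err := Seal(key, doc, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes, starting %x...\n", len(blob), blob[:8])

	// The provider's own at-rest key (or a seized disk) is useless without ours.
	providerKey := make([]byte, keySize)
	if _, err := Open(providerKey, blob, name); err != nil {
		fmt.Println("provider-side decrypt fails:", err)
	}

	// Flipping one bit of the stored blob is detected by the GCM tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, name); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// Only the key holder recovers the plaintext.
	pt, err := Open(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovers: %q\n", pt)
}
```

Two design notes. The random 96-bit nonce is fine for the number of objects one person uploads, but at very large object counts you would switch to a per-object key or a counter-based nonce. And the price of holding the key yourself is that the provider can no longer index, search or deduplicate your content for you; that is precisely the property that makes the locked-briefcase argument hold.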
Until the law catches up with technology, you can protect yourself from unreasonable search and seizure by encrypting your important information and holding the key yourself. You should do this whether your information is local or in the cloud. Check that your service providers encrypt and protect your data, and find out who holds the keys. Moving information to the cloud has tremendous benefits, but you don’t want to give up your right to privacy in exchange for convenience.
As Benjamin Franklin said many years ago “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
Photo credit Arenamontanus