Summary: In a February 10th presentation at SCU, ACLU-Northern CA Technology and Civil Liberties Policy Director Nicole Ozer warned that cloud computing could compromise the privacy rights of its users. The problem is that, since the information stored in "the cloud" is not in your office or data center, it may not be considered your private property or an extension of your filing cabinet. Once this information is located in one or more databases "in the cloud", it may be accessed and used in ways that individuals never envisioned or intended, and with little oversight. Governments can dip into this treasure trove with a subpoena; companies can mine this information to build profiles, deliver targeted advertising, and share it with others. And with the lengthy data retention periods and ineffective deletion procedures of many companies, users may find it very difficult to remove their data once it is uploaded.
In particular, the state or federal government could issue a subpoena that would force the cloud computing provider to turn over its records on your computer usage. Such subpoenas have no judicial oversight, meaning that your privacy rights would be compromised and you would be denied due process!
Background: Many companies are interested in cloud computing as a potential solution to computer and storage capacity constraints. The idea is an extension of a virtualized data center, where the cloud could potentially be an "overflow data center." In other words, computing capacity would expand during periods of high demand by using the virtual compute servers in the cloud. The major advantage here is that if the cloud can extend your data center, then you don’t need to build another one or increase the capacity of the one you have just to handle intermittent spikes in computing demand.
We have previously written about cloud computing at Viodi View:
Cloud Computing Issues: State of the Net West Conference – August 6, 2008, Santa Clara, CA
The Privacy Problem: The legal precedents being set around the U.S. are potentially devastating for enterprise adoption of cloud computing. The executive branch is repeatedly taking the position that data stored in the cloud does not have the same assumptions of privacy and due process as does data stored in your own infrastructure. The very fact that you put the data "out there" somehow strips any "expectation of privacy," which is a key criterion for the level of due process protection (based on my limited understanding of law).
A recent decision by the Sixth Circuit Court of Appeals (Warshak vs. U.S.) seemed to agree with this idea of a lower "expectation of privacy."
For more on this reference case, please refer to:
Key Question: Can the state or federal government issue a subpoena to access information you have stored with an online backup storage facility? Is privacy for online storage covered under any law?
It turns out that this is not an easy question to answer:
Looking at online data, the first question is whether the Fourth Amendment (4A) requires a search warrant to access that data. This depends on whether the record is treated as "in storage" (in which case 4A does apply and a warrant is needed) or as a "business record" (in which case 4A doesn’t apply and no warrant is constitutionally required).
There have been too few decisions on the topic of cloud computing to answer with any certainty at all. However, the more a site/service looks like a "storage facility" – a site designed solely for online storage – the better the argument for constitutional protection. Conversely, if the site uses your content for various purposes (e.g., advertisements or recommendations) and asserts some ownership over data about or generated by users, the constitutional argument is weaker.
Regarding statutory law, the primary federal law is ECPA (Electronic Communications Privacy Act), which applies (with different standards) to both communications in transit and stored communications. ECPA’s application to cloud computing is equally murky, but the same rough spectrum likely applies: the more user control, the greater the protection, and the more the site controls or uses the information, the weaker the argument for protection. It’s worth noting that ECPA as written assumes that 4A does not cover cloud computing in many forms, as it prescribes much weaker protections than the Constitution would demand, for web email in particular. The courts haven’t really addressed that assumption much, but one recent court held that 4A does apply to online email before the decision was vacated on unrelated grounds.