Cyberthoughts: Do Govt. Laws Present Undue Risk To Cloud Computing?

(updated 12/12) There has been a bit of a buzz regarding access to citizen and company data by the U.S government and the associated risks of Cloud computing in that regard. I’m talking about the recent searches of gMail and Facebook of WikiLeaks supporters. Paul Carr’s Tech Crunch article and David Linthicum’s InfoWorld story refer to these events. In addition, the New York Times ran a story on secret F.B.I. subpoenas. When you move your data to the cloud, you lose some control over government access to your data during what may (or may not) be a legal search. I touched briefly on this last year (here), in my article on the Challenges and Risks to Cloud Computing. For the purposes of this article, I’ll assume your data is still in the US, not a foreign country data center, which poses an entirely different set of risks.

At issue: an individual or business person’s ability to stop an illegal search of their data when law enforcement shows up at your data’s door (that “door” being the door to your cloud provider’s data center). There is also worry that Fourth Amendment rights will be trampled on because application data has moved to the cloud. Because your data now lives in a data center, presumably operated outside your company or home, you lose the ability to know when you are being searched, to stop warrantless searches, and to analyze the warrant and validate that the search is, in fact, legal. Unless you (or preferably your lawyers) are at the data center during the search, you can’t ensure that it adheres to the boundaries set by the warrant to prevent fishing expeditions. At the same time, you may lose control of privacy or company secrets as part of that search. How do you protect your Fourth Amendment rights if you don’t even know you are being searched? If your data is co-located with other individuals or businesses that are being searched, how are you protected from information leakage when they are searched?

Disclaimer: I am not a lawyer and nothing in this article should be considered legal advise from me.

The assumption that you don’t have to worry about this if you are a law abiding business or individual is invalid. Potentially, you lose the opportunity to even ascertain the legality or prevent illegal searches or “fishing expeditions” of your data.

My question: Are the risks really any greater than having records searched with a legal warrant that reside in a remote locker or your empty home?

As more and more businesses move to the cloud, it will be interesting to see how this issue evolves. It’s one of the many risks of cloud computing, but I don’t consider it a complete showstopper; I refuse to give into alarmist views on this topic. Given the legal decisions I’ve seen so far, I wouldn’t give it a “code red”, but laws still need to catch up. I am obviously not alone in my views, given the current state and continued growth of Cloud Computing. Many companies are willing to accept the risks. I will agree with the David Linthicum article that there are probably some that look at this as a showstopper for their move to cloud computing, but the real impact is unknown and he doesn’t provide any supporting data.

David Couillard, a Minnesota law student, made some interesting statements in a paper published in the Minnesota Law Review regarding fourth amendment rights and privacy expectations in the cloud. From his research of earlier cases, he states that “[the] Bond Court found the opacity of the container and its close proximity to the passenger sufficient to satisfy the reasonable expectation-of-privacy test even absent a lock.” David goes on to say “Several of these cases also indicate that a person does not necessarily lose his privacy interest in a closed container merely by having it in public or otherwise relinquishing direct control over it.” David discusses that a provider, like Google or Salesforce.com may just be providing a “virtual container” that is also made opaque by the use of passwords and therefore provides an expectation of privacy. Courts have spent most of their time looking at email as of his writing and the general precedence is being formed that e-mail is the same as a U.S. mail letter and the expectation of privacy is the same. It should be noted that systems logs showing possible file names, etc. may not have this level of privacy since many providers state in their privacy documents they do collect and look at this surrounding data much like phone records in order to manage their systems and correct problems. Below are a couple of extracts from David’s conclusion section.

“... Further, since users are not sharing this content with the service provider, but merely asking the provider to store it, the idea that the Constitution would permit law enforcement to subpoena from a service provider a document stored in an otherwise private account is rightly viewed as unreasonable.

One might argue that if a person wants to keep his papers and effects private, he should keep them at home or send them through the mail. But had the Supreme Court followed that line of reasoning forty years ago, people would not be able to place a private telephone call. By universally recognizing that digital content does not lose its highly personal status when it is placed online, and by further recognizing that properly concealed virtual containers retain reasonable expectations of privacy, the courts will bring Fourth Amendment law up to speed with modern technology and societal expectations. Furthermore, by acknowledging that the relationship between a cloud service provider and a user is akin to a landlord-tenant relationship and is not entirely transactional, courts will further ensure that privacy concerns do not hamper the expansion of an efficient new way to store and interact with personal digital data.

Notice that many of the statements made by David are future tense. As I write this, precedence is being set but specific laws are slow to catch up.

Criss Candelaria, an Arizona attorney, says that storing your data with electronic storage companies should be no different from storing physical files in a mini storage building. There must be a search warrant too access it. He doesn’t believe that companies give up the “expectation of privacy” with regard to electronic data that is archived in a virtual mini storage building. He does think that any contract for storage should clearly indicate that the persons are not giving up the expectation of privacy and do all possible to keep the data from exposure to outside persons. A person can give up their expectation of privacy if they knowingly expose private data to outside view however.

My current suggestion to help mitigate this risk is to look at a provider’s privacy statement to ensure that they do not poses any expectation of review or access to your data, and data is exposed only to people with authorized access. Also, ask a potential vendor about how they would handle a request for search, and how it is executed and monitored. This is a relatively new area but it would also warrant (pun intended) a review of how the vendor has handled it in the past and a discussion with your legal support on their view of your potential exposure. Also, if you have the ability, encrypt your data before it’s stored, where you are the only key holder. This gives you the keys to opening the locked container so to speak and helps ensure your data stays private. You still need to abide by a legal search warrant request but there’s no doubt that you would be aware of such a request. One example of cloud solutions that encrypts your data at your workstation before it’s stored in the cloud are network backup services. Most vendors offer this feature and encourage the use of it.

As Simon Phipps points out in his December 2012 article regarding defensive actions you can take:

First and foremost, you need a commitment (backed with substantial penalties) that your provider will never take your service offline intentionally without a substantiated and validated court order, whether you are notified in advance or not. Phrases like "at our absolute discretion" are a red flag. It's your infrastructure and your discretion that matters. Until there's proof of judicial review, no service should be rescinded without the provider being penalized. Seek providers willing to make that commitment, or if you have the negotiating power, ensure your contract includes this idea and supercedes the terms of use.

I think that the laws protecting Fourth Amendment rights need to be updated to be in alignment with the digital age, but the situation is not as dire as some would have you believe. I have confidence that my Fourth Amendment rights will not be trampled as I move data to the cloud based on my research to date. As time rolls on, court decisions regarding cloud computing, privacy, and rules for search and seizure are setting precedence that can and will be used by others, and may be the basis for new laws. It may take a significant event, like WikiLeaks related government searches we’ve seen in 2010, to act as a catalyst to modernize our laws in this regard. I would bet that Arizona appellate court Judge Claborne would have tossed any evidence or case that was aided by an illegal search on data stored in the cloud and treat those documents as if they were in a locked warehouse.