In mid-April, a coalition of privacy groups filed a brief in federal district court in Colorado, defending Yahoo against attempts by the federal government to obtain the contents of Yahoo Mail messages without first obtaining a warrant. One month earlier, the Justice Department filed a 17-page brief arguing that Yahoo Mail messages do not fall under current statutory protection because, once opened, those messages are not considered to be in “electronic storage.”
The privacy coalition—which included Google—came to Yahoo’s defense, arguing that users with e-mail stored in the cloud have a reasonable expectation of privacy in the contents of that e-mail, and should thus be protected from warrantless searches by the government. (Hopefully the irony of Google opposing robust searches is not lost on Google’s attorneys.)
Unfortunately, the protections afforded by the warrant requirement have not yet been fully extended to the digital “cloud.” This handy metaphor for the ethereal Internet as a storage and access hub is coming to have other implications: can we really conceal our data inside this cloud, shielding it from government intrusion?
In fact, there is not even any guarantee that e-mails stored locally on a personal home computer will be afforded such protection. But as this novel question has remained unanswered by the sloth-like pace of legal innovation, a dozen more questions have cropped up. Meanwhile, the technological innovators are demanding faster answers.
The fourth amendment and reasonable expectations of privacy
The Fourth Amendment to the US Constitution provides that the people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” The Fourth Amendment also provides a method by which an otherwise unreasonable search might be characterized as “reasonable” and, therefore, constitutionally valid: by aid of a warrant, issued “upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Requiring law enforcement to properly justify itself before conducting invasive searches offers an essential layer of constitutional privacy protection which, if breached, renders the improperly seized evidence inadmissible in court against the person whose privacy was violated. But a warrant is not always necessary to make a search reasonable. In some situations a search and seizure is reasonable without the need for a warrant, such as when items are in plain view, or when a person consents to being searched.
Over time, the courts have developed a standard for determining when a search requires a warrant and when it is reasonable on its own. This standard, which requires a warrant only if there exists a “reasonable expectation of privacy,” originated from a 1967 Supreme Court case involving the wiretapping of a phone booth. In that case, because the phone booth had a door which could be shut behind the user, he was deemed to have reasonably expected that nobody was listening in. The presence of a physical barrier also acted as a legal one.
The “reasonable expectation of privacy” test actually has two requirements. First, the person must have had a subjectively reasonable expectation that the item was private. Second, that item must also be something that society in general is willing to objectively recognize as reasonably private. In other words, it’s not enough that you think your fenced-in backyard is private if society as a whole would find it unreasonable to think so. Sunbathers beware.
Nuances in this standard have developed in the years since the phone booth case. One such nuance is the “third-party doctrine.” For example, the police do not need a warrant to obtain a list of the phone numbers you have dialed and when those calls were made, because, unlike the content of your calls, the transactional data is part of the business records of a third party—the service provider.
Similarly, receipts and checks exchanged with a bank or retailer are not considered to enjoy Fourth Amendment protection, because society is not prepared to reasonably expect privacy in those documents. This third-party doctrine has narrowed the situations in which a warrant is required to conduct a search.
Of course as the courts have narrowed these protections vis-à-vis the Constitution, Congress has passed legislation fortifying the constitutional protections and filling in the gaps created by new technologies. But there are two major problems with those fortifications. First, statutes can be overturned or repealed, whereas constitutional protections provide more permanent safeguards. Second, most of these laws are decades old and have hardly been updated to account for changing technologies.
Among these laws is the Stored Communications Act (SCA), which was passed in 1986. The SCA is at the heart of the dispute between Yahoo and the Justice Department, and the government’s position is that e-mails in the cloud that have already been opened are no longer in “electronic storage,” and thus fall outside the protection of the statute.
Updating these statutes is one short-term option. But, just as Google and the other groups defending Yahoo have argued, there is a basis for interpreting the “reasonable expectation of privacy” standard to cover these new cloud computing and storage uses, shielding at least parts of the cloud with the protection of the warrant requirement.
The differing evolutions of technology and law
The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.
With massive increases in bandwidth, wireless access, and mobile device use over the past decade, remote storage (and cloud computing generally) has changed the way in which the Internet is used. Rather than being a purely public medium, the Internet has become a means of private storage and mobile or remote access.
This is in stark contrast to ten or fifteen years ago, when data was often uploaded for the intended purpose of sharing it with a mass audience. Bandwidth and access limitations made it unfeasible for everyday Internet users to rely on the cloud to efficiently store and access their private files, and mobile devices were not yet powerful enough or pervasive enough for consumers to even need such “everywhere access.”
Unfortunately, the law generally does not evolve as quickly as technology. The 1967 phone booth case was the first time telephone conversations were recognized as constitutionally protected from unreasonable searches—nearly one hundred years after the telephone was invented. The Internet and cloud computing have taken a fraction of that time to reach wide market penetration, and show little sign of slowing down. But since Moore’s Law does not apply to legal innovation, the disparities between technology and the law are likely to become even greater.
Take, for example, the case City of Ontario v. Quon, currently pending before the US Supreme Court. Although the case is not precisely within the scope of what we often think of as “cloud computing” (online storage and manipulation of e-mails, photos, documents, and so on), it deals in a similar realm—the storage of text messages within the servers of a service provider. The city of Ontario, California, contracted with Arch Wireless to provide text messaging services for, among others, the city’s police department. Although the police department had no official policy regarding use of the pagers for personal versus work-related messaging, the unofficial policy was that if an officer went over the limit but paid the overcharge fee, their messages would not be audited.
The department later decided it would audit some of these texts and found a significant number of sexually explicit personal messages. Several officers sued, claiming their Fourth Amendment rights were violated because the department, being an agent of the government, should have been required to obtain a warrant first. The district court and the Ninth Circuit Court of Appeals both agreed that the officers had a reasonable expectation of privacy in the content of their texts, and analogized the stored text messages to e-mail, among other things.
The Supreme Court just heard oral arguments in Quon on April 19th, and based on the Justices’ questions and demeanors, they did not seem overly sympathetic to the officers’ privacy concerns—at least not enough to extend Fourth Amendment protections to their stored text messages. In part this may be because the facts in this case were simply not compelling enough; society is likely not prepared to recognize that police officers should have an expectation of privacy in their city-issued (and taxpayer-funded) work pagers.
Though the future of Fourth Amendment protection in the cloud will probably not be foreclosed by this case, it may create a hurdle for privacy groups and entities such as Yahoo and Google who are looking for more favorable Fourth Amendment treatment by the Supreme Court. The Court’s decision in Quon should come out later this summer. Whatever the ultimate decision may be, these groups will undoubtedly be looking for any……