The cloud and the future of the Fourth Amendment

By David A. Couillard

In mid-April, a coalition of privacy groups filed a brief in federal district court in Colorado, defending Yahoo against attempts by the federal government to obtain the contents of Yahoo Mail messages without first obtaining a warrant. One month earlier, the Justice Department filed a 17-page brief arguing that Yahoo Mail messages do not fall under current statutory protection because, once opened, those messages are not considered to be in “electronic storage.”

The privacy coalition—which included Google—came to Yahoo’s defense, arguing that users with e-mail stored in the cloud have a reasonable expectation of privacy in the contents of that e-mail, and should thus be protected from warrantless searches by the government. (Hopefully the irony of Google opposing robust searches is not lost on Google’s attorneys.)

Unfortunately, the protections afforded by the warrant requirement have not yet been fully extended to the digital “cloud.” This handy metaphor for the ethereal Internet as a storage and access hub is coming to have other implications: can we really conceal our data inside this cloud, shielding it from government intrusion?

In fact, there is not even any guarantee that e-mails stored locally on a personal home computer will be afforded such protection. But as this novel question has remained unanswered by the sloth-like pace of legal innovation, a dozen more questions have cropped up. Meanwhile, the technological innovators are demanding faster answers.

The Fourth Amendment and reasonable expectations of privacy

The Fourth Amendment to the US Constitution provides that the people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” The Fourth Amendment also provides a method by which an otherwise unreasonable search might be characterized as “reasonable” and, therefore, constitutionally valid: by aid of a warrant, issued “upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Requiring law enforcement to properly justify itself before conducting invasive searches offers an essential layer of constitutional privacy protection which, if breached, renders the improperly seized evidence inadmissible in court against the person whose privacy was violated. But a warrant is not always necessary to make a search reasonable. In some situations a search and seizure is reasonable without the need for a warrant, such as when items are in plain view, or when a person consents to being searched.

Over time, the courts have developed a standard for determining when a search requires a warrant and when it is reasonable on its own. This standard, which requires a warrant only if there exists a “reasonable expectation of privacy,” originated from a 1967 Supreme Court case involving the wiretapping of a phone booth. In that case, because the phone booth had a door which could be shut behind the user, he was deemed to have reasonably expected that nobody was listening in. The presence of a physical barrier also acted as a legal one.

The “reasonable expectation of privacy” test actually has two requirements. First, the person must have had a subjectively reasonable expectation that the item was private. Second, that item must also be something that society in general is willing to objectively recognize as reasonably private. In other words, it’s not enough that you think your fenced-in backyard is private if society as a whole would find it unreasonable to think so. Sunbathers beware.

Nuances in this standard have developed in the years since the phone booth case. One such nuance is the “third-party doctrine.” For example, the police do not need a warrant to obtain a list of the phone numbers you have dialed and when those calls were made, because, unlike the content of your calls, the transactional data is part of the business records of a third party—the service provider.

Similarly, receipts and checks exchanged with a bank or retailer are not considered to enjoy Fourth Amendment protection, because society is not prepared to reasonably expect privacy in those documents. This third-party doctrine has narrowed the situations in which a warrant is required to conduct a search.

Of course, as the courts have narrowed these protections vis-à-vis the Constitution, Congress has passed legislation fortifying the constitutional protections and filling in the gaps created by new technologies. But there are two major problems with those fortifications. First, statutes can be overturned or repealed, whereas constitutional protections provide more permanent safeguards. Second, most of these laws are decades old and have hardly been updated to account for changing technologies.

Among these laws is the Stored Communications Act (SCA), which was passed in 1986. The SCA is at the heart of the dispute between Yahoo and the Justice Department, and the government’s position is that e-mails in the cloud that have already been opened are no longer in “electronic storage,” and thus fall outside the protection of the statute.

Updating these statutes is one short-term option. But, just as Google and the other groups defending Yahoo have argued, there is a basis for interpreting the “reasonable expectation of privacy” standard to cover these new cloud computing and storage uses, shielding at least parts of the cloud with the protection of the warrant requirement.

The differing evolutions of technology and law

The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.

With massive increases in bandwidth, wireless access, and mobile device use over the past decade, remote storage (and cloud computing generally) has changed the way in which the Internet is used. Rather than being a purely public medium, the Internet has become a means of private storage and mobile or remote access.

This is in stark contrast to ten or fifteen years ago, when data was often uploaded for the intended purpose of sharing it with a mass audience. Bandwidth and access limitations made it unfeasible for everyday Internet users to rely on the cloud to efficiently store and access their private files, and mobile devices were not yet powerful enough or pervasive enough for consumers to even need such “everywhere access.”

Unfortunately, the law generally does not evolve as quickly as technology. The 1967 phone booth case was the first time telephone conversations were recognized as constitutionally protected from unreasonable searches—nearly one hundred years after the telephone was invented. The Internet and cloud computing have taken a fraction of that time to reach wide market penetration, and show little sign of slowing down. But since Moore’s Law does not apply to legal innovation, the disparities between technology and the law are likely to become even greater.

Take, for example, the case City of Ontario v. Quon, currently pending before the US Supreme Court. Although the case is not precisely within the scope of what we often think of as “cloud computing” (online storage and manipulation of e-mails, photos, documents, and so on), it deals in a similar realm—the storage of text messages within the servers of a service provider. The city of Ontario, California, contracted with Arch Wireless to provide text messaging services for, among others, the city’s police department. Although the police department had no official policy regarding use of the pagers for personal versus work-related messaging, the unofficial policy was that if an officer went over the limit but paid the overcharge fee, their messages would not be audited.

The department later decided it would audit some of these texts and found a significant number of sexually explicit personal messages. Several officers sued, claiming their Fourth Amendment rights were violated because the department, being an agent of the government, should have been required to obtain a warrant first. The district court and the Ninth Circuit Court of Appeals both agreed that the officers had a reasonable expectation of privacy in the content of their texts, and analogized the stored text messages to e-mail, among other things.

The Supreme Court just heard oral arguments in Quon on April 19th, and based on the Justices’ questions and demeanors, they did not seem overly sympathetic to the officers’ privacy concerns—at least not enough to extend Fourth Amendment protections to their stored text messages. In part this may be because the facts in this case were simply not compelling enough; society is likely not prepared to recognize that police officers should have an expectation of privacy in their city-issued (and taxpayer-funded) work pagers.

Though the future of Fourth Amendment protection in the cloud will probably not be foreclosed by this case, it may create a hurdle for privacy groups and entities such as Yahoo and Google who are looking for more favorable Fourth Amendment treatment by the Supreme Court. The Court’s decision in Quon should come out later this summer. Whatever the ultimate decision may be, these groups will undoubtedly be looking for any……



TR10: Cloud Programming

Joseph Hellerstein wants cloud programmers to reach new heights.   Credit: Toby Burditt

A new language will improve online applications.

By Erica Naone

(From MIT Technology Review) This article is part of an annual list of what we believe are the 10 most important emerging technologies.

Cloud computing offers the promise of virtually unlimited processing and storage power, courtesy of vast data centers run by companies like Amazon and Google. But programmers don’t know how best to exploit this power.

Today, many developers are converting existing programs to run on clouds, rather than creating new types of applications that could work nowhere else. And they are held back by difficulties in keeping track of data and getting reliable information about what’s going on across a cloud. If programmers could solve those problems, they could start to really take advantage of what’s possible with a cloud. For example, an online music retailer could monitor popular social-media feeds; if a singer suddenly became a hot topic, advertising and special offers across the retailer’s site could be instantly reconfigured to make the most of the spike in interest.

At the University of California, Berkeley, Joseph Hellerstein thinks he can make it much easier to write complex cloud applications by developing software that takes over the job of tracking data and keeping tabs on what’s happening. His big idea is to modify database programming languages so that they can be used to quickly build any sort of application in the cloud–social networks, communication tools, games, and more. Such languages have been refined over the years to hide the complexities of shuffling information in and out of large databases. If one could be made cloud-friendly, programmers could just think about the results they want, rather than micromanaging data.

The challenge is that these languages process data in static batches. They can’t process data that is constantly changing, such as readings from a network of sensors. The solution, Hellerstein explains, is to build into the language the notion that data can be dynamic, changing as it’s being processed. This sense of time enables a program to make provisions for data that might be arriving later–or never.

The result is called Bloom. So far, Hellerstein’s group has used the Bloom language and its predecessors to quickly rebuild and add major features to popular cloud tools such as Hadoop, a platform used to manipulate very large amounts of data. By lowering the complexity barrier, these languages should increase the number of developers willing to tackle cloud programming, resulting in a wave of ideas for new types of powerful applications.

Hellerstein’s group is getting Bloom ready for a release in late 2010. They and others are also working on demonstrating how the techniques can be used for real-time applications such as online multiplayer games, or to watch for the warning signs of an earthquake or tsunami.

Drag-and-Drop into the Cloud

A startup promises a painless way to move existing software.

By Erica Naone

It’s one thing to design and build software to live in the cloud from scratch. It’s something else to move existing applications over to cloud-computing platforms, which many companies need to do. This often means completely rewriting parts of the code to make it compatible with a particular provider’s infrastructure. CloudSwitch, a startup based in Burlington, MA, has designed software that could make the transition almost as simple as dragging and dropping a file from one folder to another.

CloudSwitch offers software that acts as an intermediary layer between a cloud provider and a company’s applications. The software is installed at the company’s data center, and it handles the tricky task of transferring applications over to the cloud provider’s platform. The only catch is that customers must already use virtualization software–commonly used to make data centers more efficient by simulating multiple “virtual machines.”

Ellen Rubin, founder and vice president of products for CloudSwitch, explains that CloudSwitch’s software grabs information about the virtual machines running an application. It then runs a “cloud-fitting” algorithm that compares how the application works in the data center to how it would fit into the cloud provider’s infrastructure. Finally, CloudSwitch’s software translates commands between the two systems.

CloudSwitch Explorer, released as beta software last week, is a free version of the product. After downloading and installing it in a corporate data center, an administrator can move five Windows or Linux virtual machines into Amazon’s Elastic Compute Cloud, and then manage them as if they were still running locally. The company hopes that giving users a chance to try out the software this way will encourage them to buy the enterprise product, which allows for more users and more virtual machines, and will be available later this year. CloudSwitch also plans to add support for other cloud providers as it goes forward.

The company has attracted roughly $15.5 million in venture-capital funding from Matrix Ventures, Atlas Ventures, and Commonwealth Capital Ventures.


Where Secrets Aren’t Safe – Cloud Computing

‘Cloud computing’ isn’t so secure.

We’re all moving to the clouds—that’s what tech pundits keep telling us. By this they mean cloud computing, a system in which we store data on remote servers rather than on our desktop computers. The cloud offers some advantages, chief among them the fact that you don’t have to keep track of which files are on your personal MacBook Pro and which ones are on the Dell at the office. But there is one big, glaring problem with cloud computing, and it just got laid bare in Google’s recent problems with China: your stuff isn’t safe.

Google insists that cloud computing is perfectly secure. But of course Google says that—it’s trying to build a business out of it. The company sells a suite of online programs called Google Apps, including a word processor and a spreadsheet, which store users’ data on its servers. It pitches Apps as a better and cheaper alternative to Microsoft’s Office suite. Google also pushes Gmail as a cheaper and better solution than running your own e-mail servers.

But if Google is so secure, how come Chinese hackers broke into its corporate servers and stole its intellectual property? Google won’t say exactly what information got filched, but if the company can’t protect its own intellectual property, how can it protect yours? A corporate spokesman claims the attacks have made customers more confident in Google: “We’ve spoken to many of our largest Apps customers, and they were pleased not only with our ability to handle such a sophisticated attack but also with the transparency we provided.”

Pretty much every big tech shop wants a piece of the cloud. Google has already won over more than 2 million businesses, including Motorola and the City of Los Angeles. IBM, EMC, and Oracle have cloud initiatives. Amazon operates a booming cloud-computing business called Amazon Web Services. Microsoft and HP are pushing cloud computing too, announcing a $250 million initiative on Jan. 14.

The idea is that these tech giants will rent out computer power and data-storage capacity over the Internet. That way companies won’t have to run their own data centers anymore and instead will purchase IT services the way they buy electricity from a utility. That comparison between electricity and IT (at one time every company ran its own power plant, but then they moved to centralized utilities) has been the overarching metaphor for cloud computing, promoted in books like The Big Switch by tech pundit Nicholas Carr.

Carr is a brilliant guy, but there is one obvious problem with his analogy: information is not at all like electric power. Electricity is a cheap, dumb commodity. Nobody wants to steal your electricity, and even if someone did, who cares? Information, on the other hand, may be the most precious thing your company has.
