Saturday, August 28, 2010

Major cloud computing privacy legal issues remain unresolved

As momentum continues to build for the use of cloud computing services, some significant attention remains justifiably focused on addressing security concerns about the cloud. Valid questions asked about cloud security focus on whether cloud service providers will employ adequate security mechanisms that match or exceed what potential cloud customers might implement in their own environments, and that will satisfy legal requirements for public or private sector entities subject to regulation on security measures. It is against this backdrop that the media and industry point to achievements such as Google's successful certification and accreditation by the General Services Administration for its Google Apps for Government offerings, which offer at least one data point on the nature and extent of security controls a major cloud service provider is using. For organizations that may not be obligated to adhere to specific security provisions but still want to be reassured that cloud services have sufficiently robust protections afforded to them, another area of focus is what approaches to take when contracting for services in the cloud, as eloquently explained by attorney Tanya Forsheit in an article published by the Bureau of National Affairs. The legal analyses by Forsheit and her Information Law Group colleagues have, over the past several months, included a series of posts on various legal issues associated with cloud computing, especially in the area of privacy.

From a legal standpoint, it appears that while many opinions exist on how privacy can be protected in the cloud, who should ultimately be responsible for that protection, and how law enforcement agencies and other government entities should treat cloud environments, there are more unresolved issues than there are settled ones. One significant area that serves as an example of the inability of legislation and jurisprudence to keep up with the rapid pace of technological evolution is the extent to which reasonable expectations of privacy will apply to data stored in the cloud. A large proportion of seemingly relevant jurisprudence has considered privacy protections only in the context of emails, text messages, and other online methods of communication, but no substantial case law exists that addresses general personal information stored in the cloud, which by its nature cannot necessarily be viewed analogously to data stored in file folders on hard drives owned or maintained by the parties to whom the data belongs. One of the more comprehensive treatments of this topic comes in the form of an article published in the Minnesota Law Review last year by David A. Couillard, then a third-year law student, that provides an analysis of privacy expectations in the cloud in the context of Fourth Amendment principles and case law. Couillard's article examines the reasoning applied by various federal courts in determining the reasonableness of privacy expectations associated with personal possessions, computers, and various forms of communication, and concludes with a set of recommendations on how courts might apply Fourth Amendment precedents to cloud computing.

Key legal principles gleaned from precedent rulings applicable to cloud computing environments include the intent by at least some users of cloud services to keep private data that is stored in the cloud (satisfying a requirement for establishing a reasonable expectation of privacy following Katz v. United States), the idea that online environments where information is stored receive legal protection as "virtual containers" (following United States v. D'Andrea), and the limited impact on reasonable expectations of privacy that occurs simply because information is placed with a third-party intermediary such as a cloud service provider (following reasoning courts applied in both Katz and D'Andrea). In the year since Couillard's article was published, his opinions with respect to expectations of privacy for information stored with intermediaries have been bolstered by additional rulings, particularly that of the 9th Circuit in Quon v. Arch Wireless, which found under the provisions of the Stored Communications Act (SCA) that a provider of text messaging pager services erred in turning over copies of messages stored on its servers to the City of Ontario (Calif.) police department, even though the department paid for the pager subscriptions of its employees. (The subsequent Supreme Court ruling that reversed the primary finding in Quon did not contradict the 9th Circuit's reasoning with respect to the service provider's actions and the protections afforded by the SCA.)

Couillard argued in his article that courts should recognize society's reasonable expectation of privacy in the cloud as they have done previously with respect to other technologies and media of communication. He cites the increasing willingness of people and businesses to put their information in the cloud as evidence that there is some societal expectation that privacy can and will be protected in the cloud, and such societal expectations have been factored into prior judicial decisions about expectations of privacy as other forms of technology matured and became pervasive. He also recommends that courts consider, as the court did in D'Andrea, online storage environments like web servers equivalent to physical containers when considering their protection from searches, including recognizing concealment mechanisms like passwords and encryption as satisfying individual expectations that privacy will be maintained. Finally, he posits that courts should treat cloud service providers as "virtual landlords" and apply third-party doctrine narrowly to data stored in the cloud.

The amorphous nature of cloud environments raises a challenge to conventional legal procedures such as obtaining search warrants, since the scope of the warrant has to be specified, which in online contexts means the boundary of virtual containers needs to be established. Delineating such boundaries is further complicated by the fact that in networked environments, data need not be uploaded to the cloud to be accessible via the cloud, but clearer legal precedents apply to data stored by businesses or individuals on local computer hardware than they do to data stored online by a third party. These boundaries are potentially least clear when data from multiple parties is co-located in the same storage environment, but courts have previously held different user accounts or even different file folders to be separate "containers" for the purposes of defining search boundaries, and the same sort of reasoning would allow data belonging to different persons to be treated distinctly, even if it resided on a single hard drive.

With so much of the current privacy and Fourth Amendment debate centered on privacy of electronic communications such as emails (including the storage of those emails after they have been sent and received), what remains to be seen is how general content stored in the cloud will be treated. The simple analogy applied to things like email communications is that the sender and receiver information in an email are much like the destination and return address on an envelope (to which no reasonable expectation of privacy applies), but the contents of the envelope are subject to expectations of privacy, even if no stronger protective mechanism exists than the adhesive seal. The courts' recent distinctions between transactional information and content are not always straightforward to apply in cloud computing contexts, especially given the potential to describe common user interaction with online data sources, such as searches, as transactional exchanges. In addition, because many of the underlying statutes were written at a time when current communications technology did not exist or was not widely used, some aspects of the nature of those technologies are still openly debated. For example, when the Justice Department filed a Section 2703(d) order against Yahoo to get the company to turn over the contents of email messages, the government argued that "previously opened email is not in 'electronic storage'" and therefore did not deserve the protection of the SCA. (This seems to take the email-postal mail analogy to its logical extreme, implying that the greater privacy protections afforded communications contents evaporate once the envelope is opened.) On this point no authoritative ruling will be made, since the Justice Department withdrew its request for the emails, opting not to pursue the matter, perhaps in part due to the strong objections from both online service providers and consumer privacy advocates.

On balance, it seems entirely justified for current or prospective cloud service adopters to harbor concerns about the disposition of their data stored online, not just in the face of threats of data loss, theft, or corruption, but also to keep the data private from searches. Most major online service providers, including Microsoft and Google, have existing policies and procedures in place with respect to making customer data available to law enforcement, at least when presented with a subpoena or other valid legal order, but perhaps more important is understanding whether and under what circumstances warrantless searches of cloud environments might be allowed. For their part, cloud providers could do their customers and prospects a service by making their practices and policies in this area explicit. As the Yahoo scenario shows, such policies may not prevent attempts by government agencies to gain access to data stored in the cloud or other online environments, but they would help cloud users know where their providers stand.
