Applying the Fourth Amendment to data in the cloud

By Kristopher A. Nelson
in January 2010

600 words / 3 min.
Tweet Share In a Note called Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing, David A. Couillard explores the potential applicability of the Fourth Amendment to data stored in offsite servers: spreadsheets in Google Docs, accounting data hosted on FreshBooks, and pretty much everything synced through DropBox, just to name three example services.

Please note that this post is from 2010. Evaluate with care and in light of later events.

Constitution in the National Archives In a Note called Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing, David A. Couillard explores the potential applicability of the Fourth Amendment to data stored in offsite servers: spreadsheets in Google Docs, accounting data hosted on FreshBooks, and pretty much everything synced through DropBox, just to name three example services.

So far the courts — who, absent on-point statutes, pretty much always reason by analogy when presented with novel situations — have not yet come to a conclusion about how to treat such data. Drawing on analogies to telephones, combined guidance from statutes like ECPA, the courts have pretty much settled on their treatment of email:

The to/from addresses on e-mails have also been considered transactional data, akin to an addressed envelope. However, the contents of an e-mail have been properly classified as content data. A service provider, even if it has the capability of accessing the contents of an e-mail, is not a party to the information.

However, the status of data stored in the cloud, that is, on the servers of a third-party provider, is much less clear. Couillard must treat this is a normative rather than descriptive fashion, suggesting that the courts “should treat cloud service providers as virtual landlords” (emphasis mine).

Similarly, access to the content of a calendar, address book, photo album, text document, or private blog is not given to the service provider. Although the user might be interacting with a cloud-based word processor or spreadsheet, the content of those documents is not intended to be shared with the provider; the provider is merely providing a platform for using and storing the content via the cloud. Whatever minimal right the service provider reserves to access the contents of those files or containers, the service provider is not a party to the contents any more than a landlord is a party to what goes on behind his tenants’ closed doors due to his limited right of entry.

Couillard’s landlord-tenant analogy is a useful and necessary one. In an earlier discussions, Couillard suggested that encryption and passwords could provide the “opacity” that leads to a reasonable expectation of privacy and thus Fourth Amendment protection. Unfortunately, there is no current way for users of Google Docs, as a representative example, to take advantage of encryption or password protection to limit access by Google. Similarly, a tenant does not expect a lock fitted by a landlord to keep the landlord out — that’s the role of the law.

So, there are two takeaway’s from Couillard’s piece. First, the landlord-tenant relationship is a good one to look for when considering an analogy for the provider-user relationship when it comes to Fourth Amendment protections. Second, the data you keep in the cloud may or may not be subject to a warrant requirement before the government accesses it. Keep this in mind when you balance the pros and cons of storing your data with third parties.

Related articles by Zemanta