Does the Fourth Amendment cover 'the cloud'?

A University of Minnesota law student has written what may be a seminal paper laying out a clear and workable framework for applying the Fourth Amendment to the data stored and manipulated in "the cloud."

James Urquhart
James Urquhart is a field technologist with almost 20 years of experience in distributed-systems development and deployment, focusing on service-oriented architectures, cloud computing, and virtualization. James is a market strategist for cloud computing at Cisco Systems and an adviser to EnStratus, though the opinions expressed here are strictly his own. He is a member of the CNET Blog Network and is not an employee of CNET.
James Urquhart
5 min read

One of the biggest issues facing individuals and corporations choosing to adopt public cloud computing (or any Internet service, for that matter) is the relative lack of clarity with respect to legal rights over data stored online. I've reported on this early legal landscape a couple of times, looking at decisions to relax expectations of privacy for e-mail stored online and the decision to allow the FBI to confiscate servers belonging to dozens of companies from a co-location facility whose owners were suspected of fraud.

However, while I've argued before that the government has yet to apply the right metaphor to the modern world of networked applications and data, there has been little literature that has actually dissected the problem in detail. Even worse, I've seen almost no analysis of how the United States Constitution's Fourth Amendment, which guards against unreasonable searches and seizures, applies to Internet-housed data.

Flickr/Thorne Enterprises

However, I just had the pleasure of reading an extremely well-written note in the June 2009 edition of the Minnesota Law Review titled "Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing (PDF)." Written by David A. Couillard, a student at the University of Minnesota Law School expected to graduate this year, the paper is a concise but thorough outline of where we stand with respect to the application of Fourth Amendment law to Internet computing. It finishes by introducing a highly logical framework for evaluating the application of the Fourth Amendment to cases involving cloud-based data.

According to Coulliard, we aren't very far along at all today:

Under a rubric of "reasonable expectations of privacy," the Court has since defined the contours of the Fourth Amendment's application in varying circumstances. But technology and society's expectations are evolving faster than the law. Although statutory schemes exist, some argue that these laws are outdated. Meanwhile, the Supreme Court has not even addressed the Fourth Amendment's application to e-mail, let alone the expanding uses of cloud-computing platforms. Thus, Fourth Amendment law needs a framework that will adapt more quickly in order to keep pace with evolving technology.

I stated essentially the same thing in my Cloud Computing Bill of Rights back in 2008:

In order for enough trust to be built into the online cloud economy, however, governments should endeavor to build a legal framework that respects corporate and individual privacy, and overall data security. While national security is important, governments must be careful not to create an atmosphere in which the customers and vendors of the cloud distrust their ability to securely conduct business within the jurisdiction, either directly or indirectly.

Coulliard starts his analysis with how legal precedent for telephonic communications may or may not apply to the cloud. He notes that all such law is evaluated under a "reasonable expectation of privacy" test:

The reasonable-expectation-of-privacy test arose out of Katz v. United States, where Justice Harlan, concurring, outlined a two-part requirement: (1) that the person demonstrated a subjective expectation of privacy over the object and (2) that the expectation was reasonable. This test can be applied to both tangible and intangible objects. However, when the object of a search--tangible or not--is voluntarily turned over to a third party, the Supreme Court has held that a person loses their reasonable expectation of privacy in that object.

Much of the legal confusion in cases involving any form of data or transaction on the Internet since has revolved around considering whether storing your data in a third-party data center is in fact subject to the so-called "third-party doctrine." This includes cases like Smith v. Maryland, in which the courts argued that people generally gave up an expectation of privacy with regard to their phone records simply through the act of dialing their phone--as the phone company receives and processes the phone numbers, thereby becoming a party in the transaction.

Coulliard argues, however, that while Smith v. Maryland applies to the phone numbers dialed, it does not apply to the contents of the conversation, as noted in Katz v. United States. Thus, the courts should adopt a framework in which the third-party doctrine is applied much more narrowly to online content (including cloud-based data), according to Coulliard.

Coulliard goes on to discuss legal analogies of virtual containers, encryption and password protection to briefcases, locks, and keys. The argument is complex, but it turns out that in the physical world, the combination of security and opacity of a container used to store an object both affect the "reasonable expectation of privacy" test:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud...encryption is not simply a virtual lock and key; it is virtual opacity.

So, if the courts were to interpret digital assets in the same way Coulliard does, you could virtually (no pun intended) assure your Fourth Amendment protections, even in the cloud, if you simply encrypted your data. Cloud vendors, are you listening?

Coulliard wraps up with a suggested framework for applying the Fourth Amendment to "the cloud" that is very much in line with my own thinking. Treat digital assets on third-party sites not as transactions (like phone numbers dialed), but in the same way you would treat physical assets kept in an apartment or storage locker:

[T]he service provider has a copy of the keys to a user's cloud "storage unit," much like a landlord or storage locker owner has keys to a tenant's space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

Amen, Mr. Coulliard. Personally, I hope the courts note this framework, and begin applying it to Fourth Amendment cases arising from Internet-based computing immediately. Furthermore, I call for Congress to explicitly codify a similar framework with laws that clearly and unequivocally state the rights of users with respect to their data in the cloud.

Then again, given the track record of our state and federal legislative bodies with respect to technology law, maybe not...