Bert van Uitert The Nebulous Privacy Rights of Cloud Computing I.

Introduction It is widely acknowledged that the cloud is among the most significant innovations to ever hit the technology industry.1 Some have even gone so far as to label cloud computing the next evolution of the Internet.2 In fact, cloud computing is becoming an important part of how we interact with each other, conduct our business, spend our money, and many other daily activities. As cloud computing becomes more and more ubiquitous, it becomes ever more important to understand what rights are associated with content in the cloud. The Internet has been and always will be an indisputably public medium3 and cloud computing is still in its technological infancy. This paper will define cloud computing and give a brief history of computers through the recent rise of the cloud. The discussion will then cover the clouds constitutional and statutory frameworks for privacy protection and give suggestions for future judicial and legislative decisions. II. What is Cloud Computing? The definition of cloud computing is a matter of considerable debate.4 While many definitions exist, simply put, cloud computing is the ability to run applications and store data on

Nicole D. Galli & Edward Gevovich. Cloud Computing and the Doctrine of Joint Infringement: Current Impact and Future Possibilities. 11 J. Marshall Rev. Intell Prop. L 673, 674. (2012). 2 Barry Reingold & Ryan Mrazik. Cloud Computing: The Interesction of Massive Scalability, Data Security, and Privacy (Part 1), 14 No 5 Cyberspace Law 1 (2009). 3 David A. Coulliard, Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing. 93 Minn. L. Rev 2205, 2231. (2009). (quoting U.S. v. Gines-Perez, 214 F. Supp. 2d 205, 225 (D.P.R. 2002)). 4 Ilana R. Kattan. Cloudy Privacy Protections: Why The Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud, 13 Vand J. Ent. & Tech. L. 617, 620 (2011).
1

Bert van Uitert a service providers computer over the Internet, rather than on ones personal computer.5 This takes the processing, storage, and other computational activities out of the confines of the home or business and into the nebulous backbone of the worlds servers and datacenters. Many people use cloud technology every day without realizing or understanding the technology behind the scenes. A concrete example helps to illustrate the difference between traditional and cloud computing. In a traditional word processing program (such as Microsoft Word), a user must purchase, install, and run a program locally on their computer. When the document is saved, it is to the local hard drive. Unless the computer is attached to a network, this saved document can only be accessed when someone is physically at the computer. Conversely, when word processing is done in the cloud (with services such as Microsoft Office 365 or Google Docs) usually no software is ever installed and the software is accessed through a web browser. All of the information processing and other services are performed on a server (a powerful computer at a remote location) in a datacenter (a facility filled with thousands of servers) and are then transmitted over the Internet to the users computer. These data and programs can be accessed from any internet-enabled computer, phone, or tablet. Cloud computing leverages economies of scale to bring massive computational power to the masses quickly, cheaply, and efficiently.6 As cloud computing has become a part of daily life, nearly every piece of traditional software has a cloud-based version, with services such as email, data storage, photo editing, online video rental, virtual computer systems, and nearly anything else imaginable.7

William Jeremy Robinson, Free at What Cost?: Cloud Computing Privacy Under The Store Communications Act, 98 Geo. L.J. 1195, 1199. (2010). 6 See Kattan, Supra, at 621-622. 7 A fairly comprehensive list of cloud-based services can be accessed at http://www.cloudxl.com/.
2

Bert van Uitert III. A Brief History of Computers and Networking To understand relevant privacy legislation, court precedent, and their relationship to cloud computing, one must be briefly informed of the history of computers and networking. When computers first became available in the 1960s, they were prohibitively expensive for individuals and could only be purchased by large institutions such as NASA, the IRS, and other similarly situated government agencies.8 Advances over the next two decades decreased the overall size of computers (the system originally would fill up a large room) and increased their individual processing power.9 Computers also saw advances in usability when companies such as Apple and Microsoft released intuitive personal computers that replaced the techniciancontrolled mainframes of the past.10 By the mid 1980s, stand-alone personal computers (PCs) became prevalent in homes and businesses throughout the United States.11 Soon, floppy disks and other storage devices became insufficient to handle many businesses need to pass data quickly between PCs. In response to this need, companies started connecting their computers with intra-office networks.12 In the 1990s, these networks began connecting with each other to form the Internet13 and the World Wide Web.14 The rapid expansion of the Internet (and the speed at which it can be accessed) soon led to the growth of cloud computing during the late 1990s and early 2000s. The first widely used cloud services were web-hosted email systems (webmail).15 In traditional email systems of the 1980s and early 1990s, emails were sent to a

See Robinson, Supra, at 1197. Id. 10 Id. 11 http://en.wikipedia.org/wiki/History_of_computer_hardware 12 See Robinson, Supra, at 1198; This topic alone is quite expansive. For more information, start here: http://en.wikipedia.org/wiki/Computer_network - Intranets_and_extranets 13 Inter-net. Get it? 14 See Robinson, Supra, at 1198. 15 Id. at 1203.
9

Bert van Uitert target computer and then stored on the local hard drive.16 In contrast, webmail systems store emails remotely on the providers servers, allowing users to access emails from any Internetenabled computer on the planetnot just from home or the workplace.17 The webmail model has been replicated in many other services over the years. Starting around 2004, streaming music services became an alternative to local MP3 storage.18 Online video streaming and storage exploded in 2006 when YouTube became a household name. Netflix furthered this trend by replacing physical DVD rentals with streaming TV and movie downloads.19 Recently, the cloud data storage/backup market has erupted with dozens of companies creating services to backup personal files to the cloud, synchronize files across multiple computers, and allow mobile access to important documents.20 Presently, almost any program or service available on traditional computer systems is now available in the cloud.21 IV. Constitutional Protections a. The Fourth Amendment and The Katz Test The Fourth Amendment of the Constitution provides the basic framework for nearly all privacy protection in the United States. The amendment says, in relevant part, that the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable

http://en.wikipedia.org/wiki/Webmail Id. 18 Some of the most popular services are Pandora Radio, Spotify, and Google Music. 19 Similar services are provided by Netflixs competitors Amazon Prime Instant Video, iTunes TV and Movie Rental, and Hulu Plus. 20 For a comprehensive list of cloud storage services, as well as their advantages and disadvantages, visit http://www.zdnet.com/the-top-10-personal-cloud-storage-services7000011729/ 21 See Robinson, Supra, at 1204.
17

16

Bert van Uitert searches and seizures, shall not be violated[.]22 It also states that searches may only be conducted with a warrant supported by probable cause.23 To determine what constitutes a search under the 4th amendment, the Supreme Court formulated a reasonable-expectation-of-privacy test. This test, first articulated in Katz v. United States, has two requirements: (1) that the person demonstrated a subjective expectation of privacy over the object and (2) that the expectation was reasonable according to societal expectations.24 Katz is notable to cloud computing because it extends privacy protection to intangible communications. The Court in Katz ruled, specifically, that the defendant retained privacy rights in the content of his telephone conversation.25 Katz entered a telephone booth, closed the door, and made a telephone call which the police recorded.26 This evidence was later used in court to convict him of his crime.27 Justice Harlan noted that (1) by closing the door behind him, Katz demonstrated a subjective expectation that his call would not be intercepted and (2) that his temporary expectation of privacy is reasonable under societal standards.28 Applying this test, Courts have also found a reasonable expectation of privacy in many other containers such as luggage, backpacks, purses, and lockers.29 As well, there have been several cases where courts have applied 4th Amendment principles and the reasonable-expectation-of-privacy to traditional (i.e. non-cloud-based) pieces United States Const. amend IV Richard M. Thompson II, Cloud Computing: Constitutional and Statutory Privacy Protections. Congressional Research Service. Accessed at http://www.fas.org/sgp/crs/misc/R43015.pdf. Note also that there are numerous instances where searches are conducted without a warrant through an exception or the police conduct is not considered a search. See http://www.nolo.com/legalencyclopedia/search-seizure-criminal-law-30183.html for more information. 24 389 U.S. 347, 361 (1967) (Harlan, J., Concurring). 25 See Katz, 389 U.S. at 352. 26 Id. at 361. 27 Id. 28 Id. 29 See Coulliard, Supra, at 2208-09.
23 22

Bert van Uitert of information technology. In one such case, a Pennsylvania district court held that removing and copying a hard drive from a computer and creating a duplicate image of the stored data constituted a search under the Fourth Amendment, despite the fact that the original hard drive was never accessed or compromised.30 The Court held that by saving the data on his personal computer in his home, the defendant demonstrated that he expected the data to remain private an expectation shared by society at large.31 This made the copying of his hard drive an unreasonable search.32 Along these lines, Courts have generally held that people have legitimate expectation of privacy in their home computers.33 However, these rulings focused on searches of locally stored information and not to any remotely stored content as would be seen in cloud computing. The Katz test has some notable limits and exceptions. Most relevant to cloud computing is the third party doctrine exception. In Katz concurrence, Justice White said that [w]hen one man speaks to another, he takes all the risks ordinarily inherent in so doing, including the risk that the man to whom he speaks will make public what he has heard. The Fourth Amendment does not protect against unreliable (or law-abiding) associates.34 This associate is considered a party to the communication and police may use this third party to obtain the information without a warrant. Courts have held that a person doesnt have legitimate expectations of privacy in what he or she voluntarily turns over to third parties.35 Some have characterized this doctrine as either the waiver of a reasonable expectation of privacy or an implied consent to be searched.36 United States v. Crist, No. 1:07-cr-211, 2008 WL 4682806, at 9 (M.D. Pa. Oct. 22, 2008). Id. 32 Id. 33 See United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004); Guest v. Leis, 355 F.3d 325, 333 (6th Cir. 2001). 34 Katz, 389 U.S. at 363 (White, J. concurring). 35 United States v. Miller, 425 U.S. 435, 442-44 (1976). 36 See Coulliard, Supra, at 2215.
31 30

Bert van Uitert b. Limited Interpretations of Katz in the Cloud Context As discussed above, Applying Katz to the cloud context requires an individual analysis of the defendants subjective and objective expectation of privacy. In other words, the defendant must have taken some action to demonstrate that he intended his information to be private and society at large must acknowledge the defendants privacy right. 37 Few courts have applied the reasonable expectation of privacy test to cloud computing, but these sparse rulings have established themes that can be applied across the entire cloud context. In Forrester v. United States, the Ninth Circuit Court of Appeals held that the government did not perform an unreasonable search by obtaining non-content information from the defendants Internet service provider.38 That is, the police installed a device to learn the to/from addresses of his emails, the IP addresses of the websites he visited, and the total amount of data sent to or from his computer without the ability to see what was written in the emails or contained on the websites he visited.39 The Court analogized this non-content information to the transactional information needed to make a phone call or send a letter in the postal service. For example, while a defendant would have a reasonable expectation of privacy in the contents of a physical, sealed envelope, it is not reasonable to expect that the address and return information on the outside of the envelope are equally private.40 By sharing this routing information with the postal service, the sender loses his reasonable expectation of privacy under the third party doctrine.41 Using similar logic, the Third Circuit held that no reasonable expectation of privacy exists in an IP address, because that information is also conveyed to and, indeed, from third parties, including [Internet service providers]. IP addresses are not merely
37 38

Katz, 389 U.S. at 361. United States v. Forrester, 512 F.3d 500, 509 (9th Cir. 2007). 39 See Thompson, Supra, at 8. 40 See Ex Parte Jackson, 96 U.S. 727, 732 (1878); Smith v. Maryland, 442 U.S. 735 (1979). 41 Id.
7

Bert van Uitert passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third partys servers.42 In other words, an IP address in an Internet page request is analogous to a street address on a physical letter: you must volunteer the information to a third party before it can be delivered and thereby waive any expectation of privacy to it. The Sixth Circuit further reinforced this content vs. non-content framework in United States v. Warshak.43 In this case, the government compelled the defendants Internet service provider to make copies of all of his emails so the government could look at them later without providing a search warrant.44 The government was given access to over 27,000 total emails, which the defendant later moved to suppress.45 Comparing email to physical mail, and relying on the content/non-content distinction seen above, the Court said that because of the similarities between e-mail and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protections. Email is the technological scion of tangible mail, and it plays an indispensible part in the Information Age. As some forms of communication begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise.46 Further, the Sixth Circuit expressly rejected the idea that the third party doctrine applied to the content of emails shared with Internet service providers.47 Thus, there are three principles that can be gleaned from these cases. First, the government may obtain non-content information (such as IP addresses, to/from addresses from email communications, subscriber information, etc.) from Internet service Providers without See Thompson, Supra, at 8 (quoting United States v. Christie, 624 F.3d 558, 674 (3d Cir. 2010). 43 United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). 44 Id. 45 Id. 46 Id. at 286. 47 Note, however, that the Sixth Circuits holding is not accepted in all jurisdictions and has been expressly rejected by certain arms of the government.
8
42

Bert van Uitert violating the Fourth Amendment. Second, courts put substantial weight behind non-digital analogues to cloud services. Third, at least in relation to email, the actual content of the data can be protected from government intrusion in some jurisdictions unless it first obtains a warrant. These limited cases form a framework for future cloud computing cases and should form at least a minimum standard for Fourth Amendment cloud computing analysis. c. How Courts Should Apply Fourth Amendment Principles to the Cloud. In 1985, the Supreme Court said that calendars, photographs, address books, correspondence, and diaries are highly personal items that warrant privacy protection.48 There is little doubt that society at large recognizes the need to protect the privacy of these items in their physical form. Why then, should their digital forms not warrant the same protection? The largest hurdle to ensuring that cloud computing is protected by the Fourth Amendment is the uncertainty surrounding how the judiciary will apply the third party doctrine to data stored in the cloud.49 A pair of analogies illustrate the competing paradigms for and against application of the third party rule in cloud computing. First, imagine the cloud as a safety deposit box in a bank. Any time a client chooses, he may come into the bank and gain access to his personal belongings, as long as the bank teller opens the box and displays the content for him. By so doing, the teller will see the contents of the box, and the clients expectation of privacy will have vanished because a third party is now privy to the same information. This analogy relates because when a user uploads data into the cloud, they can only

Doe ex rel Doe v. Little Rock Sch. Dist., 380 F.3d 349, 353 (8th Cir. 2004) (citing New Jersey v. T.L.O., 469 U.S. 325, 339 (1985)). 49 http://news.cnet.com/8301-13578_3-57368025-38/supremes-to-congress-bring-privacy-lawinto-21st-century/ (The Court has in the past held that, as soon as you share information with any third party, youve given up any expectation of privacy. Thus, while the Fourth Amendment applies to digital files on your computer, it may not protect the same file stored on Dropbox or in your Gmail.)
9

48

Bert van Uitert re-access the data when the third party presents it to him through a web browser or other application. A competing analogy would be to compare cloud computing to renting a self-service storage space. The manager need only register the client and open the gate during the initial visit. After that, the client does the rest. The manager, who would only enter a storage space under the direst of circumstances, would likely never see the contents of the storage unit. The client comes and goes as he pleases and can store whatever he wants in his allotted space and would only talk to the manager if he sought more space or to close his account. The manager never sees what is inside the storage shed; hence the client maintains a reasonable expectation of privacy because the information hasnt been shared with a third party. This analogy highlights the fact that data uploaded into the cloud rarely, if ever, are accessed by a human on the other end. In cloud computing, the third party with which information is shared is generally a server and nothing more. Users may expect to have a high level of privacy protection with information that it shares with an inanimate object, like a storage unit or a server, far more than if they share the information directly with another person. As well, the evolving nature of the web has created a societal expectation that there can be private spheres inside of the Internet. Just ten years ago, it would have been unfathomable to think about posting something online and expecting it to remain private. However, the amounts and kinds of data that society uploads everyday indicate that the publics perception of the Internet has evolved tremendously over time.50 Just as public perception has evolved on its expectations of Internet privacy, the courts should update the reasonable expectation of privacy test to accommodate our changing digital age. The test should still require defendants to demonstrate the subjective expectation of
50

See Coulliard, Supra, at 2232-33.

10

Bert van Uitert privacy, but change how third party interactions are construed. For example, a blogger clearly couldnt have a reasonable expectation of privacy in a public post. But if a user encrypts their uploaded data, password protects an account, turns a YouTube videos settings to private, or other similar technique, the subjective element of the Katz test should be met.51 If courts will then update the objective element to incorporate modern views on digital content and privacy, users will be able to compute in the cloud without fear for their personal privacy. These privacy standards should also be changed for policy reasons. If Fourth Amendment protections are not provided to cloud computing with broad latitude, there could be serious negative ramifications for the international economy. Cloud computing is no passing fad.52 Some analyst predict that the personal cloud will replace the personal computer and the mobile device as the center of consumers digital lives by the year 2014.53 A recent forecast from the International Data Corporation predicts that in the year 2016 worldwide spending on cloud computing will be roughly twenty-four billion dollars.54 While some individual consumers will continue to use cloud services regardless of the privacy implications, businesses would not follow suit if putting an email or other document in the cloud means that it loses its Fourth Amendment protection. One-third of all spending in Information Technology is going towards cloud computing.55 Directing this money someplace else will stifle innovation and stunt the United States dominance in this market. If companies in other countries with more comprehensive privacy laws are given an advantage, it could have serious long-term effects on the United States economy. Id. at 2233-2236. http://www.storagecraft.com/blog/cloud-computing-forecast-a-chance-of-reign/ 53 http://www.gartner.com/newsroom/id/1947315 54 http://www.businesswire.com/news/home/20130228005032/en/IDC-Forecasts-WorldwideSpending-Hosted-Private-Cloud 55 http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgetsnow-spent-on-cloud-survey/
52 51

11

Bert van Uitert Fortunately, at least one Justice of the Supreme Court is skeptical of the applicability of the third party doctrine in the modern information age. In her concurrence to the recent Fourth Amendment case United States v. Jones, Justice Sotomayor called into question the premise that an individual has no reasonable expectation of privacy in information that he chooses to give to third parties.56 Justice Sotomayor asserted: [the third party doctrine] is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the [websites] that they visit and the e-mail addresses with which they correspond to their internet service providers; and the books, groceries, and medications they purchase to online retailers. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment Protection.57 Justice Sotomayors dicta gives hope to businesses, tech enthusiasts, and average users everywhere that the reasonable expectation of privacy test will be upgraded to meet the demands of cloud computing. V. Statutory Protections a. The Stored Communications Act In the1980s, Congress was concerned that privacy protections under the Fourth Amendment and Katz would not provide sufficient protection to users of the newfangled Internet
56 57

United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayor, J. Concurring). Id.
12

Bert van Uitert that was growing in popularity.58 To address these and other problems, Congress overhauled federal communication laws in the Electronic Communications Privacy Act of 1986 (ECPA).59 Title II of the act, dubbed the Store Communication Act (SCA), was crafted specifically to address privacy concerns with the access and dissemination of electronic information stored on computers.60 The SCA defined and protected the two primary uses of computer networks that existed at that time: (1) the electronic communication service (ECS) and (2) the remote computing service (RCS).61 Under the SCA, Electronic communication systems are systems that receive data transmissions and electronic mail,62 and in order to be classified as an ECS, the system must meet two requirements. First, the service must offer the ability to send or receive electronic communications.63 Second, service provider must keep the communication in electronic storage, which is defined as either temporary, intermediate storageof an electronic communication incidental to the electronic transmission or as a backup of the original copy.64 This confusing statute was crafted to protect email systems based on the technological standards that were in place at the time.65 When stored in an ECS, the government needs a warrant in order to obtain information that is in temporary electronic storage and has been there for less than 180 days.66 After 180 days, the government can access communications with a subpoena or

58 59

See Thompson, Supra, at 6. Electronic Communications Privacy Act of 1986, P.L. 99-508, 100 Stat. 1848. 60 18 U.S.C. 2701 2712. 61 See Robinson, Supra, at 1205. 62 Id. 63 18 U.S.C. 2510(15). 64 18 U.S.C. 2510(17). 65 See Robinson, Supra, at 1205. 66 18 U.S.C. 2703(a).
13

Bert van Uitert court order if the government has shown reasonable grounds to believe that the contents . . . .are relevant and material to an ongoing criminal investigation.67 Remote computing systems are systems that provide computing services to users from remote facilities. There are four requirements that a service must meet before it can be classified as an RCS. First, the provider must offer computer storage or processing services.68 Second, the user has to give the data to the RCS electronically.69 Third, the electronic data must be maintained solely for the purpose of providing storage or computer processing services to users.70 Lastly, the provider cant be allowed to access the data to provide any services other than storage or computer processing.71 RCSs were included to ensure the privacy of outsourced data from third-party service providers. All data contained in an RCS is subject to the same lower standard as an email stored for over 180 days: the government must only show that it has reasonable grounds to believe that the contents are relevant to an ongoing investigation.72 2. The Stored Communications Act and the Cloud The SCA does not provide sufficient privacy protection for the new digital age in the cloud because it rarely provides protection to email users and few if any systems can qualify for the weak protections of the RCS. The statutory language provides no protection to the vast majority of email users in this day and age. In one recent ruling, the Court found that once an email had been opened it was not necessary to obtain a warrant before compelling the service provider to turn over the information.73 Another court determined that if the only copy of an email is in the cloud, then it didnt constitute a backup of an original and therefore was not in
67 68

18 U.S.C. 2703(d) 18 U.S.C. 2510(10). 69 18 U.S.C. 2702(a)(2)(A). 70 18 U.S.C. 2702(a)(2)(B). 71 Id. 72 18 U.S.C. 2703(d) 73 United State v. Weaver, 636 F. Supp 2d 769 (C.D. Ill. 2009).
14

Bert van Uitert the statutory definition of a ECS.74 One of the great advantages of webmail is that it provides increasingly large storage quotas that eliminate the need to individually download and store email content on local hard drives. Consequently, few users ever download emails onto their computers, a seemingly necessary element for SCA protection to apply. As well, with the ability to check email on mobile devices, few people leave emails in their system unopened for very long, meaning that emails lose the other mechanism for ensuring heightened protection. These outdated requirements essentially preclude any regular email user from having the increased statutory protections of the SCA. The outlook for cloud computing to be considered an RCS is even more foreboding. First, the belief of relevance standard do little to prevent the government from being able to access any information it wants inside of an RCS . In fact, the police would never need a warrant to obtain information from any system deemed an RCS. Second, the requirements to designate a system as an RCS are so restrictive that almost no cloud computing system could qualify for its increased protections. Because the statute demands that the information be accessed solely for the purposes of storage and processing, few systems could meet this qualification. The vast majority of cloud services are offered for free to consumers in exchange for being able to access their content to provide targeted ads to customers.75 Other services need to access the content in order to perform their services and provide value.76 Thus, while the SCA adequately protecedt the electronic communications of the 80s, Congress couldnt foresee where technological advances would end up and crafted a bill that is poorly suited for the evolving nature of the Internet.

74 75

Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003). See Robinson, Supra, at 1213-14. 76 Id.
15

Bert van Uitert 3. Proposed Statutory Amendments to the Stored Communications Act In the most recent Congresses, numerous proposals have been offered to clarify and strengthen the protections preventing the government from performing searches under the loose rules of the SCA. These bills hope to, inter alia, (1) bring the standard required for a government entity to obtain a warrant in an RCS equal to the higher standard needed for an ECS, (2) completely eliminate the 180-day abandonment rule to better align with current thinking on electronic storage, (3) amend the statute to cover electronic storage (presumably emails) that are being held or maintained by the service even after they have been read, (4) require the government to notify users within three days if a warrant has been executed and user content has been searched, and (5) prevent service providers from being able to voluntarily share user information with the government without a warrant.77 Some proposals also ask for increased reporting to Congress on how often and under what circumstances warrants are sought and issued so that Congress can update laws accordingly.78 These proposals would better align the SCA with its original intended purpose of the statute back in 1986. As discussed above, so little of the information transfer that takes place on the Internet is actually covered by the SCA that the statute has not been able to provide the protection Congress intended. While these proposals are an excellent first step towards bringing statutory privacy into the age of the cloud, Congress should also put a plan in place to frequently audit and update privacy laws related to the use of Internet. As the SCA aptly demonstrates, laws that are structured around current technological standards dont stay up-to-date for very long. The updated proposal will work towards helping the current privacy issues in the cloud, but they will surely be outdated within a few years, potentially stifling innovation and economic
77 78

See Thompson, Supra, at 17. Id. at 17-18; See also:

16

Bert van Uitert output. If a framework is put in place to mandate frequent tweaks to policyperhaps by a nonpartisan group composed of legislators, business representative, privacy advocates, etc.it will increase the likelihood that Congress doesnt wait another 27 years before updating laws to conform to technological advances. VI. Implications for Businesses and Professionals As should be clear, everyone has a personal interest in understanding how his or her personal privacy is affected by using the cloud. However, these laws and principles are of particular importance to several professional industries. Generally, any profession that has a general or ethical responsibility to keep information confidential should be particularly wary of using cloud computing in their business practices. Specifically, medical doctors and psychologists have an ethical duty to keep medical information private (including mental health) as well as a legal duty under the Health Insurance Portability and Accountability Act. As well, lawyers and accountants have ethical responsibilities to maintain the confidentiality of legal and financial information respectively. Consequently, local and national ethics committees from each of these fields have issued guidelines to practitioners who seek to use the cloud in their businesses. Although each varies in its specificity, they consistently recommend a few general principles.79 First, the professional must ensure that the cloud provider has an enforceable obligation to preserve confidentiality and security and that the professional will be notified if the provider is served with process regarding the production of client information.80 Second, the professional must investigate the online data storage providers security measures, policies, backup methodologies, and other procedures http://www.mondaq.com/x/170266/Privacy/Lawyers+And+Technology+New+Threats+To+Ke eping+Client+Information+Confidential 80 For example, many sites have certificates proving that they are HIPAA complaint. http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-hipaacompliance.
17
79

Bert van Uitert determine if they are adequate. Finally, the professional must employ available technology to guard against reasonably foreseeable attempts to infiltrate stored data. These guidelines will be frequently updated to ensure that ethical standards keep up with the rapid pace of technology. VII. Conclusion As more and more of the world becomes digitized, it is increasingly important for individuals to understand the privacy implications of cloud computing. The Fourth Amendment and the Katz test generally protect information in the cloud. However, because the nature of cloud computing involves sharing information with a service provider, the third party doctrine limits the protections afforded by those safeguards. Many, including Supreme Court Justice Sonia Sotomayor, believe that the third party doctrine should be reevaluated because of our everchanging digital society. In addition to the Constitutional safeguards, Congress has passed statutory privacy protections for digital information with the Stored Communication Act. Unfortunately, the act was narrowly tailored to the technology standards of the mid-1980s and provides little protection in modern day scenarios. To address the outdated law, numerous legislators have proposed amendments to update the language to cover cloud technologies. As judges and legislators approach solutions to cloud privacy problems, they should be careful to craft rulings and statutes that address current issues without limiting future innovation and technological advances. In sum, because privacy rights in the cloud remain nebulous, users must tread with caution.

18