Back in the early days of the Internet, users stored their personal information on floppy discs and the hard drives of their computers.
That's all changed now. Increasing numbers of users are storing data on the Internet — or “in the cloud” — and using cloud applications, such as Google Apps, or cloud data storage like Microsoft LiveMesh. The convenience is obvious: Once data is stored online, it can be accessed from any Internet-connected computer.
But privacy advocates warn that the legislation protecting the privacy of users' data hasn't changed to keep up. As a recent story on National Public Radio noted, while the checkbook sitting in your desk at home is protected by the Fourth Amendment from being accessed by government agents without a warrant, that protection may not apply to data you keep in an online checking account.
And since the data is stored remotely it may be difficult for users to even know how vulnerable it is. Is the third-party server holding the data reliable? Is the data encrypted, or is it susceptible to theft by hackers? Are there assurances the storage company will not share the data with others? What if the company shuts down the service, or the government asks the company for access to a customer's stored data or a party to a lawsuit demands the data?
Privacy advocates warn, for example, that some cloud service providers claim to “support” various security technologies — such as data encryption — when those technologies may not be enabled by default (automatically) and may require the user to request them.
Indeed, in June 38 researchers and academics in computer science, information security and privacy law signed a letter to Google asking the company to follow through on protecting the data of users of its cloud applications by turning on the supported HTTPS Web-encryption technology. Google engineer Alma Whitten replied, “We're currently looking into whether it would make sense to turn on HTTPS as the default for all G-mail users,” as well as for users of other Google cloud applications.
While no major problems have occurred thus far with cloud storage, privacy advocates say clear, legal protections for stored data don't exist. In fact, according to a recent report by the World Privacy Foundation, data stored in the cloud may have more than one legal location, with differing legal consequences depending upon the location.
“A cloud provider may, without notice to a user, move the user's information from jurisdiction to jurisdiction, from provider to provider or from machine to machine,” the report notes. “The legal location of information placed in a cloud could be one or more places of business of the cloud provider, the location of the computer on which the information is stored, the location of a communication that transmits the information from user to provider and from provider to user, a location where the user has communicated or could communicate with the provider, and possibly other locations.”
The foundation cautions users that the application of current privacy law to the data stored in the cloud is “unpredictable,” in that the courts, without clear direction from Congress, are applying the laws inconsistently. What's more, it warns, “The government is not the only entity that might seek to obtain a user's record from a cloud provider. A private litigant or other party might seek records from a cloud provider rather than directly from a user because the cloud provider would not have the same motivation as the user to resist a subpoena or other demand.”
— Patrick Marshall