Online Privacy
Do Americans need better protection?
By Patrick Marshall

The Internet has become not only a primary means of communication but a place where millions of Americans store important personal data, from credit-card numbers and bank account information to family photos and histories of their online purchases. But that data does not have the same legal protection as data that Americans store in their homes. What's more, powerful new technologies are creating unexpected. . . .

Read the Full Report (Subscription Required)
Buy Report PDF

• Should advertisers' collection of data on Web users be regulated?
• Are social networking sites doing enough to protect users' privacy?
• Do federal privacy policies regarding the Internet need to be updated?

Should Congress regulate online behavioral advertising?

Jeff Chester Executive Director, Center for Digital Democracy. From testimony before House Subcommittee on Communications, Technology and the Internet, June 18, 2009	Berin Szoka (left), Adam Thierer Director, Center for Internet Freedom. Director, Center for Digital Media Freedom. Progress & Freedom Foundation. From “Online Advertising and User Privacy: Principles to Guide the Debate,” September 2008

Is Data Storage ‘in the Cloud’ Safe?

Back in the early days of the Internet, users stored their personal information on floppy discs and the hard drives of their computers.

That's all changed now. Increasing numbers of users are storing data on the Internet — or “in the cloud” — and using cloud applications, such as Google Apps, or cloud data storage like Microsoft LiveMesh. The convenience is obvious: Once data is stored online, it can be accessed from any Internet-connected computer.

But privacy advocates warn that the legislation protecting the privacy of users' data hasn't changed to keep up. As a recent story on National Public Radio noted, while the checkbook sitting in your desk at home is protected by the Fourth Amendment from being accessed by government agents without a warrant, that protection may not apply to data you keep in an online checking account.

And since the data is stored remotely it may be difficult for users to even know how vulnerable it is. Is the third-party server holding the data reliable? Is the data encrypted, or is it susceptible to theft by hackers? Are there assurances the storage company will not share the data with others? What if the company shuts down the service, or the government asks the company for access to a customer's stored data or a party to a lawsuit demands the data?

Privacy advocates warn, for example, that some cloud service providers claim to “support” various security technologies — such as data encryption — when those technologies may not be enabled by default (automatically) and may require the user to request them.

Indeed, in June 38 researchers and academics in computer science, information security and privacy law signed a letter to Google asking the company to follow through on protecting the data of users of its cloud applications by turning on the supported HTTPS Web-encryption technology. Google engineer Alma Whitten replied, “We're currently looking into whether it would make sense to turn on HTTPS as the default for all G-mail users,” as well as for users of other Google cloud applications.

While no major problems have occurred thus far with cloud storage, privacy advocates say clear, legal protections for stored data don't exist. In fact, according to a recent report by the World Privacy Foundation, data stored in the cloud may have more than one legal location, with differing legal consequences depending upon the location.

“A cloud provider may, without notice to a user, move the user's information from jurisdiction to jurisdiction, from provider to provider or from machine to machine,” the report notes. “The legal location of information placed in a cloud could be one or more places of business of the cloud provider, the location of the computer on which the information is stored, the location of a communication that transmits the information from user to provider and from provider to user, a location where the user has communicated or could communicate with the provider, and possibly other locations.”

The foundation cautions users that the application of current privacy law to the data stored in the cloud is “unpredictable,” in that the courts, without clear direction from Congress, are applying the laws inconsistently. What's more, it warns, “The government is not the only entity that might seek to obtain a user's record from a cloud provider. A private litigant or other party might seek records from a cloud provider rather than directly from a user because the cloud provider would not have the same motivation as the user to resist a subpoena or other demand.”

— Patrick Marshall

[1] Martin Kaste, “Online Data Present A Privacy Minefield,” “All Things Considered,” National Public Radio, Nov. 4, 2009, www.npr.org/templates/story/story.php?storyId=114163862.

Footnote: 1. Martin Kaste, “Online Data Present A Privacy Minefield,” “All Things Considered,” National Public Radio, Nov. 4, 2009, www.npr.org/templates/story/story.php?storyId=114163862.

[2] http://files.cloudprivacy.net/google-letter-final.pdf.

Footnote: 2. http://files.cloudprivacy.net/google-letter-final.pdf.

[3] http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html.

Footnote: 3. http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html.

[4] Robert Gelman, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing,” World Privacy Forum, Feb. 23, 2009, p. 7.

Footnote: 4. Robert Gelman, “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing,” World Privacy Forum, Feb. 23, 2009, p. 7.