Does Storing Your Documents In 'The Cloud' Mean The Gov't Has Easier Access To It?

from the privacy-concerns dept

One of the more annoying things concerning the ever changing technology world is the trouble that the law has in keeping up. We're seeing that a lot lately. For example, a few months ago, we talked about 4th Amendment issues when it comes to cloud data. There are a few different camps on this, with a few different thoughts -- and so far, no one's exactly sure who's right. We predicted the issue was going to come up more frequently... and we're already seeing that. A few months after that post, we had a court ruling that (on a questionable basis) found no 4th Amendment privacy protections for emails once delivered, using similar logic to the debate over the cloud. And such cases are becoming more common.

The Citizen Media Law Project has a good discussion about the FBI getting access to documents stored in Google Docs as part of a spam investigation. In that case, the FBI did go through the process of getting a full search warrant (which should have satisfied some of the 4th Amendment concerns), but it's the first case on record of the FBI getting access to Google Docs.

Part of the problem here is that this sort of stuff is covered under a law that's nearly a quarter of a century old, and is not even remotely designed for a modern technology world:
The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit.  But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.

As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit."  This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required?  Under what circumstances can service providers voluntarily cooperate with law enforcement?
What's interesting is how little attention these issues seem to be getting -- even though they can have a pretty large impact. And, even though this may seem like legal details, it applies well outside the legal field as well. While it won't be the key focus, we're even going to include a short section on these kinds of legal issues in the cloud in our upcoming webinar on cloud security (register here). While this might not seem directly like a security issue, if you're in charge of keeping data secure, it's pretty important to know what it means when the feds knock on your door... or the door of the third party "cloud" provider to whom you outsourced your company's data.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    abc gum, May 5th, 2010 @ 5:47pm

    "Does Storing Your Documents In 'The Cloud' Mean The Gov't Has Easier Access To It?"

    Duh ...
    Them any anyone else with either money or skill.
    You think the gov will store top secret stuff in the cloud, I think not.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    radjin, May 5th, 2010 @ 7:01pm

    You are worried about legal access?

    What about the company that holds that data, its marketing department, or it's affiliates? All of whom would profit greatly at perusing your information, and we have seen it many times will push the law to the limit to do so, then claim it was a mistake when they get caught, however they already have your info, and I doubt they are going to eliminate it. No, the cloud is no place for anything you wish to be private. With deep packet inspection on the rise, little but 250bit or better encryption is the only way to move sensitive data on the net, and never store it there on a public service.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    radjin, May 5th, 2010 @ 7:01pm

    You are worried about legal access?

    What about the company that holds that data, its marketing department, or it's affiliates? All of whom would profit greatly at perusing your information, and we have seen it many times will push the law to the limit to do so, then claim it was a mistake when they get caught, however they already have your info, and I doubt they are going to eliminate it. No, the cloud is no place for anything you wish to be private. With deep packet inspection on the rise, little but 250bit or better encryption is the only way to move sensitive data on the net, and never store it there on a public service.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, May 5th, 2010 @ 7:29pm

    "This post is ... sponsored by Oracle & Intel."

    Good bye negative stories related to Oracle and Intel. Way to sell out guys. I seriously thought that you had a small amount of credibility left, but I guess not.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    MadderMak (profile), May 5th, 2010 @ 7:55pm

    Re:

    Funny... I never found being paid by my boss kept me from pointing out his more idiotic moments - or indeed those of our clients. Yet I appear to still be employed.

    The point??

    (you can be sponsored and remain objective - or true to your ideals)

    Why don't we wait and see how it pans out :)

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, May 5th, 2010 @ 9:52pm

    Re: Re:

    You're making a straw man argument here. You didn't publicly announce your boss's mistakes using his, or your, real name. Secondly, there are laws against firing people for certain reasons that may very well have applied in your case. You may have been protected by some laws that don't apply here.

    Here we have two companies sponsoring a blog which often writes about subjects directly pertaining to these companies. There's no law against these companies withdrawing their sponsorship if they don't like something the authors write about them.

    Now sure, maybe the authors are completely impartial and will be willing to write negative comments about the companies even if it means loosing money. However, to pretend that a conflict of interest doesn't exist is beyond naive.

    Furthermore, you still aren't taking into account anyone above the authors that has the authority to pull a negative article before it's posted to avoid loosing sponsorship.

    This isn't just putting some random ads on a website, this is allowing two companies to sponsor articles. This is clearly improper.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, May 5th, 2010 @ 11:08pm

    Re: You are worried about legal access?

    "What about the company that holds that data, its marketing department, or it's affiliates?"

    I agree, on many of these issues the government is the least of ones concern. Any random bank teller has access to a plethora of information on anyone (sure, if you try to look up information on some famous celebrity then the computer will raise a red flag, but on any Joe Blow down the street they can have access) and, when it comes to many corporations that anyone does business with that has sensitive information on you, most employees openly have access to that information. The level of access is incredible (and often scary), heck, pretty much anyone can google their own name and find ALL SORTS of information on themselves on the Internet that they never even put up and have no clue how anyone got a hold of, all of which is allegedly "public record."

    and I'm sure that many employees at these "cloud" companies have tons of access to your data just as well, even if they tell you otherwise. Heck, I'm sure many Google employees have access to all your E - Mail data that you use. Everyone keeps worrying about the government but often times it's also people who run these cloud services that are a problem (and don't think that a robots.txt will necessarily protect you from some company that runs their own private search engine in the case of hosting your own content for others to privately use and not have it shown on search engines).

    I'm not saying that we shouldn't be worried about the government, just that we also have other things to worry about just as well. When you store unencrypted data onto a cloud system it should go without saying that other people may have access to it, just like when you send someone an E - Mail it can go without saying that everyone you know could wind up getting a forwarded copy of that E - Mail.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    MadderMak (profile), May 5th, 2010 @ 11:55pm

    Re: Re: Re:

    OK on some of that I agree with you (well the first 2 points at least). Mea Culpa if I made a strawman, that was not my intention.

    On your third point I again agree - I never said there was no conflict of interest. But the open disclosure indicates that the authors are aware of the conflict and intended to inform their community of this. Indeed were it not for that we would not be having this discussion :)

    I was of the impression that the authors were in fact at the top of the tree - but I have done no research so could be wrong. Your point is valid but I am unsure it is fully relevant in this case.

    "This isn't just putting some random ads on a website, this is allowing two companies to sponsor articles. This is clearly improper." I have to laugh! Sorry :) but this exactly describes lobby groups.
    Seriously - there should be nothing wrong or improper with companies sponsoring articles (even directly) if that fact is disclosed. I can think of several examples (which may not be totally relevant either) such as Open Source, Editorials in publications, Reviews etc. The problem is if that sponsership is allowed to affect/restrict the free expression of the content, or the sponsorship is not disclosed.

    All I say is the sponsorship itself is not improper. If Techdirt allow it to "colour" their reporting/discussions then that would be improper.

    But have they? I think we have to wait and see - since there are so many sources for "news" about both the sponsors I am sure the community here will notice if some egregious behaviour by them either fails to be reopted on, or the "voice" of that report is out of character.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    Mike Masnick (profile), May 6th, 2010 @ 12:31am

    Re: Re:

    Why don't we wait and see how it pans out :)


    Must you wait? Whoever the anonymous commenter is, he apparently doesn't realize that this site has taken on sponsorships for years, and I don't think anyone can say our level of coverage has changed in any way.

    This particular deal is not a new one. Oracle is new, but only picking up where Sun left off. Sun and Intel began sponsoring posts on IT-related topics in the fall last year, and since that time, you can see for yourself that there are articles critical of Intel:

    http://www.techdirt.com/articles/20100405/1818058887.shtml

    and Sun:

    http://www.techdirt.com/articles/20091023/1804116661.shtml

    The fact is that companies who sponsor have no control or input into the content of the posts, and the decision to add the little sponsorship blurb is done by someone else in the company who is not on the editorial side. The posts are not written up with any knowledge or thought of the fact that they're sponsoring certain topics.

    And there is no conflict of interest or worry over offending them, because frankly, I don't care. We have plenty of sponsors and advertisers, and we've probably offended most of them. But those who sign up know that Techdirt is known for its writers speaking their minds and sticking up for their positions, and they know damn well that we don't compromise positions on posts depending on who sponsors. If they don't like it, go elsewhere. We've got plenty of other sponsors. But they tend to sponsor it because they KNOW we speak our mind and they know that we can't be compromised and they want to support that.

    But, in the end, you judge for yourself. Frankly, it's obnoxious to insist that there's no credibility just because of an advertiser or sponsor, without actually finding a single piece of commentary that you feel was compromised (good luck finding it -- it doesn't exist). If you honestly believe that way, then pretty much all of the internet has no credibility in your book.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Mike Masnick (profile), May 6th, 2010 @ 12:36am

    Re: Re: Re: Re:

    But have they? I think we have to wait and see - since there are so many sources for "news" about both the sponsors I am sure the community here will notice if some egregious behaviour by them either fails to be reopted on, or the "voice" of that report is out of character

    Indeed. Again, this particular deal has been going on since last year, and I defy you to point to any example of our coverage that has been compromised.

    The blurb is there on top to be totally upfront about disclosure. Sun (now Oracle) and Intel chose to sponsor a *topic*. That is, posts about IT get that treatment, but that's it. They have no say on content and we have total editorial control. They just want to support what we do here and get some recognition for supporting a good community -- which many of our readers seem to appreciate.

    And, again, if they get offended and go away, there are plenty of other companies to replace them.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    Mike Masnick (profile), May 6th, 2010 @ 12:39am

    Re: Re: Re:

    This isn't just putting some random ads on a website, this is allowing two companies to sponsor articles. This is clearly improper.

    No, they are not sponsoring "articles." They have sponsored the topic. And it is not at all improper. It is blatantly disclosed. I find that a hell of a lot better than most content sites that run ads with specific content, but which don't disclose it.

    Sun (now Oracle) and Intel chose to sponsor this topic because they felt we had a strong and vibrant voice and community here, and that deal is clear that they have no input into editorial and they knew that going in. They did this because they know that our voice is one that people pay attention to and that's because we will be critical of their actions should they do something stupid. As I pointed out, we have, in fact, been critical of both of these companies during the sponsorship, and we will do so again (actually... you'll see an article very soon that's critical of one of those companies).

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    RobShaver, May 6th, 2010 @ 8:52am

    Sponsors + What was this post about?

    If anything the fact that Oracle is sponsoring Techdirt raises my opinion of Oracle ... slightly, which is still quite low.

    Oh yeah. The best defense against anybody reading your documents anywhere is strong encryption. It should be maintained automatically. The data must never be cached to disk unencrypted. The decryption key must never stored or cached on the computer. It should be kept on an external flash drive that is removed and locked away.

    Just a thought ...

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Justa Comment, May 6th, 2010 @ 8:59am

    The Answer = YES

    Just to review:
    * Internet - a public access network where you can try to attempt privacy... Good Luck !
    * Communications - company owned networks working with the government, the companies have proprietary access to their systems/software and allow the government access and recording... like or not !
    * Companies - use open-ended 'agreements' to do whatever they want with any data they get (which becomes their data). They are also legally harrassed/exploited/covered to do whatever more powerful companies tell them to do with 'their' data... Obviously !
    * 'Security' - a goverment workaround or black market business model/hobby that's hacked in two minutes or less. Otherwise, your data is open and accessed by foreign processors.

    If you're on-line, learn to assume access by anyone with technology and time.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Epicurious Synonymous, May 6th, 2010 @ 9:35am

    Bias? we ALL have it...

    I hope the majority of TechDirt readers are intelligent enough to discern that Mike saying he's not biased, and there being actual bias are two exclusive items of contention. Nobody should be using Techdirt (or any other source) as a sole source of tech information.
    Nobody should assume that articles critical of Oracle or Intel aren't even SLIGHTLY impacted by editorial judgement. His three top sponsors, Intel, Amex, Oracle, all have been criticized in their fields, and each has elements of corporate monopolistic tendencies. (Amex with exorbitant rates charged merchants, Intel with obvious price fixing, and Oracle with Big Iron Strongarming in the enterprise world.)

    Also still haven't seen an article recently on Google and the "Gaia" breach in early 2010. That seems like the most significant article of 2010 with regards to privacy and technology, but it remains ignored by most of the mainstream press.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Epicurious Synonymous, May 6th, 2010 @ 11:40am

    Cloud

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This