One of the more annoying things concerning the ever changing technology world is the trouble that the law has in keeping up. We're seeing that a lot lately. For example, a few months ago, we talked about 4th Amendment issues
when it comes to cloud data. There are a few different camps on this, with a few different thoughts -- and so far, no one's exactly sure who's right. We predicted the issue was going to come up more frequently... and we're already seeing that. A few months after that post, we had a court ruling that (on a questionable basis) found no 4th Amendment privacy protections for emails once delivered
, using similar logic to the debate over the cloud. And such cases are becoming more common.
The Citizen Media Law Project has a good discussion about the FBI getting access to documents stored in Google Docs
as part of a spam investigation
. In that case, the FBI did go through the process of getting a full search warrant (which should have satisfied some of the 4th Amendment concerns), but it's the first case on record of the FBI getting access to Google Docs.
Part of the problem here is that this sort of stuff is covered under a law that's nearly a quarter of a century old, and is not even remotely designed for a modern technology world:
The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit. But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.
As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit." This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required? Under what circumstances can service providers voluntarily cooperate with law enforcement?
What's interesting is how little attention these issues seem to be getting -- even though they can have a pretty large impact. And, even though this may seem like legal details, it applies well outside the legal field as well. While it won't be the key focus, we're even going to include a short section on these kinds of legal issues in the cloud in our upcoming webinar
on cloud security (register here
). While this might not seem directly like a security issue, if you're in charge of keeping data secure, it's pretty important to know what it means when the feds knock on your door... or the door of the third party "cloud" provider to whom you outsourced your company's data.