Does Storing Your Documents In 'The Cloud' Mean The Gov't Has Easier Access To It?
from the privacy-concerns dept
The Citizen Media Law Project has a good discussion about the FBI getting access to documents stored in Google Docs as part of a spam investigation. In that case, the FBI did go through the process of getting a full search warrant (which should have satisfied some of the 4th Amendment concerns), but it's the first case on record of the FBI getting access to Google Docs.
Part of the problem here is that this sort of stuff is covered under a law that's nearly a quarter of a century old, and is not even remotely designed for a modern technology world:
The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit. But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.What's interesting is how little attention these issues seem to be getting -- even though they can have a pretty large impact. And, even though this may seem like legal details, it applies well outside the legal field as well. While it won't be the key focus, we're even going to include a short section on these kinds of legal issues in the cloud in our upcoming webinar on cloud security (register here). While this might not seem directly like a security issue, if you're in charge of keeping data secure, it's pretty important to know what it means when the feds knock on your door... or the door of the third party "cloud" provider to whom you outsourced your company's data.
As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit." This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required? Under what circumstances can service providers voluntarily cooperate with law enforcement?