Tuesday, June 8, 2010

Privacy in the Clouds

In the last few years cloud computing technology has growing in popularity. From communications network to computing network it is the next step in the development of the function of the internet. Cloud computing technology uses the internet and central remote servers (the ’cloud’) to maintain data and applications. It allows consumers and businesses to use applications without installation, enabling them to access their personal files at any computer with internet access. For IT departments which are faced with increasing IT costs (capacity increase, time consuming implementation, maintenance, and upgrade projects, new software licenses, personnel training, etc.) cloud computing technology offers great advantages. It allows for much more efficient computing by centralizing storage, memory, processing and bandwidth. You simply log in, customize an application, and start using it. Cloud computing services exist in many variations, including web-based email services, data storage sites, personal health record websites, photography and/or video websites, social networking sites, and many more.

Cloud computing offers not only advantages, but it also has significant consequences for the privacy and confidentiality of your personal or business information. Cloud computing, or any form of storage on line, is and will be accessible by anyone who has the capability to access the information. There is no true verification of the integrity of the people behind the storage, it is not known what is actually happening with your information behind the scenes, and there is no immediate control of it. There are many other questions which need to be answered. Questions concerning ownership of information in the cloud; user access denial to one’s own private data; what happens to the data in the case of bankruptcy of the host; is there a legal right to privacy for online stored information, etc.

Currently a constitutional debate is ongoing in the United States over whether or not the
Fourth Amendment covers information stored in the cloud. The Fourth Amendment provides “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”. Provided there is probable cause the government or a law enforcement agency needs a judicial warrant to search your home or office, read your mail and seize your personal papers. Since a 1967 Supreme Court case involving the wiretapping of a phone booth (Katz v. United States), courts have developed the “reasonable expectation of privacy” test determining whether a search requires a warrant. The test has two requirements: 1) there must be a subjectively reasonable expectation that the item was private and 2) the item must be something that society in general objectively recognizes as reasonably private.

The “third-party doctrine” (a person sharing information with a third party cannot make a Fourth Amendment claim to protection of that information) narrows the situations in which a warrant is required to conduct a search. Cloud-stored information is repeatedly not considered to be falling under the “reasonable expectation of privacy” doctrine as the information has been ‘handed’ over to third parties and is no longer considered to be private. In a way the ‘third-party” doctrine is undermining the “reasonable expectation of privacy” doctrine. Personal items such as photographs, letters and papers carried around in our bags or briefcases have a reasonable expectation of privacy, while identical personal items stored and virtually accessed via the cloud have not, even if the items concerned are secured by password or a form of encryption.

In the short term, with the law trailing technology by miles, many constitutional issues concerning cloud computing and the “reasonable expectation of privacy” doctrine remain unclear. This could impede the growth of cloud computing. If you still want to make use of a cloud computing service, be aware of the risks and read the privacy policy of the service provider carefully to become aware of your rights. For the time being if you want to be safe and do not want it discovered, then do not put it on line.

- Cavoukian, Ann: Privacy in the Clouds : A White Paper on Privacy and Digital Identity: Implications for the Internet.
-
Couillard, David A.: The Cloud and the future of the Fourth Amendment.
-
Couillard, David A.: Defogging the Cloud : Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing. Minnesota Law Review, 93 (2008-2009), pp. 2205-2239
- Katz v. United States,
389 U.S. 347
-
Kerr, Orin S.: The case for the third party doctrine. Michigan Law Review, 107(2008-2009), pp. 561-601
-
Urquhart, James: Does the Fourth Amendment cover ‘the cloud’?

No comments: