Court Rules Users Have Expectation of Privacy in the Cloud


On December 14, 2010, the Sixth Circuit Court of Appeals ruled in U.S. v. Warshak that provisions of the Stored Communications Act (a part of the Electronic Communications Privacy Act) allowing law enforcement access to email without a warrant are unconstitutional. As ITIF and others have noted before, the Electronic Communications Privacy Act (ECPA), enacted in 1986, has not kept pace with the advancement of technology. ECPA establishes standards for government access to email and other electronic communications in criminal investigations. Of particular concern is the fact that an individual’s data receives different levels of legal protection depending on where it is stored and how long it has been stored. This means that the privacy of a person’s email may be different if it is stored on his or her PC versus if it is stored with an ISP or a third-party provider in the cloud. These unresolved questions and others about the privacy of data in the cloud present a serious challenge to adoption by some users, especially businesses that wish to assure strong legal protections for their data.

At issue in this case were specific provisions of the Stored Communications Act (SCA) that authorize government investigators to require the disclosure of electronic communications from a third-party provider (e.g. an ISP or email service provider). The SCA requires investigators to obtain a search warrant for electronic communication that has been stored for 180 days or less. However, after 180 days the government can obtain the data using only an administrative subpoena. There are important legal differences between a search warrant and a subpoena. A search warrant is issued by a judge and requires a law enforcement official to provide a sworn affidavit citing probable cause that criminal activity is occurring or that evidence of a crime may be found. In contrast, an administrative subpoena can be issued by a law enforcement investigator (e.g. an FBI agent) without prior judicial approval. Subpoenas can be challenged, but since there is no requirement for the customer to be notified of the subpoena, there is often no opportunity to challenge it. In addition, the SCA provides service providers legal immunity for complying with subpoenas, thus giving service providers little incentive to challenge them.

This legal issue was addressed recently in U.S. v. Warshak. The case involved two individuals charged with and convicted of running a fraudulent male sexual enhancement supplement distribution company. The defendants argued that the government’s warrantless seizure of 27,000 private emails violated their Fourth Amendment protections against unreasonable searches and seizures. The court agreed, striking a blow to the constitutionality of the SCA. In the ruling, Judge Danny Boggs writes, “Accordingly, we hold that a subscriber enjoys a reasonable expectation of privacy in the contents of emails ‘that are stored with, or sent or received through, a commercial ISP.’…The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.”

While this case helps assure individuals that their Fourth Amendment rights apply to emails stored both on a PC in their home and in the cloud, this ruling should not discourage Congress from providing a comprehensive update to ECPA. Government access to other data such as electronic documents, location data, text messages, Internet search queries and posts made on social networks must still be resolved. These steps are not about weakening the ability of law enforcement to do what it needs to do to protect Americans and fight crime and terrorism. They are about making sure that the rules law enforcement must abide by are technology neutral.

To read more about these issues, visit Digital Due Process.

Photo credit: Flickr user bloomsberries


About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.