Privacy in the Clouds: Consequences of Third Party Storage for Individuals and Businesses
Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. Information stored with a third party (including a cloud computing provider) may have fewer or weaker privacy protections than information in the possession of the creator of the information. Government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. The expanded ability of the government and others to obtain information from a third party affects both businesses and individuals.
Compelled Disclosure to the Government
For information that would have otherwise been in the sole possession of a user, the transfer of the information to a cloud provider creates new opportunities for the information to end up in government hands without notice to the user and without the user having an opportunity to object. For many users, the loss of notice of a government demand for data is a significant reduction in rights.
United States v. Miller
A seminal court case about the privacy of information held by a third party is United States v. Miller. Miller was convicted of federal crimes based in part on evidence obtained from his banks. The government served subpoenas on the banks, and neither the banks nor the government notified Miller about the demand for or production of the records. Miller argued that the government’s obtaining and use of his bank records violated his Fourth Amendment rights against unreasonable searches and seizures.
The Supreme Court found that the government’s demand on the banks did not affect any Fourth Amendment interests of the depositor. The Court stated expressly that the records were not respondent’s private papers but were business records of the banks that were voluntarily conveyed to the banks and exposed to bank employees in the ordinary course of business. Thus, the records were not entitled to the Fourth Amendment’s protection against the compulsory production of private papers.
While there are some aspects of Miller that may be unique to banking, the case stands generally for the proposition that an individual’s personal record held by a third party does not have the same constitutional privacy protection as applies to the same record held by the individual. From a privacy perspective, this proposition is unsettling because of the volume of personal information necessarily held by third parties today. Third parties that maintain personal information include banks, credit card companies, utilities, health care providers, insurers, various kinds of websites, transit authorities, government agencies, and others.
Shortly after the Supreme Court decided Miller, the Congress took steps to overturn the decision in part. The Right to Financial Privacy Act limits the ability of the Federal Government to obtain customer financial records from banks. The Act requires the government to notify a bank customer of its subpoena, summons, or formal written request for the customer’s bank records and provides the customer with an opportunity to challenge the demand in court prior to disclosure. The law also allows for delay of notice under specified conditions, it includes numerous exceptions to notice, and it offers a customer limited grounds for challenging governmental process. The ultimate value to customers of the law’s notice and opportunity to challenge is debatable. Nevertheless, the law establishes a narrow statutory precedent that limits government access to third party records in the interest of privacy.
Electronic Communications Privacy Act (ECPA)
In an electronic environment, the Electronic Communications Privacy Act of 1986 (ECPA) provides some protections against government access to electronic mail and other computer records held by third parties (e.g., Internet service providers).
ECPA sought to bring the constitutional and statutory protections against the wiretapping of telephonic communications into the computer age. ECPA is a difficult law to understand and apply, in part because the law is old and relies on a model of electronic mail and Internet activity that is generations behind current practice and technology. Most observers agree that ECPA is significantly out-of-date in at least some ways. Nevertheless, ECPA reflects a legislative recognition that some Internet activities deserve protection from the Miller proposition that there is no reasonable expectation of privacy in records maintained by third parties. The difficulty with ECPA is figuring out what those protections apply to and when.
Distinctions recognized by ECPA include electronic mail in transit; electronic mail in storage for less than or more than 180 days; electronic mail in draft; opened vs. unopened electronic mail; electronic communication service; and remote computing service. Case law and scholarly discussions continue to address and debate the proper application of the ECPA’s distinctions to current Internet activities. The courts have struggled in applying ECPA to situations not contemplated by the law’s drafters.
The precise characterization of an activity can make a significant difference to the protections afforded under ECPA. For example, if an “electronic communications service” holds a text message in “electronic storage”, then law enforcement requires a probable cause warrant to obtain access. If a “remote computing service” stores the same text message on behalf of the subscriber, then law enforcement does not need a warrant, and a subpoena is sufficient. Whether a search engine or social networking site is a remote computing service remains in dispute.
The privacy protections available under ECPA for the wide range of cloud computing activities are difficult to predict. Indeed, simply identifying all cloud computing applications would be a significant challenge by itself. Factors that may affect the proper application of ECPA to cloud computing activities include:
1) The precise characterization of the activity as a communication or as storage (which itself may come in several flavors), complicated by the recognition that an activity can move from being a communication to being a stored communication depending on time and possibly other factors,
2) Whether the information in question is content or non-content (e.g., header or transaction information),
3) The nature of the service, e.g., whether it is an electronic communication service or a remote computing service,
4) The terms of service established by the cloud provider,
5) Any consent that the user has granted to the provider or others,
6) The identity of the service provider, for example, if the cloud provider is itself a government agency, the provider’s obligation would be different from those of a non- governmental cloud provider, and the rights of users would also be different.
It is unlikely that anyone could provide a definitive opinion about the privacy protections available for information in the cloud against a government or other demand for disclosure. The protections might or might not be greater than those otherwise available for records held by a third party. The significant uncertainty that surrounds protections against government demands for information held by cloud providers is the point here.
USA PATRIOT Act
The federal government’s authority to compel disclosure of records held by cloud providers extends beyond ECPA. The USA PATRIOT Act, as originally enacted in 2001 and amended in 2005, includes provisions allowing the FBI access to any business record. Although a court order is required, the FBI’s authority under the USA PATRIOT Act is sufficient to extend to a record maintained by a cloud provider.
Other provisions of the Act expanded the government’s ability to use a National Security Letter (a form of administrative subpoena) to obtain records. The authorities that are found in the USA PATRIOT Act weaken some of the privacy protections previously found in ECPA, and they generally expand the government’s ability to compel disclosure. Those who receive an order to disclose information under these authorities are highly limited in their ability to reveal that they received the order. That means that a user who provided records to a cloud provider for storage or processing is not likely to know that the government obtained the records.
Disclosure to Private Parties
The government is not the only entity that might seek to obtain a user’s record from a cloud provider. A private litigant or other party might seek records from a cloud provider rather than directly from a user because the cloud provider would not have the same motivation as the user to resist a subpoena or other demand. Disclosures to third parties by a cloud provider could create problems with other laws, principles, and interests.
HIPAA and compelled disclosures
The HIPAA health privacy rule imposes some limits on compelled disclosures. A legal demand by a private party to a cloud provider for disclosure of protected health information would have to follow the procedures set out in the rule governing judicial and administrative proceedings. In general, the rule means that anyone seeking access via a court order, subpoena, discovery request, or the like must notify the patient, and the patient has an opportunity to object to the disclosure. The necessity under HIPAA for a business associate agreement means that a cloud provider should be on notice that it maintains patient records to which specific procedures apply if the provider receives an order for disclosure of a record that the provider holds on behalf of a covered entity. While the burden of those procedures falls on the person seeking the records, demands for records held by a cloud provider for a covered entity can raise more complex problems of control and compliance.
In contrast to HIPAA, other personal information shared by a business with a cloud provider is not likely to have similar requirements for an agreement between the business and the provider. When a cloud provider allows anyone to use its facilities without any contractual or other prearrangement, the provider may know little or nothing about the information that a user puts in the cloud. If a cloud provider is not contractually obliged to consult with the user, is not motivated to consult with the user, or is actively prevented from notifying the user, any subsequent disclosure by way of court order or subpoena may have unwanted consequences for the user or for the ultimate data subject.
Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) imposes limits on the use of credit reports by a user of credit report to a permissible purpose. If a creditor stores a credit report with a cloud provider, and a third party obtains the report from the cloud provider, the legal limit on use could be violated.
An FCRA violation could also occur if the cloud provider uses the stored credit report for an improper purpose. The FCRA imposes a restriction on credit report users, but it does not have a mandatory procedure comparable to the HIPAA business associate agreement that would inform a cloud provider that it has information subject to disclosure limits. Thus, a credit grantor that casually stores records with a cloud provider could unexpectedly confront a legal problem.
Other privacy laws
Other privacy laws that impose limits on the use and disclosure of personal information could also be violated by activities of a cloud provider. Consider a cloud provider that stores information on behalf of a company subject to a privacy law, such as the Video Privacy Protection Act that limits some disclosures of customer data. If the cloud provider’s terms of service allow the provider to see, use, or disclose the information, the cloud provider’s actions could result in a violation of the law.
For example, a cloud provider’s general reservation of rights might give the provider the ability to read records about a user’s customer, and then to use the information to market directly to the customer in violation of a privacy law applicable to the user. The cloud provider may have no notice or way to determine if information stored with it is subject to legal restrictions. It may not care. Use of information by a cloud provider could expose the user to liability because its actions resulted in an invasion of the privacy interests of individuals that a law obliged the user to protect.
These types of situations are more likely to arise when a cloud provider operates under terms of service that reserve for the provider broad rights to use or disclose information shared by a user. Problems may also arise when a user (e.g., corporate or government employee) makes an ad hoc decision to share data with a cloud provider without adequate legal review of the terms of service or consideration of any applicable restrictions on data.
Bankruptcy of a cloud provider
Storage of trade secrets with a cloud provider could have legal consequences. Consider a company that owns a trade secret and that places the trade secret in a document disclosed to a cloud provider. This scenario presents two different types of risks.
First, according to the Uniform Trade Secrets Act, a trade secret must be, among other things, “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Whether disclosure of the trade secret to a cloud provider would violate the obligation to make reasonable effort to maintain secrecy is debatable. Arguably, even if the terms of service established by the cloud provider recognize the confidentiality of information given to the cloud provider, it might not be enough to avoid that debate. However, terms of service that give the cloud provider rights to see, use, or disclose information would provide a strong basis for an argument that the trade secret no longer exists.
Second, consider a private litigant that seeks to obtain records from a cloud provider rather than from the owner. The owner would be able to resist a subpoena for the trade secret by seeking to quash the subpoena. However, the cloud provider would not necessarily be under any obligation to resist a subpoena or to notify the main party at interest that it received a subpoena.