Hey, feds, get off of my cloud

Our jury’s still out, and there’s so much stuff to catch up on.  There’s the 5th Circuit’s denial of Jeff Skilling’s appeal, even though the Supreme Court had struck down the “honest services fraud” charge last summer.  We were so ready to write something about it yesterday, but work intervened, and now we’re not in the mood.  Maybe this weekend.

Instead, we’re all intrigued about the Senate hearings earlier this week on whether federal law enforcement ought to get a warrant before doing any search and seizure out there in the cloud.  Apparently, the Obama administration says the warrant requirement is just too much of a hassle.

The term “cloud computing” covers a lot of things, but for these purposes we’re talking about people storing data not on their own hard drives, but out there somewhere in the ether of the internet.  Of course, “out there somewhere” means “stored on someone else’s servers.”  Which means it’s there for the taking (or destruction) if those remote servers were to be compromised.  And of course, that means it’s out there for the seeing if law enforcement decides to go poking around in the cloud.

As the law currently stands, if an email is more than 180 days old, the feds are allowed to snag it without a warrant, under the 1986 Electronic Communications Privacy Act.  In yet another bit of Orwellian fractal weirdness, the ECPA was designed to ensure that online communications had just as much privacy protection as anything in the offline world.  (Given the erosion of Fourth Amendment protections in the brick-and-mortar world, a cynic might be tempted to crack that the ECPA has lived up to its expectations.)

As Vermont senator Patrick Leahy put it last September, when the Senate first starting considering changes to the ECPA, the statute

was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times

Think of it this way:  You’re storing your emails on a third party’s servers.  Isn’t there some lessening of your privacy expectations in that situation?  And on top of that, until maybe six or seven years ago, it wasn’t that outrageous to deem emails left on a third party’s servers for more than six months — instead of storing them to one’s own hard drive or local server for preservation — to be “abandoned.”  AOL users lost their emails after just a month or so.  If you didn’t actively save it to your hard drive, you didn’t want it.  (Forget, of course, the user’s reasonable expectation that the email would no longer exist in the first place.  Do not waste brain cells wondering whether one can abandon something that one believes to have already been destroyed.)

The point is, the law sort of made sense back in the 80s.  And it still kinda made sense when Google was new and Facebook was still in the future.

But now, things have changed.  In ways that are both dramatic and obvious to anyone who might be reading this post.  Now, by default, the vast majority of users do not store their emails locally (if they even know how to do so).  Emails are almost always accessed through a third party’s servers.  Almost nobody downloads their emails — and even if they do, the original remains on the server.

The vast majority of users expect that their emails, protected by their usernames and passwords, will remain private.  Even though the emails are stored out there in the cloud, the ordinary reasonable expectation is that they are private.

As we all know, the Fourth Amendment prohibits the search and seizure of stuff where there is a reasonable expectation of privacy, unless law enforcement gets a warrant based on a showing of probable cause to believe that particular evidence of a particular crime will be discovered by the search.  (For those of you desiring a quick primer on the various exceptions that apply, you can certainly do worse than to listen to N. Burney and G. Mehler’s brilliant CLE lecture, “Search and Seizure in 60 Minutes“)

The exceptions to the Fourth Amendment essentially boil down to situations where the evidence would cease to exist if a warrant were sought, or there’s some other thing we want the police to be able to do (such as make sure people are safe) that might be deterred if they weren’t allowed to use evidence observed in the process.  None of the exceptions are based on a policy of “we probably wouldn’t have probable cause to search in the first place.”

But that is precisely the policy offered by the Obama administration this week.  We kid you not.  Here’s associate deputy attorney general James A. Baker, testifying on why the administration doesn’t want to have to get a warrant to search the cloud:

In order to obtain a search warrant for a particular e-mail account, law enforcement has to establish probable cause to believe that evidence will be found in that particular account. In some cases, this link can be hard to establish.

And if they aren’t allowed to search in cases where they cannot establish probable cause in the first place?  The consequences would be dire, he says.

The government’s ability to access, review, analyze and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers and other malicious actors.

They’ve gotta be kidding.  This is about as outrageous a policy as we’ve come across.  Justifying it because “omigod, think of the horrible things that could happen if we had to comply with the law” is something we’d have little patience for if uttered by a sophomore in college.  Hearing it from the Justice Department is not amusing.

Fortunately, the at least one of the courts doesn’t seem to be in agreement with the administration on this one.  The 6th Circuit ruled a few months ago that a warrant is, indeed, required for a search of cloud-based emails.  Here’s hoping that others follow.

Of course, what would be better would be for Congress to amend the ECPA so people don’t have to get convicted based on illegally-seized evidence first, and incur the expense of a trial and a couple appeals, before the other circuits are able to weigh in.

Tags: , ,

Get a Trackback link

1 Trackbacks/Pingbacks

  1. Pingback: Hey feds, get off of my cloud (Followup) - The Criminal Lawyer - Commentary on Law and Policy on May 17, 2011

2 Comments

  1. James Greenier, April 12, 2011:

    I love the design and content layout. Your slogan is a trip as well.
    I nominated your site for a webby in the legal category.

    James

  2. Alan Ringwald, April 15, 2011:

    this really needs to get to the supreme court already… there’s way too much up in the air in terms of internet privacy

Leave a comment

Time limit is exhausted. Please reload the CAPTCHA.