Cloud cover: privacy protections and the Stored Communications Act in the age of cloud computing.

• Author: Nguyen, Hien Timothy M.

INTRODUCTION

Internet technology has completely revolutionized the way people interact, how companies transact business, and the type and amount of information that is available to the public. From its beginnings as a forum for users to transmit messages to the emergence of social networking and media services, each stage of development has transformed the way we live. Cloud computing has been heralded as the next stage in this evolution, with the potential to transform how both individual users and companies use computers and the Internet. Yet, what is cloud computing and what are the privacy implications for its users?

Cloud computing concerns "both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services." (1) The basis of "the cloud is a collection of [interconnected] computers and servers that are publicly accessible via the Internet." (2) Individual users connect to the cloud from their own computing devices, over the Internet, and "the cloud is seen as a single application, device, or document." (3) The hardware in the cloud, which is the collection of computers and servers, is invisible to the end user. (4) For example, a cloud service such as Google Docs allows me to create documents from my home by logging into Google's website. I, or other authorized users, can then edit that same document while at school, at the airport, or at the library. If someone steals my laptop or if its hard drive crashes, I will still have a copy on the cloud service (and perhaps multiple backups of older versions). Similar services exist for users to purchase computing power (5) or storage space (6) that is accessible on any computer. In the case of computing power, a user developing an application would save on physical space, avoid the cost of buying, maintaining, and operating the servers, and benefit from scalability.

As with most technological advancements, the law is often slow to catch up. While users might have an expectation that the files or applications they store on the cloud are private, the reality is that they may not have as much privacy as they would like to believe. (7) The architecture of the Internet and the way cloud computing services operate means that courts are unlikely to apply Fourth Amendment protections. The current federal statutory framework governing stored electronic communications, the Stored Communications Act (8) (SCA) remains frozen in a 1980s conception of electronic communications. It is a confusing statute (9) that the courts have interpreted in an inconsistent and unclear manner. (10)

This Note argues that the Stored Communications Act and its privacy protections are inadequate in the modern age of cloud computing, especially where users of cloud services might naturally have an expectation of such protection. The Internet has proven itself to be a driving force for economic and technological growth, and cloud computing promises to be the next step in its evolution. However, one legal obstacle to the widespread adoption of cloud computing technologies, especially among corporate users, is that the current legal framework offers inadequate privacy protections. As a result, I propose several amendments to the SCA to bring it up to date with modern technology. In Part I, this Note examines the current state of legal protections for online privacy. I start with the Fourth Amendment and explain how, as it is currently interpreted, Fourth Amendment protections are unlikely to apply to Internet communications because of the third-party doctrine, which holds that users do not have a reasonable expectation of privacy for information disclosed to third parties. Then, I consider the Stored Communications Act, which was Congress's attempt to fill the void of privacy protections for stored electronic communications. In Part II, I discuss the advancements in technology since the SCA, especially the trend towards increased use of cloud computing services. In Part III, I address why the SCA may not be applicable to many of these cloud services. Finally, in Part IV, I discuss expectations of privacy in the cloud and why Congress ought to enhance the SCA's privacy protections. I also propose three modifications to the SCA to achieve this aim of greater privacy protections in the cloud computing age. I will argue that Congress should eliminate the distinction between electronic communications services and remote computing services, that the statute should include a suppression remedy, and that Congress should clarify the limits of voluntary disclosures. I justify these changes based on the privacy interest that users retain in their use of cloud services.

1. LEGAL PROTECTIONS FOR ONLINE PRIVACY

   The right to privacy has been described as "the most comprehensive of rights and the right most valued by civilized men." (11) However, conceptualizing this right has been a "contested endeavor." (12) Some scholars contend that protection of privacy promotes individual autonomy and is essential to deliberative democracy, (13) while others argue for privacy based on economic efficiency. (14) One scholar, Ken Gormley, identified four major approaches to privacy: (1) Roscoe Pound and Paul Freund's view that privacy was "an expression of one's personality or personhood, focusing upon the right of the individual to define his or her essence as a human being"; (15) (2) scholarship like Louis Henkin's marking of privacy "within the boundaries of autonomy--the moral freedom of the individual to engage in his or her own thoughts, actions and decisions"; (16) (3) scholarship such as Alan Westin and Charles Fried's understanding of privacy "in terms of citizens' ability to regulate information about themselves, and thus control their relationships with other human beings, such that individuals have the right to decide 'when, how, and to what extent information about them is communicated to others'"; (17) and (4) the view of scholars like Ruth Gavison who have "taken a more noncommittal, mix-and-match approach, breaking down privacy into two or three essential components," such as "secrecy, anonymity and solitude" (18) or "repose, sanctuary and intimate decision." (19)

   With these often intertwined understandings (20) in mind, the rapid development of new technologies--particularly in the area of the Internet--has presented many new and unforeseen challenges for the protection of privacy, (21) especially since there is a tension in information privacy law between privacy and security. (22) The proliferation of new technologies also brings with it more elaborate record-keeping systems that can reveal the most intimate details of a person's life. (23) Yet, new ways of conducting business and social interactions on the Internet also allow for additional threats to citizens and the State. Security involves society's interest in protecting against these threats, which often includes monitoring and information-gathering activities. (24) These activities also often pose a serious threat to citizens' privacy, because of the vast amount of information that they can reveal. (25) Much of privacy law seeks to provide some sort of balance between these competing interests. This Part examines the primary constitutional mechanism for protecting privacy, the Fourth Amendment, as well as the relevant statute for protecting one's privacy in stored electronic communications--the Stored Communications Act.

   1. The Fourth Amendment and Its Limits

      The Fourth Amendment provides that "It] he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." (26) The Supreme Court has recognized that "[t]he overriding function of the Fourth Amendment is to protect personal privacy and dignity against unwarranted intrusion by the State." (27) Although this has been interpreted to allow for strong protections for a person in his or her physical home, (28) the architecture of the Internet and the way users create, store, and access information on their computers means that Fourth Amendment protections for Internet communications are either unclear or may not exist at all. (29) A typical Internet user does not have a physical "home" or any truly private space on the Internet, but rather different types of accounts with different service providers that are used to store information. (30) These accounts consist of data that is stored on remote servers and the user's private information is sent to private third parties through their remote computers. (31)

      With this in mind, the biggest difficulty in applying current Fourth Amendment doctrine to Internet communications is the courts' narrow interpretation of the Fourth Amendment's reasonable expectation of privacy test in communication networks. (32) Because an individual does not have a reasonable expectation of privacy in information revealed to third parties, (33) and since the architecture of the Internet necessitates data transfers to third-party servers, courts have traditionally been reluctant to find that Internet users retain a reasonable expectation of privacy in information they send over the Internet. (34) Furthermore, "the Fourth Amendment does not apply to a search or seizure ... effected by a private party on his own initiative ... [unless] the private party acted as an instrument or agent of the Government." (35) As most Internet communications services are private actors, there would be no Fourth Amendment protection when a provider searches its own servers for a user's data and discloses it to the government or a third party. (36) Thus, although the Fourth Amendment provides citizens with strong protections from government intrusion into physical spaces, its protections are much more limited in the context of cyber spaces on the Internet. (37)

   2. The Stored Communications Act

      To address the uncertainty in the...