Lost in the cloud: cloud storage, privacy, and suggestions for protecting users' data.

Author:Johnson, Eric

Table of Contents Introduction I. What Is Cloud Storage? II. What Laws Protect the Privacy of Data in the Cloud? A. The Stored Communications Act B. The Fourth Amendment 1. The third-party doctrine 2. A cloudy battleground: the third-party doctrine and the Internet III. Cloud Storage and the Fourth Amendment A. Applying Katz to Cloud Storage B. The Third-Party Doctrine and the Reasonable Expectation of Privacy in Cloud Storage C. Why the Third-Party Doctrine Does Not Fit Cloud Storage IV. Terms of Service and Privacy in Cloud Storage A. Historical Acceptance of Provider Access to User Data B. The Effect of Terms of Service Agreements C. Examples of Cloud Storage Providers' Terms of Service V. Possible Solutions to Problems Created by Terms of Service and Privacy Policies A. The Problem with Current Third-Party Doctrine Implications for the Cloud: An Example B. Better Business Practices to Help Cloud Storage Providers Protect User Data Conclusion Introduction

Imagine law enforcement believes that a suspect is storing pirated movies in a Dropbox cloud storage account. The investigation is still in its early stages, but officers are worried that if they wait to establish the probable cause necessary for a warrant, the suspect will continue to collect and distribute the movies. So the authorities send a subpoena to Dropbox demanding all information from the suspect's account, including subscriber information, metadata, and, most importantly, the digital contents. When the suspect signed up for a Dropbox account, he agreed to the "Dropbox Terms of Service," which allow Dropbox to "review [his] conduct and content for compliance with [its] Terms and [its] Acceptable Use Policy," (1) as well as turn over content information to third parties to "comply with the law" and "prevent fraud or abuse of Dropbox or [its] users." (2)

Is the government's subpoena sufficient to compel Dropbox to turn over the user's content information? Should Dropbox demand a warrant? Or has the user already given up his Fourth Amendment privacy rights by entrusting his information to a third party? Should Dropbox access the suspect's account to investigate the authorities' claims and determine whether the suspect has violated Dropbox's "Acceptable Use Policy," which expressly forbids "violat[ing] the law in any way"? (3) And if Dropbox decides to investigate, does accessing the user's stored information affect any reasonable expectation of privacy the user may have held in that information? Would Dropbox's actions make the subpoena sufficient?

If pirated movies seem of little concern, consider other instances of known law enforcement surveillance. In 1963, the Federal Bureau of Investigation wiretapped the phones of Martin Luther King, Jr. under the pretense of determining King's ties to members of the American Communist Party. (4) And after 9/11, the New York Police Department, with significant assistance from the Central Intelligence Agency, spent years monitoring Muslim neighborhoods and community centers. (5) Targets come in all forms.

The evolution of the Internet has presented people with new options for storing information, but the privacy provided by those options is questionable. Cloud storage, one such option, is a method of data storage wherein clients send data through the Internet for storage on one or (typically) multiple data servers, which are owned and operated by a company offering data storage services (a "cloud storage provider"). (6) Often, providers store information in a manner that allows them to access user information to conduct maintenance and ensure compliance with their terms of service. (7) Usually such access occurs through automated scans--scans that are fully computerized and do not involve a human personally accessing the data. (8)

As more information moves into the cloud and big data (9) quantifies our lives, questions about data privacy become increasingly common and important. Privacy in the modern world rests heavily on the decisions made by cloud storage providers, which find themselves in possession of a wealth of stored information--from personal e-mails and calendars to business files and correspondence. Much of this information likely would be considered "private" in common parlance, but the law may not recognize the privacy of that information. For while the Fourth Amendment protects against unreasonable searches and seizures, the Supreme Court, under the third-party doctrine, has traditionally considered warrantless searches and seizures of information entrusted to third parties to be reasonable. (10)

This Note argues that cloud storage users have a reasonable expectation of privacy in the information stored in their cloud storage accounts. This expectation persists in spite of automated scans that cloud storage providers may perform for the general maintenance of their networks.

But any further access to cloud storage a user grants a provider pursuant to the provider's terms of service can affect the user's reasonable expectation of privacy in two ways. First, the terms of service can grant the provider such sweeping access to, and use of, user information that the user's expectation of privacy is simply unreasonable. Second, and far more commonly, the user can, by agreeing to the provider's terms of service, contract to grant the provider access to and use of her information in its normal course of business under particular circumstances. For example, users may agree to human searches of their accounts to investigate potential violations of the terms of service. (11) But simple agreement to such a contract does not eliminate entirely the user's reasonable expectation of privacy. Rather, the user retains full Fourth Amendment privacy rights in her information until the contractually agreed-upon circumstances occur. At that point, the provider's access and use triggers the third-party doctrine and eliminates the user's reasonable expectation of privacy.

Because terms of service can drastically affect a user's privacy, cloud storage providers should protect user privacy by including provisions in their terms of service that formalize the standard for, and scope of, provider access and should promise notice to users when access that affects user privacy occurs. Of course, this risks exposing providers to greater liability because it means making additional promises to users that could be violated, intentionally or unintentionally. Providers should balance this risk with the competitive advantage they may gain in the marketplace given concerns about government access to data in the post-Snowden era. (12) Furthermore, users should keep privacy in mind when deciding which cloud storage service to use and should opt for a service that transparently limits the service provider's access to and use of user information. Together, providers and users can make a strong push for ensuring the privacy of data stored in the cloud.

This Note makes this argument in five Parts. Part I discusses how users interact with cloud storage services and how cloud storage providers can access users' data. Part II delves into the Stored Communications Act (SCA) and the Fourth Amendment to determine if they afford privacy protections to data stored in the cloud. It also discusses the development of the third-party doctrine and its unclear application to the Internet. Part III determines that users do have Fourth Amendment protection for information held in cloud storage and examines if, and when, the third-party doctrine should be applied to cloud storage. Part IV examines a select group of cloud storage providers' terms of service to find when providers can access users' data and how that access affects users' privacy. Finally, Part V shows the problem with the current state of access allowed by terms of service agreements and suggests reasonable solutions to help providers protect users' privacy.

  1. What Is Cloud Storage?

    Cloud storage services, which became available to mainstream consumers in the 2000s, (13) "allow[] users to store data and applications on remote servers owned by others." (14) These remote servers are essentially "global storage facilities [used] to store information electronically and grant access to uploaded information using any electronic device from any location at any time." (15) Users generally must consent to nonnegotiable terms of service when they sign up for an account with a cloud storage provider. (16) The terms of service govern the relationship between the service and user and usually contain terms regarding the provider's access to and use of information and the manner in which a user can and cannot use the service. (17)

    Different types of storage providers offer a range of different services. This Note addresses cloud storage services like Dropbox, (18) Carbonite, (19) and Google Drive, (20) which allow users to create an account and upload files to the cloud for perpetual storage (so long as the account remains open). Many services also offer collaboration tools that allow users to, for example, share files or extend invitations to edit files within the service. (21)

    Importantly, while nearly all cloud storage accounts are password protected, (22) most cloud storage services do not encrypt information uploaded by users in a manner that prevents the provider from accessing the content stored on its servers. (23) Even Apple, which famously encrypts iMessage data from end to end, (24) also backs up those messages by default on its iCloud servers in a manner that makes the content accessible to the company. (25)

    Usually, cloud storage providers retain access to user data due to concerns about security, stability, and control of their networks. (26) Cloud storage services employ different types of automated and human scanning. For example, information may go through automated scanning to detect malware and illegal content or to make sure that the service can properly transmit the...

To continue reading