In prior posts we discussed the ethical and security issues that lawyers should consider when deciding whether to use cloud computing platforms in their law practice. In this post we’ll discuss one pressing legal issue that remains unsettled: whether law enforcement must obtain a warrant before accessing data stored in the cloud.
Currently, the Electronic Communications Privacy Act (ECPA) dictates when and how law enforcement agents can access electronic data. This statute has not been significantly revised since 1986 and many argue that it provides little, if any guidance, regarding governmental access to data stored online, given that technology has changed so drastically since the ECPA was enacted.
To that end, the search giant, Google, recently joined the Digital Due Process coalition, a newly formed organization that supports the revision of the ECPA to reflect current technology standards. As explained on the DDP’s website:
(The) ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected.
Very few courts have addressed the Fourth Amendment issues presented by cloud computing and those that have done so have issued conflicting decisions regarding whether law enforcement may access electronically stored data in the absence of a warrant, as explained more fully in this Minnesota Law Review article. The article provides a constitutional framework for the legal analysis of the issues presented, as explained in the summary of the article:
This Note argues that because the Internet has evolved to allow new uses, data placed in the cloud merit some level of Fourth Amendment privacy protection. Fourth Amendment protection requires a subjectively reasonable expectation of privacy. Because limited means exist to conceal virtual containers in the cloud, methods such as encryption and password protection should be analogized to virtual opacity rather than the lock-and-key analogy that has been dismissed by some scholars. Finally, courts should acknowledge the landlord-tenant nature of the relationship between the cloud service provider and the user, and thus the use of cloud platforms should not create a categorical waiver of Fourth Amendment protection under the third-party doctrine.
As of now, these important constitutional questions remain unresolved, but there is a pressing need for our legal system to confront these issues head on and create clear cut, flexible legal standards that will adequately protect our privacy rights from unlawful governmental intrusions in the face of ever evolving technologies.