Regulating the Cloud: Warshak v. United States
We are once again changing how we organize computers. In the past, we moved from mainframes to mini computers to freestanding personal computers. The introduction of ubiquitous networks tying together these computers has had important consequences in area after area (I discuss this generally here in the context of cyber-security and more specifically for copyright here).
We are now moving towards a cloud organization for data. Some content may be stored locally on your machine, while other content—content that you in some powerful sense think belongs to you—will be stored remotely. Where actually? You won’t have a clue. For those data—data stored in the cloud—we need to define the respective rights of all of those with access to the data. I have blogged on this before in the context of data portability. The recent tussle between Google and the European Union over how long Google would keep search data is another example (Google has revised its practices and will now keep data for only 18 months rather than two years). These are the front lines of the law of cloud computing.
Today, the Sixth Circuit issued a decision in Warshak v. United States that addresses Fourth Amendment rights for remotely stored e-mail. (Hat tip: Orin Kerr.) This is another step on what will be a path of increasing interest and difficulty: how will we regulate the cloud?
Piecemeal, I suspect, and Warshak represents one piece. In March 2005, the federal government launched a criminal investigation of Steven Warshak. As part of that, the government obtained a sealed order issued under the Stored Communications Act that required Warshak’s Internet service provider to disclose customer account information to the government as well as the contents of e-mail messages. The ISP was barred from disclosing the order to its customer. More than a year after the initial order, when the magistrate unsealed the order, the United States notified Warshak of the order as well as a second order that had been issued relating to Warshak’s Yahoo account.
Warshak filed a lawsuit claiming violations of both the Stored Communications Act and the Fourth Amendment. There is a lot of search-and-seizure inside baseball here, especially about the circumstances under which the government must proceed under the higher probable cause standard of the Fourth Amendment versus when it is allowed to compel disclosure from third parties such as an Internet service provider under the weaker standards of a subpoena.
For our purposes, the critical issue in the case is the expectation of privacy that is appropriate for e-mail. This takes us back to the question of computer organization and the emerging cloud. Presumably, I have my greatest expectation of privacy for e-mails stored locally on my home machine. Yes those e-mails were transmitted over the wires briefly, but just like telephone calls, I don’t lose my expectation of privacy merely because I am using the public phone network. So the Supreme Court held in the mid-1960s. Local storage should be where the expectation of privacy is greatest.
How does remote storage change this calculation? Here is what the Sixth Circuit says:
In instances where a user agreement explicitly provides that e-mails and other files will be monitored or audited ..., the user’s knowledge of this fact may well extinguish his reasonable expectation of privacy. Without such a statement, however, the service provider’s control over the files and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy ... .
Now we can see how cloud organization matters. Absent remote storage, no other party would have access to the stored e-mails. The possibility of access through the ISP operates as a tax on remote storage. How that storage works may matter. Google’s e-mail service is free, but comes with ads, and those ads are keyed to the content of the e-mail.
This doesn’t mean that Sergey and Larry are reading my e-mail, but it does mean that Google operates as to the actual content of the e-mail. Does that give Google sufficient access such that I have given up my reasonable expectation of privacy? (And note we are operating in Fourth Amendment land: you might think that I could give up privacy as to one person and still claim it against the world, but I gather, as an outsider to the field, that even giving up privacy as to one person changes the Fourth Amendment analysis.)
The Sixth Circuit doesn’t quite get there. There is a discussion in the opinion of using technology to screen e-mail for viruses, spam and pornography. The Sixth Circuit makes clear that that sort of access is insufficient to give up the expectation of privacy because that is not tied to the content of the e-mail:
But the reasonable expectation of privacy of an e-mail user goes to the content of the e-mail message. The fact that a computer scans millions of e-mails for signs of pornography or a virus does not invade an individual’s content-based privacy interest in the e-mails and has little bearing on his expectation of privacy in the content.
The Sixth Circuit doesn’t take the next step, but I think that we should: even automated access ala Google e-mail shouldn’t change privacy expectations.
The cloud is coming and indeed may be here already. Regulation always lags technology and then catches up in fits and starts. Warshak makes clear that we will decide cases as we always have, one by one based on the closest available past practice. In doing that, short of legislation, we will decide how we are going to regulate the cloud.