We are once again changing how we organize computers. In the past, we moved from mainframes to mini computers to freestanding personal computers. The introduction of ubiquitous networks tying together these computers has had important consequences in area after area (I discuss this generally here in the context of cyber-security and more specifically for copyright here).
We are now moving towards a cloud organization for data. Some content may be stored locally on your machine, while other content—content that you in some powerful sense think belongs to you—will be stored remotely. Where actually? You won’t have a clue. For those data—data stored in the cloud—we need to define the respective rights of all of those with access to the data. I have blogged on this before in the context of data portability. The recent tussle between Google and the European Union over how long Google would keep search data is another example (Google has revised its practices and will now keep data for only 18 months rather than two years). These are the front lines of the law of cloud computing.
Today, the Sixth Circuit issued a decision in Warshak v. United States that addresses Fourth Amendment rights for remotely stored e-mail. (Hat tip: Orin Kerr.) This is another step on what will be a path of increasing interest and difficulty: how will we regulate the cloud?
Piecemeal, I suspect, and Warshak represents one piece. In March 2005, the federal government launched a criminal investigation of Steven Warshak. As part of that, the government obtained a sealed order issued under the Stored Communications Act that required Warshak’s Internet service provider to disclose customer account information to the government as well as the contents of e-mail messages. The ISP was barred from disclosing the order to its customer. More than a year after the initial order, when the magistrate unsealed the order, the United States notified Warshak of the order as well as a second order that had been issued relating to Warshak’s Yahoo account.
Warshak filed a lawsuit claiming violations of both the Stored Communications Act and the Fourth Amendment. There is a lot of search-and-seizure inside baseball here, especially about the circumstances under which the government must proceed under the higher probable cause standard of the Fourth Amendment versus when it is allowed to compel disclosure from third parties such as an Internet service provider under the weaker standards of a subpoena.
For our purposes, the critical issue in the case is the expectation of privacy that is appropriate for e-mail. This takes us back to the question of computer organization and the emerging cloud. Presumably, I have my greatest expectation of privacy for e-mails stored locally on my home machine. Yes those e-mails were transmitted over the wires briefly, but just like telephone calls, I don’t lose my expectation of privacy merely because I am using the public phone network. So the Supreme Court held in the mid-1960s. Local storage should be where the expectation of privacy is greatest.
How does remote storage change this calculation? Here is what the Sixth Circuit says:
In instances where a user agreement explicitly provides that e-mails and other files will be monitored or audited ..., the user’s knowledge of this fact may well extinguish his reasonable expectation of privacy. Without such a statement, however, the service provider’s control over the files and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy ... .
Now we can see how cloud organization matters. Absent remote storage, no other party would have access to the stored e-mails. The possibility of access through the ISP operates as a tax on remote storage. How that storage works may matter. Google’s e-mail service is free, but comes with ads, and those ads are keyed to the content of the e-mail.
This doesn’t mean that Sergey and Larry are reading my e-mail, but it does mean that Google operates as to the actual content of the e-mail. Does that give Google sufficient access such that I have given up my reasonable expectation of privacy? (And note we are operating in Fourth Amendment land: you might think that I could give up privacy as to one person and still claim it against the world, but I gather, as an outsider to the field, that even giving up privacy as to one person changes the Fourth Amendment analysis.)
The Sixth Circuit doesn’t quite get there. There is a discussion in the opinion of using technology to screen e-mail for viruses, spam and pornography. The Sixth Circuit makes clear that that sort of access is insufficient to give up the expectation of privacy because that is not tied to the content of the e-mail:
But the reasonable expectation of privacy of an e-mail user goes to the content of the e-mail message. The fact that a computer scans millions of e-mails for signs of pornography or a virus does not invade an individual’s content-based privacy interest in the e-mails and has little bearing on his expectation of privacy in the content.
The Sixth Circuit doesn’t take the next step, but I think that we should: even automated access ala Google e-mail shouldn’t change privacy expectations.
The cloud is coming and indeed may be here already. Regulation always lags technology and then catches up in fits and starts. Warshak makes clear that we will decide cases as we always have, one by one based on the closest available past practice. In doing that, short of legislation, we will decide how we are going to regulate the cloud.
Egad. It's "those data."
Posted by: jimbino | June 18, 2007 at 05:43 PM
thanks. fixed.
Posted by: Randy Picker | June 18, 2007 at 05:45 PM
From what I have been told by most sys admins, you should operate under the assumption that all e-mail is being read.
Posted by: nessy | June 18, 2007 at 07:46 PM
Email isn't quite like sending a phone conversation across a wire. Normally, your ISP holds a copy of your email on their remote server until you download it. And then, usually the email remains on the server unless your email program asks the server to delete the email. This may or may not be the default; it depends on your software. (The exception is if you are running your own server, which most people are not.) So for a certain period of time at least, almost everyone's email is stored on a remote server.
I don't know if that really changes anything you've said (probably not).
Posted by: Stephen | June 18, 2007 at 08:40 PM
Depending on how this case ultimately goes, this is one of the reasons I've been watching the growth of the whole "web services" sector with such ambivalence. Once your documents are somewhere out there in the cloud, especially (in the US) under the current trend toward authoritarianism and data mining, it's much easier for prosecutors and courts to make and sustain the argument that there really isn't an expectation of privacy.
The third-party aspects also change the calculations for a subpoena, because the third party holding the data has only indirect and second-order interests in attempting to quash even the flimsiest request. (They might not want to spend the money on an infrastructure for compliance, or they might think, in the few competitive situations left, that a reputation for too-easy compliance will lose them subscribers, but otherwise why buy trouble?)
Posted by: paul | June 19, 2007 at 10:55 AM
Can George Soros' Open Society be far off?
Posted by: Joan A. Conway, | June 19, 2007 at 01:46 PM
When sending an e-mail, it is generally intended for review by a person or company of your choice. When you postal mail a letter to someone, you are not expecting (and would not desire) a multitude of unknown persons to open your letter and read or photocopy it's contents. E-mails should have the same expectations. I dont know anyone who would knowingly sign on with an e-mail provider that would specialize in distributing your e-mails to thousands of people so they could read them, and that you would agree to that up front. So clearly, we have an expectation of privacy with our mail and our e-mails. E-mails are simply "inaudible communications" that should enjoy the same protections that telephone conversations and postal mail have. We need to stop being duped by the argument that e-mails transmission method somehow makes it ok that we should not have an expectation of privacy because it travels through so many places and we seemingly have no control over it.
Posted by: DigitalCommando | June 27, 2007 at 09:51 AM
I am bit late with my comments, however, I wonder if someone who understands what the Sixth Circuit was doing here can answer my question. It appeared to me that the court relied on US v. Simons to say that a user's reasonable expectation of privacy may be extinguished by a user agreement which explicitly provides that emails and other files will be monitonered or audited. My understanding was that Simons applied to service provider functions and duties, where monitoring, auditing and inspecting are allowed for the protection of and to ensure an employee's appropriate use of an employer's computer network/system. In Warshak, the acquisition of email content and other information was done at the request of a law enforcement agency. This activity includes the identification and targeting of a person as a subject of investigation for crimnal prosecution. This differs from the service provider's function and purpose. Should that distinction not make a difference under the fourth amendment?
If I understand the court's opinion correctly, I agree the Miller line of cases should not apply to electronic communications; but then to say law enforcement agencies can get around the fourth amendment simply by an ISP's use of a banner or user agreement, seem to fly in the face of societal expectation of what is private and what is not. Please help.
Posted by: CCM | October 02, 2007 at 01:10 AM