THE CONSTITUTIONAL ISSUES OF CLOUD COMPUTING

What would the Founding Fathers think about Internet-based “cloud” computing?

Would James Madison, for example, agree with some current interpretations of the Fourth Amendment, which hold that old-fashioned letters stored in a dresser drawer enjoy stronger legal protection against search and seizure than an e-mail stored on the Web or a private post left for a friend on Facebook?
In a world where every computer is connected, where it doesn't matter whether your e-mail is on the hard drive in your bedroom or a server half a world away, where your critical company documents can be viewed from anywhere, where would the Founding Fathers draw the line for law enforcement? The "cloud," already well formed with Hotmail and Google docs, is a potential treasure trove for police investigators. But how can we make sure the cloud doesn't rain all over Americans' Fourth Amendment rights to avoid unfair searches?


That's the goal of a new coalition behind the Web site DigitalDueProcess.org. The group includes strange bedfellows, ranging from the right-leaning Americans for Tax Reform and the Competitive Enterprise Institute to the liberal American Civil Liberties Union. Google, Microsoft, Intel and a host of other technology companies are also involved. Their main goal is a rewrite of the outdated Electronic Privacy Communications Act of 1986 for the 21st Century.
“Technology has changed dramatically in the last 20 years, but the law has not,” said Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, another member of the coalition. “The traditional standard for the government to search your home or office and read your mail or seize your personal papers is a judicial warrant. The law needs to be clear that the same standard applies to email and documents stored with a service provider while at the same time be flexible enough to meet law enforcement needs.”
Descriptions vary, but cloud computing generally refers to storing information or software on computer servers that can be accessed from multiple locations around the world – Gmail is a good example -- as opposed to data that must be accessed by someone who has physical access to a local computer or hard drive. Today, the rules of evidence gathering apply differently to data in the cloud.
Ryan Radia, a spokesman for the libertarian think tank the Competitive Enterprise Institute, said that there is plenty of judicial confusion about application of search and seizure laws to electronic communication -- in fact, federal courts have issued contradictory rulings. But in general, many Internet service providers turn over electronic records to investigators in response to a simple subpoena, while old-fashioned paper records require the higher standard of a judge-issued warrant. Just because information travels over a wire and sits on a server doesn't mean it should be less protected by the Constitution, Radia argued.
"If you get a letter from a friend of relative in the mail and leave it in the file cabinet in the basement, if law enforcement wants to read it they have to get a search warrant," he said. "But with cloud computing … judges have interpreted that the information has been handed over to third parties and is no longer considered to be private. Federal law ought to protect that information in the modern age."
More than theoretical constitutional issues are at stake. There's also real money. Tech companies like Microsoft and Intel are worried that concerns about privacy could stunt the growth of cloud computing, and recent research by the Pew Internet and American Life Project seems to validate this concern.
The report found that 69 percent of online Americans use at least one cloud service, such as Web-based e-mail, and 64 percent of them said they were concerned that law enforcement agencies could access their files. Only 22 percent said they weren't concerned.
"We run the risk of users lacking trust in cloud computing and in many information services if a user cannot be confident their information will remain secure," Radia said. "If cloud computing is going to realize its full potential, if the industry is going to succeed, we need to be sure there is privacy protection. We can't expect the technology to work around the limitations of federal law."
Among the groups' top goals: members want federal law to be "technologically neutral," meaning that search and seizure requirement would apply uniformly, regardless of the technology involved. That would mean a private communication -- be it handwritten or electronic -- would be governed by the same rules of evidence gathering. They also want to clear up inconsistencies in the application of federal law. Currently, in some cases, there's a lower legal standard for law enforcement to intercept an e-mail in transit than for that same agencies to read an e-mail stored on a recipient's computer. In other words, a single e-mail can be governed by various different legal standards during its life-cycle.
"A particular category of information should be afforded the same level of protection whether it is in transit or in storage," the group says in its "guiding principles."
While the group has gone to some pains to avoid sounding as if they are attacking law enforcement agencies, don’t expect them to hop on board the effort. Updates to the Electronics Communications Privacy Act would almost certainly curtail use of some evidence-gathering tools, such as the FBI’s much-maligned Carnivore software, which was designed to capture e-mail and Web transmissions going into and out of Internet Service Provider servers.

The group has already received a relatively warm welcome on Capitol Hill. House Judiciary Committee Chairman John Conyers, D-Michigan, has said he would hold hearings this spring on potential updates to the Electronic Communications Privacy Act.
“Many Americans take for granted the protections of the Bill of Rights that prevent the government from coming into people’s homes without a valid search warrant. The rise of cloud computing should not diminish these privacy safeguards,” said Mike Hintze, Microsoft’s associate general counsel, in a blog post.
Change will not be easy, however, and isn't expected this year. Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number") noted Lee Rainie, head of the Pew Internet and American Life Project. And when it comes to law enforcement issues, their opinions are even more contradictory, particularly since Sept. 11, 2001.
"Americans are concerned with bad actors doing bad things, and if you ask them if they are comfortable with law enforcement checking (online data) related to people who, for example, are going to hurt children, by and large they are," he said. On the other hand, they really value privacy, and are not comfortable with government agents having broad access to their data, he said. "The way people think about privacy is very context sensitive," he added.