Christopher Soghoian, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era
Comment by: Michelle Finneran Dennedy
PLSC 2009
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553
Workshop draft abstract:
For the last twenty years, users have largely maintained digital possession of their own writings. Consumers would use programs like Microsoft Word and Corel’s WordPerfect to draft letters, and programs like Microsoft Excel or Intuit’s Quicken to manage their own finances. Were the government to take an interest in a document produced by one of these PC owners, law enforcement would have to first obtain a search warrant, and then later visit the person’s home in order to seize their computer. Cloud computing has changed everything. Companies like Google, Microsoft and Adobe provide free access to fully functioning word processing, spreadsheet, presentation and image manipulation software, all through a web browser. End-users can collaborate with others, access their own files from any computer around the world, and not have to worry about the problems of data loss or backups — as the files are automatically backed up, and stored “in the cloud.” While this shift to cloud computing (and in particular, “software as a service”) has brought significant benefits to consumers, it has also come with a hidden cost — their privacy, and the evisceration of traditional Fourth Amendment protections. Because users no longer hold the only copy of their files, law enforcement agents are no longer required to seek a warrant in order to obtain those personal documents. Now, thanks to the third party doctrine, law enforcement can use turn to a subpoena to force Microsoft, Google and the other service providers to turn over user’s private files.
This raises a number of significant privacy issues, such as the far lower evidentiary threshold required for a subpoena, the fact that the service providers often have little to no incentive to fight the request as well as the lack of notification provided to the end user.
Furthermore, this shift provides both law enforcement and intelligence agencies with significant economies of scale in surveillance — that is, instead of obtaining and serving individual warrants on hundreds (or thousands) of users, they can now go to a handful of service providers to obtain that same private information.
This article will examine these an other privacy issues related to cloud computing. First, it will trace the legal history of the third party doctrine, and explore its impact upon cloud based services. It will also explore key cases in which law enforcement agencies were able to force technology companies to modify their products in order to better surveill end-users.
Moving on, it will explore the development and widespread adoption of key cloud computing services. It will highlight some likely future trends which may impact users’ expectation of privacy, including the placement of cloud-based product icons on the desktops of new computers and the development of single-site browsers which may make it difficult for naive users to be aware that they are using an Internet-based product. The article will then trace out a series of “what ifs” to explore potential future pro-privacy developments in cloud computing, such as the local encryption of user’s documents before storing them online, and highlight how even these efforts could be frustrated by law enforcement. Finally, it will conclude with a set of policy and technology recommendations that could help to tip the privacy scales back towards the end-user.