A reader sends in a link to this recent post by law professor Orin Kerr, on a ruling about how 4th Amendment protections against "unreasonable search and seizure" apply to email. The central question is whether the government needs to inform individual email users when their messages are seized and read -- or whether it is sufficient to notify their internet service provider or mail service, like Google or Yahoo. According to the logic of the ruling, by the sheer act of sending email, a user has transferred custody of the messages to a third party. Thus notifying the third party -- Google, Yahoo, et al. -- is enough, with the sender left in the dark.
As that post describes, the legal comparison-drawing goes in many directions. Is "giving" an email to Yahoo like putting a package in a public storage locker? Is it like putting an envelope in a regular mailbox? Does it matter if the message is encrypted? Etc. But the reader's point is less about the ins and outs of this ruling than about the broader legal/privacy implications of storing information "in the cloud." When you're working in Google Docs, as opposed to using a spreadsheet or document that lives on your computer, have you essentially surrendered custody and control of that information? What if you rely on online "cloud" systems -- Carbonite, SugarSync -- to back up or sync your files? Have you given up custody of those files too? The reader writes:
"Based, in part, on your fondness ["your" referring to me, JF] for storing your documents in "the cloud" via third-party services like Sugarsync, Google Docs, etc., I thought you would find this link interesting. [It concerns an opinion] concluding that email messages - even if they are entitled to 4th Amendment protection - can be retrieved by federal law enforcement authorities WITHOUT NOTICE TO THE SUBSCRIBER. The court's rationale - that the ISP is a "third party" rather than a file cabinet inside the target's "home" - would seem to apply perfectly well to documents stored in the cloud.
"My concern about such matters is one big reason I do not rely much on "cloud" services of which you are so fond. It's not that I have much about myself that is all that interesting to third parties. It's that, as a lawyer, I have an ethical obligation to protect client confidences. And - if [this] reasoning prevails nationwide - this becomes impossible to do if I were to receive no "notice" from the ISP that they had received (or already complied with) a search warrant for my clients' personal stuff.
"To be clear, my clients are mostly indigent disabled people rather than individuals accused of criminal conduct, but - still - these sorts of "big picture" issues are what a lawyer thinks about when he or she is deciding whether to make a wholesale migration to Sugarsync or Google Docs. And, for what it's worth, it is why I think Google and Sugarsync would be well served in joining together to lobby FOR a federal statute imposing strict privacy protection on documents stored in the cloud.
"There is no way I'm putting my business docs permanently online until this issue is clearly settled in favor of privacy. It would, in fact, be unethical for me to do so.... While having copies of all your stuff stored in the cloud may be vastly more convenient than having it in your home-office file cabinet - it is a vastly less safe "place" from a privacy standpoint."
I am not equipped to say more about the legal aspects here. But as a matter of politics and policy, I think the reader's recommendation is exactly right. All parties with a stake in developing cloud-based computing -- Google and Microsoft, IBM and Apple, Yahoo and anyone else you can name -- should push for clearer policy statements about keeping things private even in the cloud. People simply are going to store and share more information this way. That shouldn't mean a further, big, automatic, unintended surrender of privacy, and it would be better to set up rules to that effect before there's a big scandal or problem.