According to Robert Gellman, a user’s privacy and confidentiality risks are “magnified when the cloud provider has reserved the right to change its terms and policies at will” (Gellman 6).
The location of data is vital in determining what type of protection and how much protection is provided to the party that processes or stores the data. Gellman states in Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing,
“Any information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located” (7).
However, legal complications arise when cloud providers decide to store data in different locations at the same time without notifying their users. Since there are no explicit laws that regulate cloud computing services, cloud providers are not required to notify their users. In addition, since data can be located at more than one legal location at the same time, the situation becomes complicated when the data is subject to the law.
The terms of service should state the amount of time the user should have access to the services. Generally, the user would have access until he decides to end his service with the cloud provider. However, it is important to note that the terms of service could give the cloud provider permission to terminate services to a user at any time.
In addition, the terms of service may give the cloud provider various rights, including “the right to copy, use, change, publish, display, distribute, and share with affiliates or with the world the user’s information” (17).
Interpretation and Application of Current Laws
Current Laws and Relevant Court Cases
Although there are currently no laws restricting users from sharing information with cloud providers, users need to understand that information released to third parties, such as cloud providers, does not have as much protection as information that users keep private themselves. Therefore, it may sometimes be a lot easier for government agencies and private litigants to procure information about users without notifying the users themselves. Several court cases, such as United States v. Miller and State v. Bellar, are relevant to cloud computing. In addition, the Electronic Communications Privacy Act (ECPA) will be discussed briefly in terms of its relevance to cloud computing.
United States v. Miller
This court case is an example of how the government can initially bypass the law by obtaining evidence from third parties. In this case, the government obtained evidence against Miller for several federal crimes through banks via subpoenas. Miller argued that the government violated his Fourth Amendment rights by obtaining information from his bank. However, the Court dismissed that claim.
Although Congress later overturned part of the Supreme Court’s decision, this case is still vital in showing how little protection there is for information disclosed by third parties.
According to Gellman, “the case stands generally for the proposition that an individual’s personal records held by a third party does not have the same constitutional privacy protection as applies to the same record held by the individual” (12).
State v. Bellar
In a recent appeal in Oregon, the defendant, Bellar, argued for a motion to suppress evidence in his prosecution on 40 counts of encouraging child sexual abuse. Although this example does not involve cloud computing directly, it briefly mentions how current methods of data storage may not be covered by current laws but should still be protected for the privacy of the data owner (Legal Implications of Cloud Computing). The court’s dissent is as follows:
“Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else” (STATE OF OREGON v. DONALD LEE BELLAR).
Electronic Communications Privacy Act (ECPA)
As we have learned in class, the Electronic Communications Privacy Act (ECPA) provides some privacy protection against government access to electronic mail held by third parties. However, with emerging technologies in data storage, the court has been having trouble determining whether or not the ECPA applies in certain circumstances. This is best represented by the case of United States v. Miller, in which the court decided that there is no privacy protection of data shared with others by third parties. Robert Gellman listed some factors that could play a big role in determining the proper application of the ECPA in his World Privacy Forum report. They are as follows:
- The precise characterization of the activity as a communication or as storage (which itself may come in several flavors), complicated by the recognition that an activity can move from being a communication to being a stored communication depending on time and possibly other factors,
- Whether the information in question is content or non-content (e.g., header or transaction information),
- The nature of the service, e.g., whether it is an electronic communication service or a remote computing service,
- The terms of service established by the cloud provider,
- Any consent that the user has granted to the provider or others,
- The identity of the service provider, for example, if the cloud provider is itself a government agency, the provider’s obligation would be different from those of a nongovernmental cloud provider, and the rights of users would also be different. (Gellman 13)
It is unpredictable whether or not there will be definitive conditions that will make the court’s decisions on data disclosed by third parties to government agencies more pronounced in the future. However, we as well as other experts in the IT Security field feel that there will be more and more court cases or legality-related situations relevant to cloud computing in the near future. We will just have to wait and see how the court will react to these situations, which will affect many of our privacy concerns.
Gellman, Robert. “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing.” World Privacy Forum | Home. 23 Feb. 2009. Web. 6 Apr. 2010. <http://www.worldprivacyforum.org/cloudprivacy.html>.
"Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence) : Info Law Group." Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law. Nov. 2009. Web. 6 Apr. 2010. <http://www.infolawgroup.com/2009/11/articles/cloud-computing-1/legal-implications-of-cloud-computing-part-four-ediscovery-and-digital-evidence/>.
STATE OF OREGON v. DONALD LEE BELLAR. THE COURT OF APPEALS OF THE STATE OF OREGON. 30 Sept. 2009. <http://www.publications.ojd.state.or.us/A129493.htm>.