Privacy protections vary for your data in the cloud
With the advent of Google Drive, we talk about cloud computing as if the bits and bytes of our lives are stored somewhere up in the air, but, really, the “clouds” are very terrestrial.
What’s more up in the air are the laws that govern who can access your stuff and how.
Originally a way for geeks to explain to the rest of us the notion of remote servers storing and serving up content, cloud computing can be defined several ways, depending on whom you ask. In some ways, even email is a form of cloud computing. (It really lives on a server somewhere out there and is served up wherever we desire.)
“The problem that cloud computing has, more generally, is that [the real world] assumes that rights are based geographically,” said Mark Radcliffe, senior partner at law firm DLA Piper. “That assumption is not realistic in the cloud.”
The servers may be in the United States, governed by American laws. Or they may be across the pond in Europe, where there are rather stringent privacy rules. Regardless of where the company is based, the location of the servers determines in some large part who can legally gain access to the content on them and how.
“The U.S. is more like the Wild West,” Radcliffe said. “It’s very heterogeneous,” with laws at the federal, state and sometimes the municipal level.
One concern some have expressed is how law enforcement could gain access to your digital life stored in a cloud.
With a computer in your home, you’d have to be served a warrant for legal access to your hard drive. But with remote storage, you may not know whether a subpoena or warrant has been served on the cloud service provider.
“Law enforcement can subpoena the service, but it depends on their contractual obligation,” Radcliffe said. In other words, what the companies spell out in their terms of service. Always remember, that’s a contract that you agree to by using the service.
All of the services include a clause expressing that they will act in accordance with legal requests for account information. Most have no specific mention of whether they would inform you, though.
“Like all law-abiding companies, we comply with valid legal process,” replied a Google spokesman. “Whenever we receive a request we make sure it meets both the letter and spirit of the law before complying.”
Similarly, business-focused cloud service Box replied to our query saying, “Our policy is to have any subpoena or court order reviewed by our outside privacy experts.”
The more pressing issue for some has been whether the companies are obligated in any way to tell the user that someone with a badge or authority wants to get a look at his or her content. The only instance The Times could find of this being addressed was in Dropbox’s terms of service.
It reads: “To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.”
The Dropbox privacy policy section on compliance with laws and law enforcement, like most others, does say the company may disclose information it collects when there is a “good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) protect Dropbox’s property rights.”
When The Times asked Dropbox for a bit more clarity, the company issued this response: “Our policy is to provide notice to users about law-enforcement demands for data, except in the event where the law or highly compelling circumstances prohibit us from doing so.”
Cloud service providers Box and Google also responded that they would notify affected users, “when possible and legal to do so.” We did reach out to Apple about its iCloud service and are awaiting a reply.
Something for the privacy-conscious to note is that, generally, if you encrypt your stuff before storing it remotely, the company can’t undo that — but law enforcement may, of course.
So, the obligation to inform varies by company and the rules in general vary by jurisdiction. That’s a lot of variation to process.
Radcliffe said, “I think what’s going to happen over time, as more and more of these issues come up, people are going to demand more of these things and the terms will vary over time.”
Jeff Fowler, a partner at law firm O’Melveny & Myers, said that until the law catches up, a consumer really needs to be a good self-advocate, keeping track of terms of service and privacy policies.
“There is no easy way to wrap your arms around a cloud,” Fowler said. “The name is quite fitting. It will require a lot of creative thinking over the next few years.”
