The ACLU of Northern California has released an issue paper, “Cloud Computing: Storm Warning for Privacy?” The group says this is the first in a series of issue papers discussing the implications for individuals of new technology trends. (For more on cloud computing, here’s a previous post about the privacy implications.) From the introduction:
“Cloud computing” services—tools accessed via the Internet that allow consumers to create, edit, and store documents (such as private photos and videos, calendars and address books, diaries and journals, and budgets and financial spreadsheets) online—are growing in popularity as Internet speeds increase and the cost of data storage drops. Companies are offering a wide range of cloud computing services, ranging from “free” basic applications for the general public to sophisticated and well-supported services designed for corporations and even governments. Many popular offline applications, including Microsoft Office and Adobe Photoshop, now offer cloud computing editions with familiar interfaces. Other tools allow consumers to “drag and drop” files to or from online storage exactly as though the storage site were just another folder or hard drive. Once documents are online, consumers can access and share them from any Internet-enabled device. From the consumer perspective, cloud computing services make the transition from offline to online activities increasingly seamless.
Unfortunately, while consumers can easily carry their information into the cloud, the privacy protections for that personal information may not transition as easily. The Fourth Amendment requires law enforcement officials to obtain a warrant from a judge before entering a person’s home and searching her file cabinet or computer hard drive for documents and related information, but courts have yet to definitively determine how these privacy protections apply to cloud computing documents. Furthermore, many existing privacy statutes were written decades ago and may not apply to documents stored with online services like cloud computing that were not anticipated when these laws were drafted. In addition, when documents are stored in a filing cabinet or on a home computer, the owner of the documents often has the opportunity to challenge a demand to hand over those documents—but a cloud computing service may not have the ability or incentive to resist such demands or even to notify the document owner if her documents are demanded by a third party.
As cloud computing becomes increasingly popular and the boundary between personal devices and the Internet “cloud” becomes less meaningful, consumers and companies alike will benefit from protections that ensure that documents created and stored using cloud computing services carry the same rights and protections as documents created or stored elsewhere. These rights and protections will preserve the privacy of consumers, strengthen loyalty and trust in cloud computing services, prevent costly litigation, and encourage the use of beneficial technologies like cloud computing to create, edit, share, and store documents.
Part I of this paper provides background information on cloud computing. Part II examines the privacy concerns that arise from the use of cloud computing services and Part III surveys the current state of privacy protections for consumers of these services. Finally, Part IV identifies opportunities for legal, technological, and social mechanisms to be reinforced so that Internet consumers are not forced to lose control of their information when they use cloud computing services.
In several areas of the paper we have more questions than answers. It is our hope that this issue paper will help to support a robust conversation between consumers, businesses, and policymakers to address these important questions about cloud computing and develop plans to address potential gaps in the existing legal framework for protecting privacy and freedom of expression.