The Fourth Amendment to the U.S. Constitution protects our private telephone conversations—but it took nearly a century after the invention of the telephone for the Supreme Court to recognize that.
Now the question is whether and how the Fourth Amendment should cover another new invention that involves private communications as well as data: cloud computing.
The Fourth Amendment was designed to protect citizens against warrantless searches and seizures. Specifically, it states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
However, there is an exception to the Fourth Amendment, called the "third-party doctrine," which contends that a person can't expect privacy when information is disclosed to a third party—such as, arguably, a cloud services provider. Currently the government can search information stored in the cloud and keep the search under gag order, sometimes indefinitely.
This raises important questions for all businesses, including healthcare organizations, that store sensitive data in the cloud. Is the data you manage safe? Can you promise your consumers and your patients that their information will be kept private? And are you prepared to explain to consumers and patients (if not prevented by gag order) that their data has been copied, read, or seized by the government?
Microsoft leads the fight
Companies such as Microsoft that provide cloud services are deeply concerned that customers’ cloud data may not be protected from the “unreasonable searches and seizures” described in the Fourth Amendment.
In response to these concerns, Microsoft has moved its cloud services to data centers in Germany, where privacy protections are stronger than in the U.S. To further ensure that Microsoft will have extremely limited access to its customer data, the company is handing over the physical and logical keys to the cloud to a German company called T-Systems, which will act as the data trustee.
To understand why Microsoft chose to move its data to a country in the EU, it’s helpful to remember that the Court of Justice of the EU struck down the so-called Safe Harbor agreement in October 2015. In effect, the court ruled that the agreement did not provide the eponymous “safe harbor” to personal data of EU citizens. In fact, under Safe Harbor, U.S. government authorities maintained unfettered access to the data, and EU citizens lacked legal protection or recourse.
Four months after the Safe Harbor agreement was struck down, a replacement framework called the Privacy Shield was announced in February 2016. The Privacy Shield is designed to “protect the fundamental rights of Europeans where their data is transferred to the U.S. and ensure legal certainty for businesses.” It includes higher standards and obligations for U.S. companies to protect the personal data of Europeans, and it requires stronger monitoring and enforcement by U.S. and EU agencies.
Microsoft is also waging its fight for greater privacy protections and transparency in a lawsuit against the U.S. government. The lawsuit argues that Microsoft should have the right to tell its customers when a federal agency is looking at their emails and other documents. With wiretaps and other traditional searches, the government is typically required to notify people that they have been searched. But right now the U.S. government can request indefinite gag orders on the warrants they issue for suspects’ emails.
According to Microsoft’s lawsuit, over the past 18 months, the government has forced the company to comply with more than 5,600 legal demands, nearly half involving gag orders, and 1,752 of them involving indefinite gag orders. The lawsuit focuses specifically on access to data stored on remote servers.
“People do not give up their rights when they move their private information from physical storage to the cloud,” debate about the proper level of privacy for cloud data is playing out in Congress and the courts, as well as in a bill that would require law enforcement officials to obtain a warrant before using so-called “StingRay” devices that track individuals by the cellphone towers to which their phones connect. Ted Poe (R-Texas) The pumping station via photopin