The Fourth Amendment to the U.S. Constitution protects our private telephone conversations—but it took nearly a century after the invention of the telephone for the Supreme Court to recognize that. 

Now the question is whether and how the Fourth Amendment should cover another new invention that involves private communications as well as data: cloud computing.

The Fourth Amendment was designed to protect citizens against warrantless searches and seizures. Specifically, it states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

However, there is an exception to the Fourth Amendment, called the "third-party doctrine," which contends that a person can't expect privacy when information is disclosed to a third party—such as, arguably, a cloud services provider. Currently the government can search information stored in the cloud and keep the search under gag order, sometimes indefinitely.

This raises important questions for all businesses, including healthcare organizations, that store sensitive data in the cloud. Is the data you manage safe? Can you promise your consumers and your patients that their information will be kept private? And are you prepared to explain to consumers and patients (if not prevented by gag order) that their data has been copied, read, or seized by the government?

Microsoft leads the fight

Companies such as Microsoft that provide cloud services are deeply concerned that customers’ cloud data may not be protected from the “unreasonable searches and seizures” described in the Fourth Amendment.

In response to these concerns, Microsoft has moved its cloud services to data centers in Germany, where privacy protections are stronger than in the U.S. To further ensure that Microsoft will have extremely limited access to its customer data, the company is handing over the physical and logical keys to the cloud to a German company called T-Systems, which will act as the data trustee.

To understand why Microsoft chose to move its data to a country in the EU, it’s helpful to remember that the Court of Justice of the EU struck down the so-called Safe Harbor agreement in October 2015. In effect, the court ruled that the agreement did not provide the eponymous “safe harbor” to personal data of EU citizens. In fact, under Safe Harbor, U.S. government authorities maintained unfettered access to the data, and EU citizens lacked legal protection or recourse.

Four months after the Safe Harbor agreement was struck down, a replacement framework called the Privacy Shield was announced in February 2016. The Privacy Shield is designed to “protect the fundamental rights of Europeans where their data is transferred to the U.S. and ensure legal certainty for businesses.” It includes higher standards and obligations for U.S. companies to protect the personal data of Europeans, and it requires stronger monitoring and enforcement by U.S. and EU agencies. 

Microsoft is also waging its fight for greater privacy protections and transparency in a lawsuit against the U.S. government. The lawsuit argues that Microsoft should have the right to tell its customers when a federal agency is looking at their emails and other documents. With wiretaps and other traditional searches, the government is typically required to notify people that they have been searched. But right now the U.S. government can request indefinite gag orders on the warrants they issue for suspects’ emails.

According to Microsoft’s lawsuit, over the past 18 months, the government has forced the company to comply with more than 5,600 legal demands, nearly half involving gag orders, and 1,752 of them involving indefinite gag orders. The lawsuit focuses specifically on access to data stored on remote servers.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft states in its filings, adding that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

What is the appropriate level of privacy? The debate continues

The debate about the proper level of privacy for cloud data is playing out in Congress and the courts, as well as in continuing arguments about Privacy Shield. Right now Congress is considering passage of the Email Privacy Act, which would amend the Electronic Communications Privacy Act of 1986. Companies including Amazon, Apple, eBay, Google, Intel, Microsoft, and Twitter have asked Congress to update ECPA.

The Email Privacy Act would require that law enforcement obtain a warrant before demanding that a technology company provide the content of customer communications, including emails as well as information stored on the cloud. Currently law enforcement only needs a subpoena to access electronic communications that are more than 180 days old.

In May 2016, five bipartisan members of the U.S. House of Representatives signed on to a bill that would require law enforcement officials to obtain a warrant before using so-called “StingRay” devices that track individuals by the cellphone towers to which their phones connect. Ted Poe (R-Texas) argued in a statement that, “Americans have the right to privacy, regardless if the information is in the cloud, our computers or in our cellphones.”

The problem is that as the debate continues — as it likely will for many months and even years to come — companies that store sensitive data in the cloud have to wonder whether that data is private and secure. How should healthcare and other companies that store vast amounts of private data in the cloud respond?

Removing all data from the cloud is likely too difficult and expensive to consider, and it would only return companies to the traditional security and financial challenges of on-premises data storage. An alternative would be to rely solely on cloud services providers like Microsoft that store data in the EU. While the debate rages on about how protected the cloud should be from government intrusion, that may be a move worth making.

photo credit: The pumping station via photopin (license)