Cloud Computing: Constitutional and Statutory Privacy Protections (CRS Report for Congress)
Release Date: March 22, 2013
Report Number: R43015
Report Type: Report
Authors: Richard M. Thompson II, Legislative Attorney
Source Agency: Congressional Research Service
Summary:
Cloud computing is fast becoming an integral part of how we communicate with one another, buy music, share photos, conduct business, pay our bills, shop, and bank. Many of the activities that once occurred solely in the physical world, including communications with one another, are increasingly moving to the digital world. What was once a letter to a friend is now a Facebook message; a call to a loved one is now a Skype chat; a private meeting with a business partner is now a video conference call. In short, the cloud is revolutionizing not only how we compute, but also how we live. Where individuals once locked personal or business papers solely in a desk drawer or filing cabinet, they now also store them on someone else's computer.
Cloud computing is a web-based service that allows users to access anything from e-mail to social media on a third-party computer. For instance, Gmail and Yahoo are cloud-based e-mail services that allow users to access and store e-mails that are saved on each respective service's computer, rather than on the individual's computer. As more communications are facilitated through these cloud-based programs, it is no surprise that government and law enforcement would seek to access this stored information to conduct criminal investigations, prevent cyber threats, and thwart terrorist attacks, among other purposes. This prompts the following questions: (1) What legal protections are in place for information shared and stored in the cloud? (2) What legal process must the government follow to obtain this information? and (3) How do these rules differ from those applied in the physical world?
Protections of communications in the physical world flow from the Fourth Amendment and various federal statutes such as the Electronic Communications Privacy Act of 1986 (ECPA), which includes the Stored Communications Act (SCA). Under the Fourth Amendment, government officials are generally prohibited from accessing an individual's communication, such as tapping into a telephone call or opening a postal letter, without first obtaining judicial approval. In the digital world, courts have by and large required law enforcement to acquire a warrant before accessing the contents of electronic communications, but have permitted law enforcement to access non-content information such as routing data with lesser process. These cases do not seem to distinguish between cloud-based and traditional forms of Internet services.
Federal courts have applied the SCA to various electronic communications including e-mails, messages sent on social networking sites like Facebook and MySpace, and movies posted on video-sharing sites like YouTube. The process for obtaining these communications under the SCA depends on how long the information has been stored with the service provider and how the provider is classified under the SCA. The relatively few cases dealing with cloud computing have required lesser legal process for accessing electronic communications sent via cloud-based services than for traditional forms of Internet computing.
In light of this rapidly changing technology, there have been several legislative proposals to augment the Fourth Amendment's protections for digital communications and update existing statutory protections like the SCA for information shared and stored in the cloud.