The Fourth Amendment and the Cloud

CNET has up a blog post examining the question: does the Fourth Amendment apply to data stored in the Cloud? The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world, but its application to electronic communications and computing lags behind. The post's argument outlines a law review article (PDF) from a University of Minnesota law student, David A. Couillard. "Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud...encryption is not simply a virtual lock and key; it is virtual opacity. ... [T]he service provider has a copy of the keys to a user's cloud 'storage unit,' much like a landlord or storage locker owner has keys to a tenant's space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space. The same rationale should apply to the cloud." We might wish that the courts interpreted Fourth Amendment rights in this way, but so far they have not.

US Border Laptop Searches

[naz404]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

Re:US Border Laptop Searches

[FinchWorld]

The US is getting to the point were one should just ask "Does the Fourth Amendment apply anywhere now?".

Re:US Border Laptop Searches

[Calinous]

When you are a foreign citizen, searching laptops, personal electronic devices and so on is just a prerequisite for entering the country (if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop).
      I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens)

Remember that searching personal effects is rarely done, but entirely normal in border posts

Re:US Border Laptop Searches

[Tim+C]

if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop

Need? Want I can see, and I appreciate that submitting to the search is a condition of being granted entry, but I really don't see where the need comes from.

I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens)

So they can't refuse you entry; surely (assuming the law permits it) they can have you arrested and possibly charged for failing to comply?

Re:US Border Laptop Searches

[Attila+Dimedici]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

The logic has never applied when entering U.S. borders (or any other country for that matter). Searches that would be disallowed within the country have been ruled by the Supreme Court as allowed since the founding of the country. The people who wrote the Fourth Amendment did not question such border searches, which makes it hard to argue today that the Fourth Amendment was intended to apply.

Re:US Border Laptop Searches

[L4t3r4lu5]

They don't need to search my laptop at all. No picture, document, executable, or video on my laptop is a risk to the aircraft or any person on that aircraft.

The legality of the contents of the laptop can be contested if I am arrested within the US and the laptop seized as evidence. Until that point, that laptop is a sealed envelope; X-ray and perform a cursory physical examination all you like to ensure that it is a laptop computer, but like the documents inside the envelope, the content of the disk is not subject to being examined or duplicated.

Re:US Border Laptop Searches

[MrNaz]

I see your point and raise you a generalization; The US is getting to the point where one should just ask "do any of the amendments apply now?".

Re:US Border Laptop Searches

[MrNaz]

Hmm... perhaps you could just put your laptop in an envelope. I wonder if that would work.

Re:US Border Laptop Searches

[eln]

The Fourth Amendment has long been held to apply to all people under US jurisdiction, whether citizens or not. However, as stated by another reply to your post, the Supreme Court has ruled, rightly or wrongly, that it does not apply to border searches. So, by current law, the government is within its rights to search you at the border regardless of your citizenship status.

It's a fallacy to state that the rights outlined in the Constitution (particularly the Bill of Rights) are granted only to citizens. The Constitution makes distinctions between "citizens" and "persons" all over the place. When the Constitution refers to "persons" or "people" (as it does in the fourth amendment), it is referring to ALL people, citizen or not. The founders believed in the concept of inalienable rights, which are rights granted to all people (or at least all white males in their day) by their Creator. The purpose of enumerating some of the more important of those rights in the Constitution was not to grant them, but to prevent the government from infringing on them.

How much the government has infringed on them anyway is, of course, a matter of much debate.

Re:US Border Laptop Searches

[dollargonzo]

I think an easier way to look at it is that it applies to the government, in that the articles place restrictions on what agents of the government can and cannot it. e.g.:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated"

...by the government

Re:US Border Laptop Searches

[Animaether]

if you don't want your laptops to be searched, /you are free to leave/, but if you want to enter we need to search your laptop

(emphasis mine)
You don't honestly think that, do you?

I think you meant "you are free not to come here in the first place".

Re:US Border Laptop Searches

[31415926535897]

Yes, the one where the federal government gets to levy individual income tax.

Re:US Border Laptop Searches

[dkleinsc]

In the case of the Third Amendment, in its one and only significant use, it was upheld:
http://en.wikipedia.org/wiki/Engblom_v._Carey

It's very simple

[Shrike82]

If you want your data to be safe,especially when you plan to store it online in this new-fangled cloud thing, then encrypt it. You can't trust a service provider to stand up to a government access order, and you can't rely on the security of a storage system that you didn't make yourself.

Be responsible for your own data privacy instead of relying on an ambiguous interpretation of an ammendment written before the days of digital data.

Re:It's very simple

[khallow]

Like cracking the encryption will take long.

Using good encryption means the task is virtually impossible (even for someone like the NSA) unless they make a lucky guess or obtain the code key (via theft or subpoena).

Re:It's very simple

[jimicus]

http://xkcd.com/538/

Security is NOT an issue with The Cloud.

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud.

[L4t3r4lu5]

You'll want to upscale the downstream synergies of a Cloud Services 2.0 deployment to be an enabler of Top-Tier Blue-Sky processes to your Crowd-sourced resources. Otherwise you'll not be utilising the future-thinking operational motivators of time-shift market deployments, and that can seriously anti-creationalise your interstabularistic practicalularisation performocarbunkle cheesewozzles.

Hosting countries

And if the data center is in another country, would the 4th Amendment apply there?

If so, how would you enforce it? Soldiers with machine guns show up, grab all of your data, crack the encryption, and take what they want. And you'll do exactly what?

The data is gone and seen, so you're screwed. And even if you have super duper one hundred billion bit encryption, your data center and data are gone. So, you have up to the second back-ups?

Other than cost, I see no upside to cloud computing.

Re:Hosting countries

[betterunixthanunix]

"crack the encryption"

That is really nowhere near as easy as you make it sound, at least not with any modern cipher. Even the NSA, with the most vast computing resources in the entire world, would have a lot of difficulty cracking AES or Serpent, barring some completely novel attack that has eluded the crypto research community thus far.

If you want to break someone's crypto, you should not even think about attacking it directly. You should think about attacking the person, or at least planting recording devices in their home or on their computer, so that you can get the secret key. If a foreign government wanted to do this, they would have to either commit an act of war by attacking a US citizen on US soil, or wait until you enter their country and kidnap you (or if you bring your computer with you, plant a recording device or software).

The Fourth Amendment became a quaint notion

[Ellis+D.+Tripp]

at the point when urine drug testing was mandated by the government for any company receiving government contracts. You know back in the days of Ronnie Raygun and the "Just Say No" crusades?

If you aren't secure against government searches OF YOUR OWN BODILY FLUIDS, do you really think that they will respect your right of privacy regarding some random 1s and 0s stored on a private corporation's computers somewhere?

Part of the problem...

[Alarindris]

The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world

Electrons in computers ARE part of the physical world.
Stop conceding that is it different!

IT'S NOT!

I have no problem testing my pee

[L4t3r4lu5]

They can scoop some out of the bowl when I'm done having my Morning Glory, if they're that bothered about how much I had to drink last night.

They can also just ask me. The answer is "If you haven't brought me some black coffee and dry toast in 5 minutes, I'm barfing on your shoes."

Dumb idea anyhow.

[lancejjj]

[T]he service provider has a copy of the keys to a user's cloud 'storage unit'

Why the hell would I want to give a copy of the keys to the service provider?

Just because you use the cloud to store bits of data doesn't mean that you'd want to store unencrypted bits of data there. Those that do risk distribution of your unencrypted data via a multitude of channels, including but certainly not limited to:

• Cloud configuration errors
• Service Policy changes
• Service Security failures
• Data theft by administrators
• Service scanning and reselling of your data

Why would anyone hand the keys to all their important data to a 3rd party that they don't personally know? Just because they're under a contract with that 3rd party? A contract drawn up exclusively by that 3rd party? With clauses designed to exclusively to protect that 3rd party?

Re:Dumb idea anyhow.

[Zerth]

Seriously, if you are going to do something important in the cloud, get data storage from a different cloud than the one you use for processing.

Even better, have the data only exist in an unencrypted form while it is in use on the zero-storage processing cloud and run the keyserver in a third location. Preferably somewhere you'd notice when the cops break the door.

The 4th amendment grants government.

[tjstork]

It is worth noting that under the Constitution, there is no federal power to search or seize, at all. Thus people who say that the 4th amendment doesn't list something as protected, like a computer file, miss that point. The 4th amendment is that the government is allowed to search mail, with a warrant, and nothing else.

Re:The 4th amendment grants government.

[edittard]

The actual text would appear to disagree.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The last bit seems to list a set of preconditions which, if met, do allow it.

Re:The 4th amendment grants government.

[tjstork]

The last bit seems to list a set of preconditions which, if met, do allow it.

Read this, and then you will see.

http://www.amazon.com/Republic-Letters-Correspondence-Between-Jefferson/dp/039303691X/ref=sr_1_3?ie=UTF8&s=books&qid=1263914845&sr=8-3

Uh not so fast.

[Geofferic]

This post starts with a false statement. 4th amendment rights are not well settled. They've been challenged and altered repeatedly within the last decade.

Only in america

[petes_PoV]

US freedoms, protections and liberties only apply within US borders. If you put your data in "the cloud" is there any guarantee that your data will stay with US borders, or is it free to float (as clouds do) to any other geographic location.

Specifically, would it be wise to assume that all, or any, backups will only be taken in america, or that the data won't get routed to or through another country.?

It's a big world out there and the USA is only a small part of it.

Stop insult people's intelligence

[Yvanhoe]

A bit offtopic but I think it is important for lawmakers : stop doing analogies. Cryptography does not work like a lock or like an opaque case, owning cryptographic keys does not make you the landlord of anything. Cryptography works by taking a clear message and a key and mix them in a way that produces a seemingly random information but that can be made sense of thanks to the decoding key and the decoding algorithm. It is not that hard to understand. It requires 30 secondes of focus to understand and twenty minutes of thinking about and around, and you have understood the basis of crypto.

Dear lawmakers, please make laws about cryptography, not about analogies of cryptography if you don't want me to just be an analogy of a law abiding citizen.

Thanks.

Donate to the EFF

[Blackbrain]

This is exactly why I donate to the Electronic Frontier Foundation every year. Until these rights are tested for the 'new' electronic medium in a court of law, we need a lobby group dedicated to securing them.