
The Fourth Amendment and the Cloud

Posted by kdawson
from the reasonable-expectation dept.
CNET has up a blog post examining the question: does the Fourth Amendment apply to data stored in the Cloud? The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world, but its application to electronic communications and computing lags behind. The post's argument outlines a law review article (PDF) from a University of Minnesota law student, David A. Couillard. "Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud...encryption is not simply a virtual lock and key; it is virtual opacity. ... [T]he service provider has a copy of the keys to a user's cloud 'storage unit,' much like a landlord or storage locker owner has keys to a tenant's space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space. The same rationale should apply to the cloud." We might wish that the courts interpreted Fourth Amendment rights in this way, but so far they have not.
  • by naz404 (1282810) on Tuesday January 19, 2010 @08:13AM (#30818300) Homepage
    Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.
    • by FinchWorld (845331) on Tuesday January 19, 2010 @08:16AM (#30818316) Homepage
      The US is getting to the point where one should just ask "Does the Fourth Amendment apply anywhere now?".
    • by Calinous (985536) on Tuesday January 19, 2010 @08:17AM (#30818332)

      When you are a foreign citizen, searching laptops, personal electronic devices and so on is just a prerequisite for entering the country (if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop).
      I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens).

      Remember that searching personal effects is rarely done, but entirely normal in border posts

      • Re: (Score:3, Insightful)

        by Tim C (15259)

        if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop

        Need? Want I can see, and I appreciate that submitting to the search is a condition of being granted entry, but I really don't see where the need comes from.

        I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens)

        So they can't refuse you entry; surely (assuming the law permits it) they can have you arrested and poss

      • by L4t3r4lu5 (1216702) on Tuesday January 19, 2010 @08:38AM (#30818434)
        They don't need to search my laptop at all. No picture, document, executable, or video on my laptop is a risk to the aircraft or any person on that aircraft.

        The legality of the contents of the laptop can be contested if I am arrested within the US and the laptop seized as evidence. Until that point, that laptop is a sealed envelope; X-ray and perform a cursory physical examination all you like to ensure that it is a laptop computer, but like the documents inside the envelope, the content of the disk is not subject to being examined or duplicated.
        • Re: (Score:3, Interesting)

          by MrNaz (730548) *

          Hmm... perhaps you could just put your laptop in an envelope. I wonder if that would work.

        • by Kjella (173770)

          Try applying that to say, driving across the border where you're no more a hazard than anywhere else on the road. Right or wrong, countries have asserted the right to search anyone and anything on the border before letting them into the country.

      • I don't know how this can be related to US citizens

        You don't say it explicitly, but I get the feeling that you believe the Bill of Rights and the other rights enumerated in the US Constitution only apply to US Citizens. If so, I urge you and others that believe this to take a closer look at the document. The Founders were extremely careful and deliberate. If it were the case surely the Preamble would begin "We the citizens...." It does not.

      • by eln (21727) on Tuesday January 19, 2010 @09:43AM (#30819052) Homepage
        The Fourth Amendment has long been held to apply to all people under US jurisdiction, whether citizens or not. However, as stated by another reply to your post, the Supreme Court has ruled, rightly or wrongly, that it does not apply to border searches. So, by current law, the government is within its rights to search you at the border regardless of your citizenship status.

        It's a fallacy to state that the rights outlined in the Constitution (particularly the Bill of Rights) are granted only to citizens. The Constitution makes distinctions between "citizens" and "persons" all over the place. When the Constitution refers to "persons" or "people" (as it does in the fourth amendment), it is referring to ALL people, citizen or not. The founders believed in the concept of inalienable rights, which are rights granted to all people (or at least all white males in their day) by their Creator. The purpose of enumerating some of the more important of those rights in the Constitution was not to grant them, but to prevent the government from infringing on them.

        How much the government has infringed on them anyway is, of course, a matter of much debate.
        • by dollargonzo (519030) on Tuesday January 19, 2010 @09:53AM (#30819152) Homepage
          I think an easier way to look at it is that it applies to the government, in that the articles place restrictions on what agents of the government can and cannot do. e.g.:

          "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated"

          ...by the government
        • The Fourth Amendment has long been held to apply to all people under US jurisdiction, whether citizens or not. However, as stated by another reply to your post, the Supreme Court has ruled, rightly or wrongly, that it does not apply to border searches. So, by current law, the government is within its rights to search you at the border regardless of your citizenship status. It's a fallacy to state that the rights outlined in the Constitution (particularly the Bill of Rights) are granted only to citizens. The Constitution makes distinctions between "citizens" and "persons" all over the place. When the Constitution refers to "persons" or "people" (as it does in the fourth amendment), it is referring to ALL people, citizen or not. The founders believed in the concept of inalienable rights, which are rights granted to all people (or at least all white males in their day) by their Creator. The purpose of enumerating some of the more important of those rights in the Constitution was not to grant them, but to prevent the government from infringing on them.

          Isn't it amazing that 218 years later even "activist judges" would consider the constitution a radical document with respect to "inalienable rights"? I fear that reflects more on the current society than on the wisdom of the founding fathers.

      • Re: (Score:3, Insightful)

        by Animaether (411575)

        if you don't want your laptops to be searched, /you are free to leave/, but if you want to enter we need to search your laptop

        (emphasis mine)
        You don't honestly think that, do you?

        I think you meant "you are free not to come here in the first place".

    • by Attila Dimedici (1036002) on Tuesday January 19, 2010 @08:28AM (#30818384)

      Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

      The logic has never applied when entering U.S. borders (or any other country for that matter). Searches that would be disallowed within the country have been ruled by the Supreme Court as allowed since the founding of the country. The people who wrote the Fourth Amendment did not question such border searches, which makes it hard to argue today that the Fourth Amendment was intended to apply.

    • by alen (225700)

      being searched at any border crossing in almost any country is normal. if you want to enter a country you have to agree to a search if they ask. same applies in the free loving europe as well. when i was in the military and we would return to the US after a deployment, they would take every 10th person and tear apart their stuff looking for contraband.

    • Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

      Not really - at least not for US citizens, IMHO. Non-citizens are requesting to enter the country, a prerequisite to such permission is to search items being brought in. You should be able to refuse a search and leave on the next flight; entrance is not a right. It's the same traveling to any country; you either meet their entrance requirements or don't enter.

    • by Eskarel (565631)

      Not that I'm agreeing with the laptop searches, but borders are funny places and the usual rules don't always apply. Customs officials can already search your belongings and/or your person (including rather invasive search procedures) with very little cause and certainly without a warrant. If they couldn't they couldn't do their jobs. To use the example from the summary, if you walk through customs with your locked briefcase you're expected to open it if they ask you. If it contained your confidential medica

    • by Dan541 (1032000)

      My hard drive is full of what appears to be random data. Search away.

  • It's very simple (Score:5, Insightful)

    by Shrike82 (1471633) on Tuesday January 19, 2010 @08:16AM (#30818320)

    If you want your data to be safe, especially when you plan to store it online in this new-fangled cloud thing, then encrypt it. You can't trust a service provider to stand up to a government access order, and you can't rely on the security of a storage system that you didn't make yourself.

    Be responsible for your own data privacy instead of relying on an ambiguous interpretation of an amendment written before the days of digital data.

  • by Anonymous Coward on Tuesday January 19, 2010 @08:17AM (#30818328)

    Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

    The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

    And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

    My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

    • by L4t3r4lu5 (1216702) on Tuesday January 19, 2010 @08:47AM (#30818512)
      You'll want to upscale the downstream synergies of a Cloud Services 2.0 deployment to be an enabler of Top-Tier Blue-Sky processes to your Crowd-sourced resources. Otherwise you'll not be utilising the future-thinking operational motivators of time-shift market deployments, and that can seriously anti-creationalise your interstabularistic practicalularisation performocarbunkle cheesewozzles.
      • by 2names (531755)
        "Practicalularisation" is not a word, dumbass.
      • by Daimanta (1140543)

        "Otherwise you'll not be utilising the future-thinking operational motivators of time-shift market deployments, and that can seriously anti-creationalise your interstabularistic practicalularisation performocarbunkle cheesewozzles."

        Won't someone please think of the cheesewozzles!

  • Hosting countries (Score:5, Insightful)

    by Anonymous Coward on Tuesday January 19, 2010 @08:19AM (#30818338)

    And if the data center is in another country, would the 4th Amendment apply there?

    If so, how would you enforce it? Soldiers with machine guns show up, grab all of your data, crack the encryption, and take what they want. And you'll do exactly what?

    The data is gone and seen, so you're screwed. And even if you have super duper one hundred billion bit encryption, your data center and data are gone. So, you have up to the second back-ups?

    Other than cost, I see no upside to cloud computing.

    • by IBBoard (1128019)

      Or any law on the Internet, for that matter. I'm in the UK but the servers I rent are in the US, so I'm aware that the American government may have no qualms at all about implementing their (stupid or otherwise) legislation on my site and it is reasonable enough, since that is where the server sits.

      The problem comes if I had a server in the UK and they try the same thing - they'll sure as hell feel that they have a right to enforce their laws (because it is relevant to an American citizen, damnit) but if my

    • Re: (Score:3, Interesting)

      "crack the encryption"

      That is really nowhere near as easy as you make it sound, at least not with any modern cipher. Even the NSA, with the most vast computing resources in the entire world, would have a lot of difficulty cracking AES or Serpent, barring some completely novel attack that has eluded the crypto research community thus far.

      If you want to break someone's crypto, you should not even think about attacking it directly. You should think about attacking the person, or at least planting recor
    • by bschorr (1316501)
      No, and that is exactly what I consider to be one of the biggest issues of the Cloud. The Terms of Service of many, if not most, Cloud Computing/SaaS providers explicitly allow them to outsource their storage (of either primary data or backups or both) to unnamed 3rd parties. Where are these mysterious 3rd parties located?

      Like all businesses keeping costs down helps them keep profits up and since Cloud Computing IS largely sold as a low-cost solution (we can discuss price vs. cost later) we know that keep
      • by ckaminski (82854)
        These clauses are so they can use facilities and services like Iron Mountain and its ilk to securely store data offsite. Iron Mountain has been doing this for banks and hospitals for years with few issues - ideally your Cloud vendor encrypts their backups before the tapes get shipped offsite.
        • by bschorr (1316501)
          Yes, I know why they have these clauses. My point is that these clauses specifically allow them to ship your data off to unnamed third-parties who may be located anywhere in the world.

          And that is a potentially serious issue for people storing confidential and/or mission-critical data in the cloud. Especially when they thought they were storing it with a domestic provider, only to discover later perhaps that their data was actually shipped off to a 3rd party in another part of the world.
  • by Ellis D. Tripp (755736) on Tuesday January 19, 2010 @08:28AM (#30818382) Homepage

    at the point when urine drug testing was mandated by the government for any company receiving government contracts. You know back in the days of Ronnie Raygun and the "Just Say No" crusades?

    If you aren't secure against government searches OF YOUR OWN BODILY FLUIDS, do you really think that they will respect your right of privacy regarding some random 1s and 0s stored on a private corporation's computers somewhere?

  • Wasn't it a core value of the Internet that it was abstracted above limitations of juridical boundaries, political division and secular belief systems to provide redundant fail-safe communication world wide enabling human progress in the face of systemic failed governance?

    How does advocating _for_ juridical application of the 4th virtually annexing "the cloud" as the 51st state... tell me again how that abstracts the medium above the landscape.

    • by bschorr (1316501)
      The problem is that the abstracting ends when and where the government of the country wherein the server exists decides it does. Note the whole China/Google kerfuffle. In the utopian view of the Internet Google and their searches roam freely across the landscape, unencumbered by quaint political systems.

      In reality the Chinese government actively restricts (or at least tries to) what passes into and out of their country by land, sea, air and cyberspace. Other countries have intervened on the Internet as
  • by Alarindris (1253418) on Tuesday January 19, 2010 @08:50AM (#30818524)

    The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world

    Electrons in computers ARE part of the physical world.
    Stop conceding that it is different!

    IT'S NOT!

    • and therefore, it makes sense that it is also different legally

      moving bits around is completely unlike moving pieces of paper around, in all sorts of fundamentally significant ways, with all sort of implications and ramifications for how society does work, could work, and should work

  • Dumb idea anyhow. (Score:5, Insightful)

    by lancejjj (924211) on Tuesday January 19, 2010 @08:52AM (#30818540) Homepage

    [T]he service provider has a copy of the keys to a user's cloud 'storage unit'

    Why the hell would I want to give a copy of the keys to the service provider?

    Just because you use the cloud to store bits of data doesn't mean that you'd want to store unencrypted bits of data there. Those that do risk distribution of your unencrypted data via a multitude of channels, including but certainly not limited to:

    • Cloud configuration errors
    • Service Policy changes
    • Service Security failures
    • Data theft by administrators
    • Service scanning and reselling of your data

    Why would anyone hand the keys to all their important data to a 3rd party that they don't personally know? Just because they're under a contract with that 3rd party? A contract drawn up exclusively by that 3rd party? With clauses designed exclusively to protect that 3rd party?

    • Re: (Score:3, Interesting)

      by Zerth (26112)

      Seriously, if you are going to do something important in the cloud, get data storage from a different cloud than the one you use for processing.

      Even better, have the data only exist in an unencrypted form while it is in use on the zero-storage processing cloud and run the keyserver in a third location. Preferably somewhere you'd notice when the cops break the door.

      • by bschorr (1316501)
        But now that I have THREE(?) separate cloud providers to run a single application, where is my advantage over just hosting it in my own data center? How many different 3rd parties am I going to pay to touch my confidential data before all of the promised cost-benefits of the cloud disappear?

        And if something goes wrong in my 3-headed cloud won't each provider just point at one (or both) of the other two and claim it's their problem?
    • by PTBarnum (233319)

      Why would anyone hand the keys to all their important data to an employee they don't personally know? Why do you assume that your data will be perfectly safe as long as the people with access to it are direct employees rather than employees of a contractor?

      • by bschorr (1316501)
        It's true that keeping your data in-house doesn't guarantee its security. However...I'd suggest that the more layers and people you put between you and your data the inherently less secure it becomes. The employee may not be 100% trustworthy but at least I know who they are. I have personally met each and every person with a key to our datacenter because I'm the one who handed them their keys.

        Every additional contractor, sub-contractor, sub-sub-contractor means more hands and eyes with access to my data
  • It is worth noting that under the Constitution, there is no federal power to search or seize, at all. Thus people who say that the 4th amendment doesn't list something as protected, like a computer file, miss that point. The 4th amendment is that the government is allowed to search mail, with a warrant, and nothing else.

  • Uh not so fast. (Score:2, Insightful)

    by Geofferic (1091731)
    This post starts with a false statement. 4th amendment rights are not well settled. They've been challenged and altered repeatedly within the last decade.
    • by stocke2 (600251)
      you would think we could settle something like that inside of 200 years though, wouldn't you?
  • If you know anything at all about security, you won't let your data be stored on someone else's computers and travel on someone else's network in the first place. (Spoken in the voice of Fat Tony [wikipedia.org]) Off-site storage is absolutely necessary, but there are other, more expensive, more tedious, but far more secure methods of keeping your data off site. And please don't keep a paper trail.

  • Only in america (Score:3, Insightful)

    by petes_PoV (912422) on Tuesday January 19, 2010 @09:08AM (#30818674)
    US freedoms, protections and liberties only apply within US borders. If you put your data in "the cloud" is there any guarantee that your data will stay within US borders, or is it free to float (as clouds do) to any other geographic location?

    Specifically, would it be wise to assume that all, or any, backups will only be taken in america, or that the data won't get routed to or through another country?

    It's a big world out there and the USA is only a small part of it.

  • t, way back in 1986.

    http://en.wikipedia.org/wiki/Stored_Communications_Act

    "With respect to the government’s ability to compel disclosure, the most significant distinction made by the SCA is between communications held in electronic communications services, which require a search warrant and probable cause, and those in remote computing services, which require only a subpoena or court order, with prior notice. This lower level of protection is essentially the same as would be provided by the Fourth Ame

  • by Yvanhoe (564877) on Tuesday January 19, 2010 @09:19AM (#30818784) Journal
    A bit offtopic but I think it is important for lawmakers: stop doing analogies. Cryptography does not work like a lock or like an opaque case, owning cryptographic keys does not make you the landlord of anything. Cryptography works by taking a clear message and a key and mixing them in a way that produces seemingly random information but that can be made sense of thanks to the decoding key and the decoding algorithm. It is not that hard to understand. It requires 30 seconds of focus to understand and twenty minutes of thinking about and around, and you have understood the basis of crypto.

    Dear lawmakers, please make laws about cryptography, not about analogies of cryptography if you don't want me to just be an analogy of a law abiding citizen.

    Thanks.
    • by gclef (96311)

      Lawyers don't do that because they think you're dumb...they do it as a way to build out existing precedent. If there already is law or precedent covering sealed envelopes, for example, and you can show that the situation you're looking at is functionally the same as a sealed envelope, then you can argue that existing precedent covers the situation and no new law is necessary. Creating new precedent and/or law is rare, and judges are hesitant to do it unless there's a clear need. If the lawyers can presen

    • by srleffler (721400)
      The analogies are important here, because this is a legal argument. Besides written laws, there are judicial decisions covering things like the privacy of an item in a locked briefcase, or of material stored on a landlord's premises. By making analogies to these things, the author is arguing that the principles in those judicial decisions should be applied to cloud storage as well. If that argument succeeds, it may not be necessary to make any new laws at all, just to correctly interpret the existing ones.
  • if you want something private, don't put it on the internet

    if you want a private conversation, walk with the person on a beach

    everything else is subject to snooping, and not just by the government. there are other less savory entities out there that can pilfer your information

    so if it's important, just keep it off the wires. this is a complete short-circuiting of all of the legal arguments

    because even if you successfully clamped down on the government across all legal avenues, the government really is the lea

  • The analogy of a locked briefcase is instructive. If the government were to try to guess the combination, aren't they ignoring my intention of privacy? That is, I locked the briefcase, intending to shield the contents from disclosure without my consent. Being a combination lock means nothing, because picking a key lock is the same effort, indeed snipping off the lock is the equivalent. Does the means of entry matter? Indeed, coercing me to divulge the combination, or give them the key, aren't these also

  • Solution: just don't give anyone else the key to your encrypted data. And certainly not the third-parties.

    The problem is, though, that web-browsers don't (yet) have good support for encryption/decryption of data.
    The only encryption supported well is the TLS connection to the webserver, but that one doesn't count since it merely allows you to talk to the webserver (i.e., the third-party).

    Another problem with client-side-encryption is that the third-parties cannot manipulate or index your data, but that could

  • First issue - 4th Amendment protections in the US - what search and seizure protections do you have. Despite the so-called newness of the cloud (some of us remember big iron - dumb terminal models from way back) it is another way to electronically transmit information - so it would seem that all the existing wiretap laws would apply. Just like they can tap your phone they can intercept other electronic transmission, with a proper warrant. To the extent such information is publicly available (such as via a

  • If an American citizen has data stored on "the cloud" (be it email, documents, images, videos), not all of that data is necessarily stored in the U.S. In fact, the citizen may have a video on the cloud that is split up and stored across the cloud in different countries. How does that fit with the 4th amendment? If their data is stored in another country, I'm not sure the U.S. could get that info without permission of another government.
    • If their data is stored in another country, I'm not sure the U.S. could get that info without permission of another government.

      Or another more important question:

      What if the US engages in a data sharing exchange with another government? You show us your database, and we will show you ours.

      Suddenly you have the UK monitoring US citizens w/o 4th amendment protections, and you have the US monitoring UK citizens without their privacy protections and then they exchange the data.

      Somewhere along the line, Rights

  • Quite simply, don't store any data in "the cloud" that you would object to seeing printed on the front page of a newspaper the next morning. If you want to keep something confidential, store it on a server controlled by you, and use adequate encryption when transmitting it.
  • This is not a "law review article" - it is a "note." Published law review articles by students are extremely rare. Law review articles are also generally quite a bit longer and more in-depth. When a student who works on the school's law review writes something and it gets published, it is usually called a "note" or a "comment," specifically to distinguish it from the actual articles, which themselves are usually the product of a law professor or, in some cases, a practicing attorney.

    But that's just pe
  • My issue is reciprocity: If it is legal for the government to "peer into" my private data they should not be allowed to take umbrage if I peer into theirs. (note: this is a joke do not put me in jail)

    If privacy is dead it should be dead for *everyone*.

    If privacy is not dead then it should be enforced for everyone.

  • This is exactly why I donate to the Electronic Frontier Foundation [eff.org] every year. Until these rights are tested for the 'new' electronic medium in a court of law, we need a lobby group dedicated to securing them.
  • to my safety deposit box. There are 2 keys to open the box. The bank inserts their key and I insert mine
    in order to open the box. If I lose mine, they have made it very clear that it will cost me a couple of hundred
    bucks for them to drill open the lock and re-key it. I think they will also drill it open under a subpoena. But
    I will know next time I go to open it...

    • by oasisbob (460665)

      Yes, in the US this is a standard practice. No financial institution I know of will keep a spare key to a safe deposit box. (The exception being those institutions which have switched to electronic locks, that technology doesn't easily allow for an institution to lock themselves out intentionally.)

      That second key the bank possesses is known as a guard key. It's there to prevent what banks call "box hopping/jumping" where you sign-in on one box, and use a separate key to access another box unaudited. (eg if
