Cloud computing lets Feds read your email

More persuasive is Justices Brennan and Stewart's dissent in Smith where they note:

The Court today says that [Constitutional] safeguards do not extend to the numbers dialled from a private telephone, apparently because when a caller dials a number the digits may be recorded by the telephone company for billing purposes. But that observation no more than describes the basic nature of telephone calls. A telephone call simply cannot be made without the use of telephone company property and without payment to the company for the service. The telephone conversation itself must be electronically transmitted by telephone company equipment, and may be recorded or overheard by the use of other company equipment. Yet we have squarely held that the user of even a public telephone is entitled "to assume that the words he utters into the mouthpiece will not be broadcast to the world".

Justice Thurgood Marshall went further in Smith, noting:

Implicit in the concept of assumption of risk is some notion of choice. . . [U]nless a person is prepared to forgo use of what for many has become a personal or professional necessity [the telephone or the internet], he cannot help but accept the risk of surveillance. It is idle to speak of "assuming" risks in contexts where, as a practical matter, individuals have no realistic alternative. More fundamentally, to make risk analysis dispositive in assessing the reasonableness of privacy expectations would allow the government to define the scope of Fourth Amendment protections. For example, law enforcement officials, simply by announcing their intent to monitor the content of random samples of first-class mail or private phone conversations, could put the public on notice of the risks they would thereafter assume in such communications.

The same holds true for Warshak's email, Apple's MobileMe service, Google's GMail or Google Documents, or any remote storage facility. Almost by definition you have to use a third party to transmit this information, and almost by definition the third party has to make a "copy" of the communication. This is, in fact, the essential nature of "cloud" computing - the data resides somewhere else and you just "access" it.

The real problem with the Warshak Court's ruling - and here is where it gets dangerous - is that it essentially held that your expectation of privacy with respect to the government's seizure of your email is dictated by the terms of the contract with the ISP. These terms of use, which generally provide the ISP or storage facility a limited "right of entry" or "right of inspection" are intended to protect the ISP from liability, not to establish the balance of privacy vis a vis the government. Indeed, even if your employer said you had "no right of privacy" in your corporate email, this wouldn't necessarily mean that the cops could read the email without a warrant or a subpoena. It might mean that if the ISP or employer examined your email pursuant to their policy and then saw something and called the cops that this would be appropriate.

Privacy is not binary - it's not that you either have it or you don't. You may have an expectation of privacy vis a vis the FBI, and less with respect to your ISP. In fact, this is exactly the opposite of the position that the government took a few days later when it charged (pdf) a Philadelphia news anchor with reading his co-anchor's email, stating:

Our email is private, just like our telephone conversations and mail. Our expectation of privacy for email is even higher, due to the high level of security used in transmitting email messages.

The government went on to say "people expect that email in a password-protected, personal email account is private".

Sure. Unless, of course, the government wants to read it. In that case, according to both the government's brief and the court's opinion, you have no expectation of privacy.

This article originally appeared in Security Focus.

Copyright © 2008, SecurityFocus