Privacy Law and Cloud Computer

Robert Drake on February 16, 2010 in Politics, Technology

First, an article on the Fourth Amendment.

As a network administrator for a library system and a technical advisor for a cloud computer company, I have a certain vague relationship with electronic law.  More often, technical necessity and security best practices determine how things should be done, but beyond all this there are legal requirements that do have to be met and further legal protections that should be protected.

The key paragraph in that link is:

In order for enough trust to be built into the online cloud economy, however, governments should endeavor to build a legal framework that respects corporate and individual privacy, and overall data security. While national security is important, governments must be careful not to create an atmosphere in which the customers and vendors of the cloud distrust their ability to securely conduct business within the jurisdiction, either directly or indirectly.

Laws must be appraised on a few points. Most importantly, how and why does a law infringe upon the rights of its citizens? Do the law’s protections provide an adequate compensation for the freedoms infringed? Finally, does the law provide a mechanism of recourse for those parties that have been affected?

As I see it, any law regarding cloud computing needs to make data within the cloud fundamentally private, or private by default with a handful of acceptable cases for disclosure. First, any non-intentional, non-targeted access by network administrators needs to fall under a sort of ‘technician’s freedom’. If an account is having problems and a technician logs in to figure out the problem and happens to see some emails, this should not count as a privacy breach, assuming that this was a reasonable response to the problem and that reasonable precautions were taken to prevent that sort of disclosure. As usual, any sort of warrant or subpoena should be honored, but the standards of access need to be held high, otherwise the integrity of the cloud is lost.

The idea that data must be encrypted to be considered secure seems faulty. Certainly data that is put up for public or open access is not ‘protected’. An open Facebook page has no assumption of privacy, but an uploaded Google Doc does and should, regardless of encryption. Forcing encryption might be good technically (and probably is), but it does not serve any particular useful legal standard. Rather, saying that only encrypted documents are private within the cloud suggests that the cloud, regardless of any user access that a customer would logically or contractually expect, has no protections whatsoever. A different analogy than the ‘locked briefcase’ should be considered.

‘I smelled something’ type police work should not be encouraged on the internet. Crime inevitably leaves a trail, usually a financial trail, and that’s where police work needs to start and end, whether it be common fraud or the terrorism that will inevitably be used to justify some overarching data-mining operation that won’t actually help anyone. Any terrorist dumb enough to put any easily found keywords in his online documentation probably would have gotten caught anyway, and anyone more clever than that is going to be lost within the billions of terabytes of data online. That’s another argument altogether, but as far as fledgling cloud computing is concerned, some decent privacy laws are an absolute requirement both to reassure the customer and to bind the providers into a respect for privacy and security that, thus far, has been noticeably lax, as the frequent data breaches suggest.
