There was a minor announcement yesterday, which said something to the effect that data stored in the cloud in Europe and other locations was not immune to US Patriot Act access.
This concern was mainly aired by one cloud provider but they mentioned any US company would need to provide the same access to data located anywhere.
I suppose, living in the US, this sort of access should not be a concern for me, but somehow this struck a chord. Does this mean that anything I store in the cloud, search on the internet, or publish to social media is essentially available to any government entity that deems it important to access? Yes, probably so.
The Fourth Amendment to the US Constitution established the right of individuals to not be subject to “unreasonable search and seizure of property”. One could readily extend the definition of property to data. However, somewhere in case law this provision has been modified to imply that such rights only apply to property that a person has a reasonable expectation of being private.
Data property rights outside your office
So where does that leave data property rights?
- Social media – seems to me that you waive any property rights to the data you submit to social media the moment you hit enter. For example, in Twitter any tweets you create are broadcast to all your followers, and anybody searching on tweet text can see them (unless you restrict your tweets). Places like Facebook, Flickr, YouTube, and other social media provide a service where updates are broadcast automatically to anyone searching on that information unless you lock it down and secure access to only a limited set of “friends”. But in the most common case, data in social media is public information (although perhaps owned by the social media company).
- Cloud data – privacy rights may or may not exist in the cloud; it depends on what you store there. Let's say you start backing up your laptop/desktop to the cloud. Such data is in a format that is likely proprietary to the particular backup application you use, but that doesn’t mean you have any reasonable expectation of privacy, because those formats are known to the US company that created them. As such, plain text data placed in the cloud probably has no expectation of privacy. Encrypted data is another story, however.
Establishing reasonable expectations of privacy
So what can someone do today to establish “expectations of privacy”?
- Abandon social media. If you can’t do that, be very careful of the data you expose there.
- Abandon cloud storage. If you can’t do that, encrypt your data before it moves or is copied to the cloud. But you must understand who owns the encryption keys and where they reside. If the cloud provider owns the encryption keys and they can be found in the cloud, then a reasonable expectation of privacy is not present. To really secure data, encrypt the data yourself with an application not associated with the cloud service, with key phrases known only to you and stored outside the cloud only. Given all that, one can assume a “reasonable expectation of privacy”.
Yes, both of these approaches are painful. Yes, they make using such facilities more complex and time consuming, but it’s the only way to establish privacy rights for your data.
Being an active user of Twitter and blogging, I have no reasonable expectation of privacy for this data, but that doesn’t mean I relinquish the rest of my data to unrestrained access.
For some time now I have been considering the use of cloud backup but have been reluctant for my data to leave my control. Such fears now seem to have a factual component to them. Nonetheless, cloud data can be private and secure, but only if you safeguard the data before it leaves your premises.