Cloud-based data that do not involve electronic communications are not protected. Id. at 883; Gold, supra, at 2333. Suppose you upload a spreadsheet with all your financial information to Dropbox—this type of information would not be protected by the SCA because there is no communication involved; but if a Gmail account backed up emails into Google Drive, this information would be protected. Id. In effect, most cloud data are unprotected by the SCA. Johnson, supra, at 877; Matthew McKenna, “Up in the Cloud: Finding Common Ground in Providing for Law Enforcement Access to Data Held by Cloud Computing Service Providers,” 49 Vand. J. Transnat’l L. 1417, 1430 (2016); Serafino, supra, at 185.
To address cloud privacy, Congress needs to expand the SCA to protect noncommunicative cloud data. Requiring probable cause and a warrant to access this information would be a welcomed change. But the “procedural protections” are what matter for cloud privacy, not the document required to obtain the information, such as a warrant or subpoena. Murphy, supra, at 519. Congress should require probable cause and notice to acquire personal cloud data. It should also create safeguards to prevent the “unauthorized exposure” of data and compel their destruction after their use. Id. at 520–21. Last, it should expand the national security exemption to cover these requirements. Id.
The government would violate this statute if it searched a personal cloud account or used seized information without meeting these requirements. The trigger for this statute may “over-protect [digital] records”—but it is better to over-protect than to under-protect this type of information. Orin S. Kerr, The Digital Fourth Amendment: Implementing Carpenter 28 (Oxford Univ. Press, USC Law Legal Studies Paper No. 18-29, forthcoming) (on file). And transparency and clarity are the hallmarks of a well-written statute. Id. Without these features, confusion and abuse are inevitable. Id. at 26; Secretary Michael Chertoff, Exploding Data: Reclaiming Our Cyber Security in the Digital Age 200 (Atlantic Monthly Press 2018). Employing this concrete standard reduces the chance of either occurring. Kerr, supra, at 28. Some may argue that this standard is too rigid. But suppose law enforcement enters your house without a warrant and searches your desk. Clearly, this type of entry and search is unlawful. Id. Why should personal cloud information be any different?
A legislative fix would also clarify this issue for defendants, prosecutors, and private companies. Murphy, supra, at 536. Defendants would know their rights, prosecutors would know their boundaries, and cloud providers would know when it was necessary to comply with the government. Id. As long as this area remains unlegislated, companies and individuals will face expensive litigation and difficult decisions. Id. Cloud providers do not want customers losing faith in their service, which is why they are likely to oppose data requests. Id. But a federal statute provides “legal safe harbors for compliance,” freeing companies from difficult ethical decisions and angry customers. Id.
Even with a privacy statute that protects cloud information, Congress must do more. Congress needs to create a law the forces it to revisit digital privacy statutes on a recurring basis. Keeping pace with rapid technological changes will not be easy. Id. at 540–41. Nor will bipartisan support on some issues. But with the constant evolution of technology, using 30-year-old statutes for digital privacy is a recipe for disaster. With this law, Congress will be forced to examine digital privacy protections more often than every 30 years.
Conclusion
Digital privacy is threatened without statutory protection. H. Brian Holland, “A Cognitive Theory of the Third-Party Doctrine and Digital Papers,” 91 Temp. L. Rev. 55, 58 (2018). To be sure, the government should have “the appropriate legal authority to provide security” and fulfill its constitutional role. Chertoff, supra, at 199. At the same time, people must maintain “a sufficient scope of privacy and autonomy necessary for [their] human dignity.” Id. Herein lies the inherent tension. But I believe the recommendations put forth by this article accommodate both essential principles.
For those who argue that my suggestions will allow people to “do things they shouldn’t be doing,” I respectfully disagree. Diamantis, supra, at 501. The proposed statutory amendment “allow[s] people to live core areas of their personal lives with the dignity that excludes onlookers.” Id. The United States is not a totalitarian country. Id. We have always warned against oppressive behavior in the physical world, and the digital world should be no different. Armed with wholesale cloud access, the government could “pursue personal vendettas, target the politically unpopular,” and trample on other civil liberties. Kerr, supra, at 26; Diamantis, supra, at 501; Chertoff, supra, at 200; Johnson, supra, at 869–70 (“In 1963, the Federal Bureau of Investigation wiretapped the phones of Martin Luther King, Jr. under the pretense of determining King’s ties to members of the American Communist Party. And after 9/11, the New York Police Department, with significant assistance from the Central Intelligence Agency, spent years monitoring Muslim neighborhoods and community centers.”).
Since 9/11, the government has received “greater investigative latitude,” but to extend this ability to warrantless searches of cloud services is unwise. Vania Mia Chaker, “Your Spying Smartphone: Individual Privacy Is Narrowly Strengthened in Carpenter v. United States, the U.S. Supreme Court’s Most Recent Fourth Amendment Ruling,” 22 J. Tech. L. & Pol’y 1, 12–13 (2018) (sign-in required). Although it is my belief that Carpenter protects cloud data from warrantless searches, this area is still “ripe for future Supreme Court review.” Kerr, supra, at 26. With Justice Brett Kavanaugh joining the bench, and a slim 5–4 majority in the Carpenter opinion, this issue is hardly settled in the courtroom. Dan Sewell, “Kavanaugh’s Support for Surveilling Americans Raises Concern,” AP News, Aug. 28, 2018 (“Supreme Court nominee Brett Kavanaugh has frequently supported giving the U.S. government wide latitude in the name of national security, including the secret collection of personal data from Americans.”).
And so Congress must act.