
Is Online Data Private?


Posted by Lawrence Sinclair on 20 Apr 2010 at 20:06

I was rather surprised today to read that data stored on "cloud" services might not have the same legal privacy protections in the US that data has when stored inside your home (or business). This came to my attention after a Wired Magazine article (April 20, 2010) about Google's recent openness about government requests for information worldwide.

A broad consortium of tech companies and privacy groups recently announced a push to modernize the nation’s privacy laws so that data stored by third parties, especially by so-called cloud computing services like Gmail, are treated just like data stored on citizens’ home computers. Currently, e-mails stored online lose much of their legal protection after 6 months, and the Justice Department recently tried to get at unopened mail online without having to get a proper search warrant.

The principle is that user data left online more than six months can be considered "abandoned" and so open to less restrictive government scrutiny. The primary, or at least initial, target seems to have been email. But the law could apply to photographs, usage and other behavioral data, friends, and status messages. As far as I can tell, this applies to just about any personal data stored online.

What to do about it?

One way to resolve this issue would be to insist on storing data online only in encrypted form, with all decryption done on the client side. Currently, to ensure security, network connections between client and server are encrypted. But the data is then stored in clear, unencrypted form, exposing it to employees, theft, and government access at the host company's premises. Client-side encryption could help with some data intended for the owner's eyes only, such as email and personal documents. But it would not work easily for data that is intended to be shared with a limited audience. And it would not protect behavioral data, such as login times and places, and purchases.
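The client-side scheme described above, as an added example that is not part of the original post: it uses Node.js's built-in crypto module (scrypt for key derivation, AES-256-GCM for encryption), and `hostStore`, the user name and the sample message are hypothetical, constructed for illustration. The stored row also shows the limitation noted above: the host still records metadata such as upload time and size in the clear.

```javascript
// Added example: encrypt on the client so the host only ever holds ciphertext.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key from a passphrase that never leaves the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt on the client; the returned record is all the host receives.
function seal(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt on the client; throws if the passphrase is wrong or the record was altered.
function unseal(passphrase, rec) {
  const key = deriveKey(passphrase, Buffer.from(rec.salt, 'base64'));
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'base64'));
  d.setAuthTag(Buffer.from(rec.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'base64')), d.final()]).toString('utf8');
}

// Hypothetical host-side store: it keeps the opaque record plus metadata it observes itself.
function hostStore(db, user, rec, now) {
  db.push({ user, uploadedAt: now, bytes: Buffer.from(rec.ct, 'base64').length, rec });
  return db[db.length - 1];
}

// Constructed sample data.
const db = [];
const row = hostStore(db, 'alice', seal('correct horse battery staple', 'Dear Bob, ...'), '2010-04-20T20:06:00Z');
console.log('host row contains plaintext:', JSON.stringify(row).includes('Dear Bob'));
console.log('host-visible metadata:', row.user, row.uploadedAt, row.bytes);
console.log('client decrypts:', unseal('correct horse battery staple', row.rec));
```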

As a stopgap measure, individuals and companies should consider deleting all data, including behavioral data, as it grows older than 6 months.

One could also lobby to get the laws changed. But there are a lot of competing interests, and success is not inevitable, or likely to be rapid. However, an important solution should be legal, and some action in that direction is starting to take shape.


1 comment
  1. Lawrence Sinclair - Nov 08 2010

    Chris Thorpe made an excellent comment about how encryption keys you keep in your head **are** protected in US law by the Fifth Amendment to the US Constitution. However, simple passwords are not protected and one can be forced to reveal them. See http://www.quora.com/Why-are-private-keys-protected-under-the-Fifth-Amendment-but-passwords-are-not
