Research & Commentary: Protecting Privacy in Cloud Computing

Published July 1, 2011

The 25-five-year-old federal Electronic Communications Privacy Act (ECPA) doesn’t protect individuals’ data stored remotely in the Internet “cloud” (such as gmail, mobileme, and skydrive). This allows government agencies to perform warrantless searches on any data stored there for more than 180 days. Sen. Patrick Leahy (D-VT) has filed an update to ECPA that would apply protections to any data stored in the cloud, plus geolocation data from mobile phones and URL and IP data from any device.

Cloud services are increasingly popular. More than 153 million Americans used some form of cloud-based email last year, according to a ComScore report. In addition, 22 percent of U.S. consumers store personal medical records and more than 20 percent store personal financial documents in these remote data centers.

The loopholes in ECPA’s obsolete, technology-specific language discourage consumers and businesses from using cloud services more intensively. Berin Szoka of TechFreedom notes updating ECPA to reduce ambiguity would decrease incentives for companies to locate their datacenters overseas, thus keeping more jobs in the United States. The reform also would clarify that “normal law enforcement access to private data should be subject to the judicial warrant requirement enshrined in the Fourth Amendment,” Szoka notes.

Adoption of new ECPA language and new transparency and reporting requirements for the use of “emergency exemptions”—without adding any new regulatory burdens—would benefit consumers, increase innovation in the telecom sector, and help strengthen the economy.

The following documents consider the implications of extending privacy protection to the cloud.

Electronic Communications Privacy Act Amendments Act of 2011

S. 1011 is the Electronic Communications Privacy Act Amendments Act of 2011, introduced by Sen. Patrick Leahy (D-VT). The act updates the decades-old ECPA with language protecting cloud-based, mobile, and geolocation information from privacy infringements.

Leahy Introduces Benchmark Bill to Update Key Digital Privacy Law

This press release from Sen. Patrick Leahy (D-VT) details his plan to update the Electronic Communications Privacy Act. Leahy writes, “The balanced reforms in this bill will help ensure that our federal privacy laws address the many dangers to personal privacy posed by the rapid advances in electronic communications technologies.”

Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing

Writing for the World Privacy Forum, Robert Gellman outlines many of the threats to privacy in cloud computing and identifies ways to increase consumer and business privacy. Gellman writes, “both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information.”

Privacy in the Cloud Computing Era

This short paper from Microsoft’s “Trustworthy Computing” initiative outlines the company’s work on its own privacy policy, what it implies about emerging issues and technology in the cloud, and problems with current policies and regulations. The paper notes, “providers can be caught in an impossible position when governments impose conflicting legal obligations and assert competing claims of jurisdiction over user data held by these providers.”

Coalition Letter Urging Congress to Update Privacy Laws

This coalition letter to Sen. Patrick Leahy (D-VT) from a host of free-market and digital privacy groups sparked his update to the ECPA and suggested specific updates. The letter advises, “Specifically, Congress should amend outdated U.S. laws originally intended to protect citizens against unwarranted law enforcement access to their private information held electronically by third parties.”

Free at What Cost

Writing in the Georgetown Law Review, William Jeremy Robison identifies a legal framework of best practices from past law that can be applied to new technologies. He argues that past law was written poorly: “The Stored Communications Act [of 1986] … is not built around clear principles that are intended to easily accommodate future changes in technology; instead, Congress chose to draft a complex statute based on the operation of early computer networks.” Robison argues for a full rewrite of both the ECPA and the Stored Communications Act.

Data in the “Cloud” Needs Fourth Amendment Protection

Technology and privacy expert Steven Titch of the Reason Foundation argues cloud computing is becoming so essential that in order for U.S. businesses to remain competitive and innovative it must be protected: “It’s not simply an option in the way one chooses to manage data. Cloud computing is becoming necessary to go about one’s daily business. Legal protections need to be there.”

Block Big Brother’s Internet Snoops

Reason Foundation information technology expert Steven Titch argues in favor of Sen. Leahy’s update of the ECPA. He writes, however, “the bill could be strengthened even more if, as the American Civil Liberties Union suggests, there were stricter reporting requirements about the use of online surveillance and greater safeguards against the use of ’emergency exemptions’ that could undermine the bill’s aims.”

For further information on this subject, visit the InfoTech & Telecom News Web site at, the InfoTech Issue Suite at The Heartland Institute’s Web site at, and PolicyBot, Heartland’s free online research database, at

Nothing in this message is intended to influence the passage of legislation, and it does not necessarily represent the views of The Heartland Institute. If you have any questions about this issue or the Heartland Institute Web site, please contact Marc Oestreich, legislative specialist in telecommunications, at 312/3774000 or [email protected].