State House - Privacy, Cloud Services and the Law

I find myself constantly drawn into questions of how the law applies to various functions of my life as an avid technology user and, even more specifically, as a Software Architect and Engineer. In light of recent events and revelations it is clear that where we elect to process, store and back up our data may increase the risk that "well meaning" entities will peek at information we assumed was private.

I have worked with startups in healthcare, where the primary concern was compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More recently I have worked with financial institutions, which are required by law (the Gramm–Leach–Bliley Act) to disclose to their clients the nature of the personal financial information they collect; the same law requires that consumers be informed about any company or organization that receives their personal information.

These laws are still relatively young, and they do offer protection to the general population. This is critically important as well meaning (but not necessarily benign) technologies begin to infiltrate very sensitive areas of our homes, work and health. Digitization has made certain information gathering techniques that were once impractical not only practical but viable and even commonplace. So laws that may, for all past practical purposes, have appeared quite reasonable now give government agencies the ability to look into your data without being in direct contravention of the Fourth Amendment.

One defining legal battle, Smith v. Maryland (U.S. Supreme Court, 1979), held this position (emphasis mine):

Given a pen register's limited capabilities, therefore, petitioner's argument that its installation and use constituted a "search" necessarily rests upon a claim that he had a "legitimate expectation of privacy" regarding the numbers he dialed on his phone.

This claim must be rejected. First, we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. In fact, pen registers and similar devices are routinely used by telephone companies "for the purposes of checking billing operations, detecting fraud, and preventing violations of law."

For an electronic device (a pen register) in 1979 this may have been a reasonable stance; in 2013, however, it opens up a plethora of issues for our online digital information. Most citizens can clearly see why a warrant may be required for files or emails on a hard drive in our homes. But what about when you send email from Yahoo or make digital calls: do you "…in general entertain any actual expectation of privacy…"?

A more apt example may be your Dropbox, SkyDrive or Google Drive files. I think we as subscribers to those services understand that, in order for the service to work, the provider may have to index and measure a file for billing purposes, or look inside it to provide search capabilities. But does that then allow an outside government agency to review that file (or its metadata) in a broad reaching search?

On June 6, 2013, plaintiffs brought the first of two related lawsuits challenging the constitutionality of "certain intelligence-gathering practices" by the US government, relating specifically to the wholesale collection of phone record metadata. A Federal District Court Judge for the District of Columbia has ordered the government to stop collecting data on the personal calls of the two plaintiffs in the case and to destroy the records of their calling history:

I cannot imagine a more 'indiscriminate' and 'arbitrary' invasion than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analyzing it without prior judicial approval ... Surely, such a program infringes on 'that degree of privacy' that the founders enshrined in the Fourth Amendment.

This is clearly bound for appeal and, in all likelihood, for the Supreme Court; the judge recognized this and preemptively stayed his own order pending appeal.

Given the ways in which we can manipulate, store, search and cross-reference massive amounts of data, the notion of privacy by obscurity is almost completely invalid. Our laws need to reflect a completely new digital paradigm, one in which apparently "harmless" metadata, combined with other "harmless" data, can be cross-referenced in such a way that your assumed private life is actually quite public.