While preparing to teach a recent class about search warrants for digital devices, I spoke with a number of experts in digital forensics. Each conversation was very helpful. Almost all of them touched on an issue I’d never previously considered: whether search warrants for cell phones do or may include the authority to search connected cloud services.
Example. To illustrate the question, imagine that the Bedrock police suspect Fred Flinstone of conspiring with Barney Rubble to sell drugs. They arrest a drug user, who tells them that he gets his drugs from Fred and that he communicates with Fred by cell phone. During surveillance, the police see Fred use his phone just before and during apparent hand-to-hand drug transactions. Finally, they have evidence that he’s working with Barney, and in their experience, co-conspirators often communicate using their cell phones. Based on the foregoing, the police seek a search warrant authorizing the search of Fred’s phone for evidence of drug activity including relevant communications, customer lists, ledgers, and trophy photos. Probable cause seems like a slam dunk. But if the warrant issues, may the police search connected cloud services while searching the phone? Would it be proper to embed in the search warrant a proviso along the lines of “including connected cloud services”? (I recognize that the term “connected cloud services” is not well-defined, but at a minimum I mean applications like Google Docs and Dropbox that may be installed on a user’s phone and that provide access to files and documents that are stored remotely on a server rather than locally on the device.)
The arguments for allowing the search of connected cloud services. I can imagine a couple of arguments for allowing the search to reach into the cloud. First, cloud services are designed to integrate seamlessly with the devices on which they are installed. From a user perspective, they function as a part of the device. Arguably, therefore, they should function as a part of the device from a law enforcement perspective also. In fact, when searching a device manually, an officer may not even realize that he or she has accessed data normally stored in the cloud. See Austin v. United States, 2016 WL 2795682 (E.D. Mich. May 13, 2016) (unpublished) (noting that “the officers at the time did not know whether the photos they saw were on the phone or in the iCloud, as each appeared the same on the phone”). A related point is that questions about the scope of search warrants have often been answered by asking whether evidence of the crime may be found in a particular location, and certainly it is possible that Fred could keep his or her ledgers in a connected cloud service.
Second, while allowing a search of connected cloud services may greatly expand the scope of a warrant, users are not required to install and use cloud services. They choose to do so, and when they do, perhaps they assume the risk that someone who gains access to the phone – whether unlawfully or pursuant to legal process – will also gain access to the cloud services.
A third possible argument, that information stored in cloud services is not subject to a reasonable expectation of privacy pursuant to the third-party doctrine, strikes me as increasingly an uphill battle given courts’ growing recognition of a reasonable expectation of privacy in email and other digital assets, and the Supreme Court’s decision not to apply the third-party doctrine to cell site location information in Carpenter v. United States, 585 U.S. __ (2018). The terms of service for the particular cloud service at issue might be pertinent to this analysis, however.
The arguments against allowing the search of connected cloud services. On the defense side of the ledger, allowing law enforcement to reach beyond what’s stored locally on a device may become a slippery slope. For example, my phone is connected to the cloud in a whole bunch of ways: my Gmail account is linked to my phone’s mail app, my social media accounts are linked to their respective apps, the contents of my Google Drive are linked through its app, information about an upcoming vacation is linked to the Disney app, and so on. If law enforcement can access all the remote information that is linked in some way to my phone, law enforcement can access just about all the digital information that exists about me.
The law. I don’t think there’s much law directly on point – proof, if more were needed, that the law lags behind technological change. Cloud storage was mentioned in passing by the Supreme Court in Riley v. California, 573 U.S. __ (2014), the landmark case holding that cell phones may not be searched incident to arrest. The Court wrote:
Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter. But the analogy crumbles entirely when a cell phone is used to access data located elsewhere, at the tap of a screen. This is what cell phones, with increasing frequency, are designed to do by taking advantage of ‘cloud computing.’ . . . Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference. Moreover, the same type of data may be stored locally on the device for one user and in the cloud for another.
Unfortunately, the Court didn’t provide guidance about how to address cloud services in the context of search warrants. A federal magistrate judge amplified the issue in In re Cellular Telephones, 2014 WL 7793690 (D. Kan. Dec. 30, 2014) (unpublished), writing:
[C]ell phones allow a person to access a wide variety of personal data stored with third party Internet service providers . . . such as email accounts, social media accounts, and accounts dedicated specifically to the end of going entirely digital. Applications like Dropbox and Google Drive utilize cloud computing to allow users to centralize their data storage so that it can be accessed remotely from any device with an Internet connection. These developments are indicative of both the remarkable progress being made in the technological sphere, and the challenge courts face in applying precedent to an increasingly complex and technologically-advanced world. As the practices of syncing devices and using the cloud become more prevalent, the ability of courts to limit the scope of proposed warrants to places and things for which the government has probable cause to search becomes far more difficult. A warrant for the search of an individual’s cell phone may, in some cases, be practically equivalent to a warrant for the search of the individual’s entire digital presence wherever found. The question then becomes: does a warrant authorizing the search of a cell phone also authorize the search of data, accessible via the cell phone, but not actually stored there? If so, the potential for abuse becomes abundantly clear.
That judge believed that the best way to address the issue was to require law enforcement to submit in advance a search protocol explaining what it would search and how it would do so. That’s an approach that has gained some traction in the federal courts, but not yet in our state courts, as far as I know.
Tentative thoughts. Absent any controlling authority, what should criminal justice system actors do about all this? Here are a few tentative thoughts:
- Officers who want to access cloud services should consider seeking express authorization. An officer could explain in the application why he or she thinks that evidence may be stored in cloud services, and could explicitly reference connected cloud services in the draft warrant itself. Given the unsettled state of the law, it is entirely possible that searching connected cloud services without express authorization will be deemed unreasonable by a court hearing a motion to suppress, so seeking express authorization seems like the cautious approach. Warrants directly addressing connected cloud services appear to be reasonably common in practice. See, e.g., United States v. Shipley, 2017 WL 3432371 (D. Ariz. Aug. 10, 2017) (unpublished) (describing warrants to search “Defendant’s iPhone and iCloud account”).
- Judicial officials should consider specifying what they intend to authorize. Whether the applicant raises the issue or not, a judicial official considering an application for a search warrant for a digital device may wish to address the issue expressly in the warrant, either by authorizing a search of all connected cloud services, by authorizing a search of only certain connected cloud services, or by expressly limiting the search to data stored locally on the device. For whatever it may be worth, it seems to me that which of these avenues is most consistent with the Fourth Amendment may depend on the facts of the case. In our hypothetical, it may be reasonable to think that Fred has customer lists in Dropbox, but if the police want to search a suspect’s phone for evidence of a recent bar fight, there may not be sufficient likelihood to search the suspect’s Google Drive.
- Must search warrant applications that include connected cloud services be issued by a superior court judge? There’s quite a bit of confusion about who may issue search warrants for digital evidence, so I’ll try not to make that any worse. Generally, search warrants for digital devices are like any other search warrants and may be issued by any judicial official. However, search warrants requiring digital service providers to produce information – for example, a search warrant requiring Google to disclose the contents of a Gmail account, or a search warrant requiring Verizon to produce detailed data about a subscriber’s cellular account – normally must be issued by a superior court judge in order to comply with the federal Stored Communications Act. If a search warrant for a digital device includes authorization to search connected cloud services, does that trigger the Stored Communications Act such that the warrant must be issued by a superior court judge? I tend to think not, for two reasons. First, at least some cloud services may not fall within the scope of the Stored Communications Act, which applies only to providers that qualify as “electronic communications services” or “remote computing services” – terms that may have had clear meanings three decades ago when the Act was passed, but that are hard to apply to some contemporary cloud services. For a longer discussion of this issue, see Aaron J. Gold, Note, Obscured by Clouds: The Fourth Amendment and Searching Cloud Storage Accounts through Locally Installed Software, 56 Wm. & Mary L. Rev. 2321 (2015). Second, and perhaps more conclusively, the Act applies only to search warrants requiring a service provider to disclose information. See 18 U.S.C. § 2703. The search warrants under discussion in this post aren’t addressed to service providers and don’t require service providers to produce or disclose anything. So I don’t think a superior court judge needs to be involved, at least for warrants that allow officers to look through connected cloud services but that don’t require cloud service providers to produce or disclose anything.
Your thoughts. As noted above, my thoughts about this issue are tentative. I’d be interested in others’ perspectives and experiences. Feel free to email me directly or to post a comment if you have information or an opinion to share.