If a law enforcement officer obtains a search warrant for a suspect’s cell phone, may the officer use the phone to access cloud storage to which it is linked? For example, may the officer click on the Dropbox icon on the phone’s home screen and see what’s there?
This post asks several questions about the legal status of cloud storage. Most of the questions don’t have definite answers, as far as I know, but the post collects some helpful legal resources that lawyers, magistrates, and judges grappling with cloud storage questions may find helpful.
Here’s my list of questions:
- Do users have a reasonable expectation of privacy in cloud storage given that they typically have password-protected accounts? Or does the third party doctrine apply given that the storage provider has control of the data?
- Do the storage provider’s terms of service impact the above question? Different providers have different terms, with some giving the provider great control over the data and others promising a hands-off approach.
- If there is no reasonable expectation of privacy in cloud storage, does the Stored Communications Act apply to data stored in the cloud?
- If there is a reasonable expectation of privacy in cloud storage, may a search of a linked device include a search of the cloud storage? If so, is access to linked cloud storage automatically permissible as part of a search of a linked device, or must it be separately justified or authorized?
- If there is a reasonable expectation of privacy in cloud storage, to what extent would any sharing of access to such storage eliminate that expectation?
If readers have additional questions, or definite answers to any of these, please let me know.
Here’s my list of resources:
- Riley v. California, __ U.S. __, 134 S.Ct. 2473 (2014) (ruling that a cell phone may not be searched incident to arrest and that a warrant is normally required for such a search; noting that “the data a user views on many modern cell phones may not in fact be stored on the device itself”; that “[c]ell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference”; and that allowing officers to search cloud storage incident to arrest “would be like finding a key in a suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house”).
- Ryan Watzel, Riley’s Implications for Fourth Amendment Protection in the Cloud, 124 Yale L.J. Forum 73 (2014) (“Riley’s protection of cloud-based data for cell phone searches, however, does not address the broader question of whether information stored in the cloud is entitled to Fourth Amendment protection in other contexts. . . . The third-party doctrine, which provides that information voluntarily revealed to third parties is not protected by the Fourth Amendment, may pose the biggest obstacle to whether cloud-based data receives Fourth Amendment protection, since any data stored in the cloud is necessarily conveyed to third-party servers.”).
- Eric Johnson, Note, Lost in the Cloud: Cloud Storage, Privacy, and Suggestions for Protecting Users’ Data, 69 Stan. L. Rev. 867 (2017) (analyzing at length some of the unanswered legal questions surrounding cloud storage).
I’m interested in thinking and talking more about cloud storage, so I would welcome comments of any kind or feedback by email or phone. If I make any progress, I’ll update this post or write a new one.
In the case of services like Dropbox, Slack, and other business collaboration services, the amount of employer information that could be accessed would be more like the electronic equivalent of finding an employee badge and using it to systematically access every door lock it would open in every company office. Along with the key in pocket analogy, wouldn’t such a search run afoul of the federal CFAA statute since there is no warrant authorizing the impersonation/use of the users credentials to access another computer in interstate commerce?