I’ve written before about the lack of privacy protections for consumers storing content in the cloud. In looking back over my notes, I’d forgotten just how few cloud privacy rights we have in the real world. Using the typical terms of service (ToS) from some major providers as a benchmark, your rights to content uploaded to the cloud can be summarized by this common expression (often used in relationships by one party): “what’s yours is mine”.
I’ve become obsessed recently with applying some of the security and privacy ideas we talk about in this blog in my daily life. Like you, I use a few well-known cloud file storage services to store documents, pictures, and audio — mostly of a quasi-public nature but occasionally more personal content as well.
After doing some additional research for this post, I’m now seeing the cloud a little more ominously. And I’ll start taking real actions in 2016. You should too.
In many cases, you lose all your privacy rights by clicking on a typical cloud storage ToS. Effectively, the provider can do whatever it wants with your data, including sending it to outside parties.
It’s Not a Safety Deposit Box
As a refresher course, the Stored Communications Act (SCA) is the relevant legislation covering digital content held by a company. It was written in the late bronze age of computing—circa mid-1980s. The intention was to give the then-new email and other computing technologies the same privacy protections as legacy mail.
We don’t expect our letter carriers to casually open and read our mail or the postal service to send us targeted advertising flyers based on whom we’ve written to.
Lawmakers at the time thought they could help spur electronic communications by elevating email and, to a lesser extent, online storage to the same legal status (particularly in terms of the 4th amendment) as the postal service and phone systems.
The SCA introduced the legal concept of electronic communications services (ECS) to cover email and messaging, and remote computing services (RCS) for online storage and data processing that are offered to the general public.
RCS is the one that’s most relevant to today’s cloud technology.
Any service in which digital content or communications are stored, and that includes web-based email services, is better classified under the Act as an RCS.
Remote Computing Services and Privacy
While the authors of the SCA may have thought they were turning cloud storage into the virtual equivalent of a sealed letter, the reality of ad-based business models has made cloud storage far less private.
The key problem is the Terms of Service agreements we robotically click on. Many major providers (no names, please) say in explicit terms that they can access the user’s uploaded contents for advertising purposes, or else they have language stating that the contents can be accessed at some point for some unknown purpose.
From the SCA’s viewpoint, these ToS agreements mean that the cloud provider is not an RCS. The legalese in the Act states an RCS can access your data but only for reasons directly related to storage — say, copying to other sites in a cluster or archiving or some other IT function.
As soon as the provider is allowed to take the data and use it for activities not related to storage (say, targeted advertising or other vaguely described reasons mentioned in the ToS), it’s no longer in the RCS business as far as the SCA is concerned.
You then lose all your SCA privacy protections since the statute protects your privacy only when the contents are held by a valid RCS. This includes, most importantly, the requirement that the provider gain authorization from a subscriber when divulging contents.
The core issue is that once you allow the cloud storage provider to peek into the data for other than pure IT reasons, you no longer have an “expectation of privacy”.
If you want to learn more about the SCA and privacy in the cloud era, read this surprisingly interesting legal paper that traces the history and legal reasoning behind the law.
Once the cloud provider falls outside the SCA, it doesn’t need the subscriber’s permission to do anything else it wants with the data.
Send some personal data mined from your documents to a data broker? No problem.
You also lose, not insignificantly, your 4th amendment rights: the cloud provider can simply send your data to the government when faced with an easy-to-obtain administrative subpoena — and they don’t need to inform you!
And It Gets Worse
These days you don’t have to be a cloud provider to be able to implement storage and email services. Any company with an IT department can generally pull this off.
As a result, we as consumers see these services being offered by retail, travel, hospitality, and just about any large company that wants to “engage” with its customers.
But as far as the SCA is concerned, these companies are neither RCS nor ECS. Since their primary business function is outside of communications, they’re not covered by the SCA at all.
So the next time you’re in your favorite chain espresso bar and hooked into their WiFi, be aware that when using any special storage or messaging features provided by their website, your content is not protected.
Also not covered by the SCA: university or school email systems. Since their email services are not offered to the general public, they’re not considered an RCS/ECS.
Work email systems fall outside the SCA as well, though there are some interesting cases where the employee used a company-provided cell phone and was in fact protected by the SCA.
Many cloud storage ToS agreements will say that they won’t sell your data — both contents stored and PII — to third parties.
That’s a good start.
But then you have to look very carefully at how they can access the data: the less they say and the simpler the language in these agreements, the better.
My advice is that anything written that’s too vague will likely put them outside of the SCA’s coverage and therefore your privacy will be compromised.
So what’s a privacy-minded consumer to do?
One option is to use one of the many services to encrypt the contents that you do upload into cloud storage, thereby protecting them from internal data scanners. This idea makes lots of sense, although it’s an extra step.
This is the one that I’ll implement this year!
Or if you do upload contents in plaintext to a cloud storage service, be very selective about what you put there.
And for employees of companies who are casually using cloud storage services to upload business documents?
Cease and desist!