data storage

  • September 4, 2015
    Guest Post

    by Anupam Chander, Director of the California International Law Center and Professor of Law at the University of California, Davis. He is the author of The Electronic Silk Road: How the Web Binds the World Together in Commerce, published by Yale University Press.

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    My parents grew up in a pen and paper world, where most of their writings and records were kept at home, in their offices, or with close confidantes. I grew up in a world of computers, but even my writings were mostly kept at home on hard drives and floppy disks (for today’s students, many of whom have never seen a floppy disk, a history of the floppy disk). My first writings were kept, astonishingly, on a cassette recorder, which stored what I typed on my TRS-80, a computer made by Radio Shack. That computer had a total memory of 16K, roughly 16,000 characters (not even words) of text.

    My children are growing up in the cloud, where their writings and their records are being stored in remote computers. Because those computers are managed by Dropbox, Google, Microsoft, and their peers, their writings are far more secure than I ever managed when I stored my files on a floppy or a hard drive, both of which failed with remarkable regularity and maximally devastating timing.

    But even if our kids never know the pain of losing a week’s work to faulty computing or an accidental deletion, they face a world where their writings are far more subject to government scrutiny than mine ever were. Not only are their writings subject to government searches, but also their whereabouts, through the tracking of smartphones. This is because while the Fourth Amendment clearly protects homes from searches and seizures without a warrant, it is not so clear that it protects writings and the records about us stored on a remote computer.

    Do our children deserve less protection from government snooping because they are relying on cloud services? Right now, the law says that if the government wants to read what’s on my home computer, it has to get a warrant to do so. But if the government wants to read what our kids are storing privately online, they may not. (For a more detailed account of when the government can access information online without a warrant, see this ProPublica summary, updated as of June 2014, but not including Riley v. California, described below.)

  • September 2, 2015
    Guest Post

    by Kate Westmoreland, Non-Residential Fellow, The Center for Internet & Society at Stanford Law School

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As internet companies and cloud providers hold more and more communications and user data, access to this information has become a key part of criminal investigations and prosecutions. The current system for managing international access to this data is struggling under the increased demand. Microsoft’s Brad Smith has been vocal in his calls for a new international convention on access to user data for criminal matters. But is a whole new convention really necessary?

    The answer depends on (1) whether the system is actually broken and, if so, (2) whether a new international convention is the right solution. Perhaps I should give a spoiler alert on this, but I think the answer is “yes, but don’t put all your eggs in the one basket.” Ultimately, we should be working towards a new international system for managing government requests for user data, but this is a very long-term, ambitious project. In the meantime, we need to pursue a range of shorter-term improvements at the domestic and international levels.

    There is a growing consensus that the current system for international government access to user data in criminal matters is broken. It is governed by a creaky old system of bilateral and multilateral treaties (mutual legal assistance treaties or “MLATs”), relationships between law enforcement officers and companies, and a mishmash of domestic legislation. A government report last year stated that MLAT requests to the United States take an average of at least 10 months to process. The White House then called for increased funding to process the requests more quickly, but the appropriation has stalled. When law enforcement agencies feel that they cannot access the information through mutual legal assistance, they turn to alternative, informal methods, including directly asking companies to hand over the data.