It’s time to protect data in the cloud

Steven Titch Associate Fellow, R Street Institute
Font Size:

Tuesday’s State of the Union address affords President Barack Obama another opportunity to address the government’s massive overreach in collecting data about ordinary Americans in the name of protecting us.

Although Obama, a constitutional scholar, spoke at length in a January 17th address to the nation about balancing individual privacy and national security, even conceding that there is a “bias” within government to amass as much information as it can, he offered no guidance or framework to Congress as to how existing law can be strengthened to protect Americans from wholesale government intrusion into their online lives.

Fortunately, bipartisan efforts on Capitol Hill have been gaining ground. And while the scope of NSA and other government abuses defy a single solution, strengthening existing laws, particularly the Electronic Communications Privacy Act, is a great place to start.

Even before news of the NSA’s surveillance programs broke last June, Sens. Patrick Leahy, D-Vt., and Mike Lee, R-Utah, had co-sponsored revisions of ECPA to extend Fourth Amendment protections to private data stored on servers on the Internet, or as it’s called current nomenclature, the “cloud.”

ECPA sets out rules for law enforcement agencies that want to tap phone lines. When it was enacted nearly 30 years ago, there was no concept of cloud computing. Cloud computing makes it possible for users to, for example, access playlists and movies from multiple devices, because that content is stored on servers in data centers that could be anywhere in the world.

But there’s much more to it than that. Cloud computing is driving the so-called “Internet of things.” The latest tech buzzwords that shout from covers of Wired and Popular Science — smart homes, driverless cars, wearable computers — will all be possible because of cloud computing.

But to work efficiently, cloud computing needs large amounts of personal data. Much of it is anonymized in the process, such as when a GPS system can access highway location data about automobile speeds and car density, determine there is an accident three miles ahead and route you around the traffic. Still, it would be wrong to say systems always purge personal information.

That means companies involved in cloud technology will require a high degree of trust and goodwill from the marketplace if consumers are going to feel comfortable sharing data. One way the government can help increase this trust is to extend legal protections to data in the cloud, because it is where most of our data will inevitably reside.

The lack of specific Fourth Amendment protection is partly responsible for the massive scope of government intrusion into the Internet. NSA programs such as MUSCULAR and “Tailored Access Operations” were specifically aimed at defeating the encryption and firewalls that Internet companies use to safeguard user data. The NSA hopes to hide behind judicial interpretations that cloud data has no explicit legal protection. But this is a technicality to evade the principle. The intent of ECPA always was to prevent law enforcement agencies from the very sort of fishing expeditions the NSA has been doing.

Stronger legal safeguards would help repair the damage the government spying has done to the U.S. technology sector, the global leader in cloud computing. The Information Technology and Innovation Foundation (ITIF), a research institute that aims to promote public policies that advance technological innovation and productivity, estimates international concern and mistrust of U.S. tech companies could cost the industry between $21.5 billion and $35 billion through 2016. Forrester Research, which provides analysis for financial firms and investors, believes the potential global industry cost could be much more — $180 billion worldwide over the same period.

A number of European banks no longer want to store data in the United States. Salesforce.com, which provides highly sensitive cloud-based sales leads and customer information, reportedly has lost a major European client. Both Salesforce.com and Amazon, perhaps fearing “guilt by association,” have felt the need to publicly state that they were not part of the these spying programs.

While real NSA reform may be a ways off, it would not require much political capital for President Obama to endorse ECPA revision. It would certainly accelerate action on the legislation and signal that the president understands the constitutional problems that government spying activities raise.

For its part, Congress, in revising ECPA, would send a message to Americans that their personal data is safe and that, in an age when “papers and effects” referred to in the Fourth Amendment are more likely to be PDF files locked away on an Internet server, the principles of due process set forth in the Bill of Rights still apply.

Steven Titch is an associate fellow at the R Street Institute, and author of the new study “Has NSA Poisoned the Cloud?

Tags : mike lee
Steven Titch