Simple questions sometimes have very difficult answers. For example, when you provide data to a cloud service, do you really own (in the language of the law, have a “possesory interest” in) that data? According to a recent opinion out of the Ninth Circuit suggests that the answer to that question might be “no.”
Different answers to that question have had profound implications for privacy debates in two discrete areas. The first involves what private companies can do with information about you collected online, which is addressed by statutes like the GDPR and the California Privacy Rights Act. The second involves the way that the government may collect information about you, which is addressed by wiretap and stored communications statutes. Cloud services store all kinds of information about individuals, and the ability of governments to access that data has been a point of discussion in both domestic politics and transatlantic state-to-state discussions.
In US v. Rosenow, the Ninth Circuit significantly undercut the idea that individuals own the data that they provide to cloud services. It bears noting that the defendant in this case was not a good guy. He was arrested on his return from the Phillipines where he allegedly engaged in child sex tourism. No one will mourn his incarceration.
Federal law requires covered electronic services to report instances where there’s apparent violations of child pornography statutes to the National Center for Missing and Exploited Children (NCMEC), which is, in turn, obligated to make those reports available to federal law enforcement. Yahoo suspected that the defendant was engaged in illegal activity and notified the FBI. An FBI agent then sent a preservation request and administrative subpoenas to both Facebook and Yahoo, which triggered internal child safety investigations around that account. (Federal statute specifically authorizes the use of these subpoenas for child crimes). The results of that investigation resulted in evidence sufficient to convict the defendant, and suffice it to say that it was compelling.
Most of the analysis of this issue seems de rigeur, but one paragraph stands out:
In practice, as Orrin Kerr pointed out, this means that the government can order service providers to store personal data without raising a Fourth Amendment issue, as the defendant has no “possessory” interest in it. Because the information in your account has already been created, the court reasoned, the government can order its preservation until there is evidence to support government access. All they are doing is making a copy.
That rationale seems at odds with how most people view the data they place in the cloud. Moreover, the privacy statutes that have been enacted in the United States provide consumers with rights of transparency, opt-out and deletion, which create expectations in consumers about how their data will be treated while in a cloud service’s possession.
This is a hard case. The defendant is not someone that anyone wants to see free on a technicality. But, as Prof. Kerr notes, this issue deserved a bit more analysis than a hundred and fifty words.