In a ruling handed down on December 14, 2010, the Sixth Circuit in United States v. Warshak held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.
Privacy issues such as those addressed by the Sixth Circuit in Warshak likely will continue to dominate the news in the coming year. As more individuals, companies, and governments communicate and store data in the cloud, both the technological and legal privacy and security of that data will be tested. And as the Warshak case demonstrates, federal statutes drafted decades ago — or even mere years ago —cannot be reasonably be interpreted in light of the current state of online data storage and communication. At its base, the privacy issue in Warshak is no different than traditional forms of private communication, which the Sixth Circuit correctly reasoned. In 1986, however, it was not so simple to draw the analogy between electronically stored communications and regular mail. Legislators are not often elected for their ability to understand how technological changes will effect current legislation.
Legislation aimed at regulating, or otherwise affecting, technological change is almost always going to be outdated shortly after it is passed. This is not necessarily because we do not have bright, technologically savvy legislators drafting these laws. Rather, it likely has more to do with the fact that our brand of democracy results in a government that often is slow to respond. To effectively mitigate privacy and security risks, reliance on the government for protection is not a wise strategy. The best protection will result from carefully considered, contractual provisions that include in the balance of equities the privacy and security risks individuals and organizations face when entering the cloud.