Can you assert a confidentiality or privacy claim when you have willingly put the information you seek to protect on someone else's computer system?

This question is important given the full-scale adoption of distributed computing. Yes, I mean cloud computing. But I also mean to address the issue of ISP disclosures to the police and the issue of employers who look at "personal" employee communications. These are all scenarios where a person claiming that certain information is confidential is not the owner of the medium on which it is stored. This common scenario is what makes mine an important question, and the answer in Canada seems to be, "It depends on the terms of service."

We need to go no further back than earlier this month for some well-reasoned authority. In R. v. Cuttell, Pringle J. of the Ontario Superior Court of Justice considered whether the police violated section 8 of the Charter by obtaining the identity of an individual suspected of possessing and sharing child pornography through a simple letter request to an ISP. In her analysis, she asks the direct question, "Does involvement of a third-party change the privacy analysis?" Pringle J.'s answer: in Canada, third-party custody of confidential information does not automatically extinguish any reasonable expectation of privacy but the rights reserved by the third-party vis-a-vis the information might.

In making this conclusion, Pringle J. relied on a 2002 Criminal Law Quarterly article by Robert Hubbard, Peter DeFreitas and Susan Magotiaux called "The Internet – Expectations of Privacy in a New Context." Hubbard and company distinguish the Canadian and American treatment of information disclosed to third-parties. The American position, so they explain, is unforgiving and typified by the decision in United States v. Miller in which the United States Supreme Court held that an individual's bank records did not warrant 4th Amendment protection, in part, because they were accessible to bank employees "in the ordinary course of business." In Canada, Hubbard and company explain, the degree to which information is treated as confidential is important, but not as determinative a factor in assessing the reasonableness of a privacy claim.

Not surprisingly, the idea from Miller is neither as simple nor as aggressive as it may first sound. The Miller judgement stresses that the information at issue was information about bank transactions in which a bank had a strong operational interest - i.e. they were the bank's own business records. Hubbard and company argue that internet "traffic data" is a similar kind of data and should not be constitutionally protected in Canada because it is used by ISPs and others in making internet-based communications work. Pringle J. rejected this view in R. v. Cuttell, but the issue is far from decided in Canada. What should be noted, however, is that even if the idea from Miller is accepted, it does not suggest that one cannot maintain a protectable confidentiality interest in information that is meant to be private and simply stored by a third-party. Professor Susan Brenner, who writes the excellent "Cyb3rcrim3" blog, explains:

I also think the validity of the third argument [about cloud service employee access eradicating a privacy interest in stored communications] depends on the extent to which the data I store in a cloud is secure from the cloud computing company and its employees. If they can read the contents of the data I’ve stored with them, then I can’t have a 4th Amendment expectation of privacy in that data; it’s essentially the equivalent of sending a postcard through the mail (only worse, because I’m leaving it with the cloud computing service for a lot longer than it takes a mail to travel from sender to recipient).

I don’t think putting data in a cloud is the equivalent of sharing the numbers I dial on my phone with the phone company because to use the phone company’s service, I HAVE to give it those numbers. The phone company’s systems can’t connect my calls if I don’t let them know what phone number I’m calling and what phone number I’m calling from. Since all I’m doing in cloud computing is storing data on a system, I don’t see that I’m sharing it with the owner of the cloud computing service and its employees, unless, of course, the data isn’t encrypted or otherwise sealed in a virtual “closed container.” If it’s in a sealed, functionally-opaque container, then neither the owner of the system nor its employees can read my data; it again is analogous to sending a sealed letter.

All of this analysis means the answer to my question will be heavily influenced by the applicable terms of service. If you're outsourcing to the cloud… fine… but have you distinguished your own confidential records from the records that will be created in the ordinary course of cloud service provision? Have you locked the information in those records down by contractual means and required notice of third party demands for access unless prohibited by law? Have you demanded that your confidential information be protected with technical and administrative means? Or, if you're an ISP who believes that willing cooperation with police investigations into child pornography is good policy, then put your customers on notice. And finally, if you're an employer who permits incidental personal use of your computer system, be careful about relying on the once successful "I own the medium" argument and reserve all the audit, inspection and investigation rights you need to meet your legitimate business needs by way of a clear and well-implemented computer use policy.

An analysis that stresses contractual terms is a good thing in my view. There are those who may suggest that information that deserves the special protection associated with confidential or private status should always be under an owner's direct control. A more nuanced view that turns on the actual relationship between data owner and data processor invites a realistic balancing of interests that doesn't clash with a model of computing that has become so prominent. Bring on the cloud!

Partner at management human resources law and advocacy firm Hicks Morley.