As companies shift more data to the cloud, the US government's ability to gain access to content held by cloud providers should not be overlooked. The government may obtain access to the contents of an individual's communications, without notice to the individual, through several avenues.
The Electronic Communications Privacy Act (ECPA) protects the privacy of certain communications and consists of the Wiretap Act and the Stored Communications Act (SCA). ECPA sets forth limitations and requirements for law enforcement access to content and metadata held by providers of electronic communications and remote computing services (RCS), including in a cloud environment. The Wiretap Act, sometimes referred to as Title I of ECPA, applies exclusively to the interception of communications, such as access or conduct that occurs "contemporaneous" to (i.e., at the precise time of) transmission. Access to stored content is governed by the SCA, or Title II of ECPA, which applies only to conduct that occurs subsequent to transmission. Under ECPA, non-content information (subscriber records and transactional details about communications) can generally be obtained without a warrant, pursuant to an administrative subpoena under Section 2703(c)(2).
Under ECPA, the interception of communications is heavily restricted. Currently, the general position is that law enforcement access to stored communications requires probable cause and a warrant under most circumstances, though under some circumstances the burden is lower.
Section 2703(b): "reasonably related" or "probable cause" standard?
At inception, Section 2703(b) of the SCA, on its face, permitted the government to obtain certain content from "remote computing services" (which would include many cloud providers) without a warrant or showing of probable cause, provided the content has been in storage for more than 180 days. In U.S. v. Warshak, the Sixth Circuit addressed whether this was constitutional, concluding that 18 U.S.C. §2703(b) violated the Fourth Amendment to the extent it permitted the government to obtain emails from a remote computing service without showing probable cause.
In Warshak, the government argued it was permitted by Section 2703(b) to obtain access to emails in storage for more than 180 days with a remote computing service, without showing probable cause, because the access was not a "search" under the Fourth Amendment. The government argued that it need only show that the emails were "reasonably relevant." Though the ruling applies only in the Sixth Circuit, the Department of Justice has agreed, as a matter of policy, to follow Warshak generally and to seek warrants to obtain email content.
Section 2703(d) orders
The SCA offers another path for the government to obtain the content of communications: a court order that is not a warrant, but more than a Section 2703(b) request. A court order for disclosure of the contents of communications or subscriber information can be issued if the governmental entity offers specific, articulable facts showing reasonable grounds to believe the contents of a wire or electronic communication, or other information sought, are relevant and material to an ongoing criminal investigation. In the case of a state governmental authority, such a court order cannot issue if prohibited by the state's laws. A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information requested is unusually voluminous or if compliance otherwise would cause an undue burden on the provider.
These issues are important to many companies. Under the ECPA, many cloud-based providers will be considered an RCS; the government may be able to get content from an RCS without notice to the target of the request because the data will be obtained from the cloud provider directly, including under 2703(d).
Furthermore, the government has other tools that may allow it to access data that an RCS stores in the cloud. Among these are National Security Letters and the Foreign Intelligence Surveillance Act. If you are concerned about the government seeing any data you store in the cloud, keep the existence of these tools in mind.