If you watch way too much Law & Order, CSI:, and other crime shows on TV like I do you’ve already encountered numerous story lines that hinge on investigators getting their hands on a person’s private e-mail or online browser history (not just what’s on their computer.) The emergence of these themes in police-blotter fiction written for television series describes a sort of cultural understanding of the digital era: what we do online, not only stays online, but it can stay online forever.

Increasingly, people discover themselves leaving behind broader and more detailed digital footprints as they go about their daily lives. With the near-ubiquity of smartphones, text on mobile, e-mail, and the like people are constantly using services on the Internet and they quickly forget that they don’t own those services. They’re essentially 3^rd party carriers who happen to be storing their activity and information (however transiently or indefinitely.)

According to an article in The Atlantic, Joshua Gruenspecht, a cybersecurity expert at the Center for Democracy and Technology, feels that modern subpoena power wielded by grand juries in the United States may endanger the privacy of people who take part in a personal cloud more than they know:

Grand jury subpoenas are used to collect evidence. Unlike warrants, subpoenas can be issued with less than probable cause. The reasoning for the lower bar is in part that if someone does not want to turn over the requested evidence, he or she can contest the subpoena in court. Grand juries can subpoena not only the person who created a document but any third parties who might be in possession of that document. Under the Stored Communications Act, a grand jury can subpoena certain types of data from third parties whose only role is storing that data.

Gruenspecht argues that this reflects outdated notions of the role of third parties. When these laws developed, it was reasonable to believe that any third party with access to someone’s data would have a stake in that data and a relationship with the person who created it. The opportunity to contest a subpoena was therefore assumed to be genuine. But when a company that merely stores the data is subpoenaed, it may have no reason to protest and just fork over the information.

The cloud is beginning to blur the lines between documents generated as work product during interaction with a corporation—say, internal documents about financial activity, i.e. information subject to subpoena—and the activities of a private citizen going about their daily life—say, letters sent via the Post Office to another person that just happen to reside in a storage container, i.e. information subject only to a duly signed warrant.

Ideally, just the fact that my private missives just happen to be in a filing cabinet in a storage locker (owned and secured by a 3^rd party) doesn’t mean that a grand jury can just subpoena the documents in my lockers; a judge instead protects my right to privacy. However, since those letters are actually stored on a company server and look a lot more like work product than the emissions of my private activity that they are, they increasingly fall under subpoena powers, meaning I might not even know someone wants to look at them. The subpoena won’t go through me: it’ll go to Google, my ISP, or someone else who is housing my information and they can just turn it over without telling me.

Governments and corporations could skip informing you of accessing your data

Recently, the E.U. became incensed at this sort of potential behavior involving their own citizens and elements of the cloud stored in the U.S. when Microsoft warned about needing to comply with the PATRIOT Act. This adds a whole new spin to cloud-storage and -security when we realize that our data could be stored on foreign soil and subject to foreign laws.

People ever more understand that corporations do not protect their privacy in the wake of government intrusions into civil rights but only as a sort of extension of seeing that corporations are terrible at protecting themselves from hackers. The recent debacles striking Dropbox and their Terms of Service changes that explain user privacy exemplar that even those services that encrypt external user information could still have that data subpoenaed (and in the case of Dropbox they’d decrypt it for the government as well.)

Privacy in the digital world isn’t something that can be outsourced to a 3^rd party. Private e-mails may not be so private when the cloud-storage that keeps them is visible to the eyeballs of employees (and therefore the government) and it’s about time that people who use the Internet and the cloud start paying attention to their own information hygiene by thinking about protecting their own data from prying eyes.

An individual who encrypts their e-mail and their information stored in services such as DropBox won’t find themselves silently struck by a subpoena to their cloud-storage service. Certainly, the information will be turned over to the grand jury; but at least the person involved will learn about it when a judge signs a warrant requesting that they decrypt the information giving them ample chance to resist the request in court.