In the United States, personal information of individuals is protected by the Fourth Amendment of the Constitution which states:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
So how does this affect our corporate data? What about our Disaster Recovery options?
Regardless of if our IT departments support it (and management approves of it), our employees are using these “share and sync” technologies to help themselves be more efficient for us and our business objectives. They use offerings such as Dropbox, Box.net, and others frequently, whether we know it or not. Recent Disaster Recovery strategies for files includes (or at least, are beginning to include) these types of solutions.
Usually, most use personal email addresses to create these accounts thereby making them personal. An upload of a document to a DropBox for example, may be argued in court as a personal document being shared with others. Once we share personal documents with others it is said that we are subjected to the “third party doctrine”. This doctrine states that once personal documents are shared with others, they are no longer protected by the Fourth Amendment and can be accessed by the government without the need for a warrant or demonstrating probable cause. Having said that, as far as I know the Supreme Court has not addressed how the Fourth Amendment applies to cloud computing. However, “when the object of a search — tangible or not — is voluntarily turned over to a third party, the Supreme Court has held that a person loses their reasonable expectation of privacy in that object.” [Cou09]. Bottom line, without any legal guidelines, uploading files to a cloud storage provider can be considered sharing and thus, the uploaded data is not perceived as private anymore.
An argument for a private cloud versus a public one should be rigorously evaluated and corporately debated. In particular, ones that enable the “share and sync” capabilities for anywhere, anytime and from any device access to corporate data. Without the functionality, we may lose our competitive edge in hiring and retention and most importantly, an overall corporate operational advantage.