I am hoping the power of crowdsourcing will help shed some light on an email query I received this week from a friend of mine involved with IT security and risk management at a large US University. She wrote me to ask:
"It came to my attention the other day that there is a thesis that when you put your data into the hands of a third party, you surrender your 4th Amendment rights."
[Note: the 4th Amendment to the US Constitution says: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."]
"[If true,] this becomes really relevant as our users (first party) in institutions of higher education put their data into our hands (2nd party) for email, file sharing, social networking, calendaring, etc. and then we outsource to some other organization (3rd party) for the provision of those services or [potentially] worst yet - place them in the hands of some other 3rd or 4th party to manage in the cloud."
"Have any of you heard anything about this? Do you have any information that would substantiate this thesis or deny it?"
I, for one, haven't been made aware of anything about this issue, or know whether it is a material risk issue or not. It is an interesting question, though.
There was a bit about this 4th Amendment issue that surfaced in a lawsuit from 2008 filed by the (now defunct) law firm Newman McIntosh & Hennessey seeking clarification of the issue by the U.S. District Court for the District of Columbia. The law firm, according to this story at The National Law Journal, was concerned "whether outsourcing of legal services compromises constitutional rights and whether consent should be required before such data is sent abroad. It also wants the court to order law firms to disclose their use of foreign legal support and to order that the government establish protocols to shield attorney-client information from surveillance."
The firm was concerned that the US Government could gain access to lawyer-client privileged information if it was sent overseas, since it could potentially be electronically monitored by the National Security Agency (NSA) once the information left the country.
There is also a "comment" (here in PDF) titled, "The Fourth Amendment and Privacy Issues on the "New" Internet: Facebook and MySpace.com," by Matthew J. Hodge that appeared in the Southern Illinois UniversityLaw Journal in the Fall of 2006. The paper concludes that "ultimately concludes that in limited instances, a person should be entitled to a reasonable expectation of privacy on these Web sites." I also read that conclusion as indicating that your 4th Amendment rights may be at risk.
Mr. Hodge's paper noted, for instance, that your bank records are not considered private papers because you voluntarily have turned that information over to the bank. In this case, the courts have found that an individual "takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government."
That's about the extent of my knowledge on the subject, and I don't know if the Newman et co. lawsuit mentioned earlier is even relevant. If anyone has any further insight into my friend's question, and whether the issue is or is not a concern, please let me know.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.