Cloud computing is all the rage.
Traditionally, people had to store, manage and process data on a personal computer or local server. Cloud computing moves those functions to a remote server accessible from multiple locations. In turn, the cloud provider assumes the job of maintaining and backing up the data, and often it spreads the workload across a number of remote servers to maximize efficiency.
Even if you aren’t familiar with the term, if you’re using any one of dozens of popular online services to store your data, then you’re in the cloud. Among others, I’ve used Google Docs to exchange story drafts, Dropbox to store interview transcripts, Flickr to store photos, and Google Calendar to manage my schedule.
The benefits are significant. By storing things in the cloud, I can access them anywhere on any device. I don’t need to copy data from one laptop to the other, and I don’t need to conduct any sort of sync operation. That helps me work efficiently while on the move, because all I need is an Internet connection and one device.
I’m careful, though, not to keep anything sensitive in the cloud that might compromise a source. And that’s not only because of the technical risk that someone might access my data without my knowledge, but also because the legal protections for journalists using the cloud is, well, cloudy. Congress should clear the air by updating the Privacy Protection Act of 1980 (PPA), which protects journalists generally from government searches and seizures.
Some journalists have been early adopters of cloud technology. Take just two examples involving Amazon’s Elastic Compute Cloud (EC2) service. It makes web-scale computing easier for developers.
In 2008, during the Democratic primary race, an engineer at The Washington Post used the EC2 to process Hillary Clinton’s official schedule as first lady. Released by the National Archives as a non-searchable PDF, it covered eight years and totaled 17,481 pages. The newspaper used the service to convert the PDF to a usable, searchable text, all within the same news cycle, for less than $150.
In 2009, New York Times reporter Charles Duhigg began using the EC2 to store the 200 million data records he used in his “Toxic Waters” series. The investigation explored the failures of the Clean Water Act and the Safe Drinking Water Act, and the cloud allowed the newspaper to build a computerized database to guide Duhigg’s prize-winning reporting.
For more than thirty years, the PPA has empowered journalists to protect documents and work product related to their reporting. But what would happen if the government went after the records Duhigg used in the “Toxic Waters” series? To what extent would the law protect those cloud-based records from compelled disclosure?
Quite simply, it’s unclear whether the things journalists store in the cloud enjoy the same legal protection as the things they store on personal computers, on local servers, and in desk drawers.
Digital Due Process, a coalition of privacy groups, companies, and think tanks, has been lobbying Congress to amend online privacy laws. By expanding the protections of the Electronic Communications Privacy Act, which sets general standards for law-enforcement access to online data, the reforms would benefit journalists incidentally.
But they wouldn’t afford journalists the kind of safeguards they’ve come to expect from the PPA, which explicitly protects journalists from newsroom, computer, and other searches. It applies to all kinds of law-enforcement officers, and it prohibits the use of a search warrant to obtain materials from people engaged in First Amendment activities. Instead, the PPA requires the government to get a subpoena, giving the journalist a chance to challenge it in court.
The PPA states that with a few exceptions, “it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication,” or any “documentary materials possessed by a person in connection with” such a purpose.
So the PPA divides materials into two categories: “work product” and “documentary.” The former includes materials “prepared, produced, authored, or created” for dissemination to the public, like story drafts and outtakes. The latter includes “materials upon which information is recorded,” like photographs and videotapes.
The PPA was passed in 1980, when the Internet consisted of a few thousand computers—14 years before Amazon was founded, 18 years before Google was founded. It was last amended in 1996, and it has not entered the cloud-computing era. In fact, it’s not even clear the PPA has entered the Internet era.