If you think data on your cloud storage system is private, you are wrong.
In fact, all the data you store on your cloud storage including pictures, emails and files, is likely being searched for illegal content like child pornography. That's because the companies that run these cloud services have to follow the PROTECT Our Children Act passed by Congress in 2008. The act mandates that service providers, although not required to search for illegal content, must report child pornography if they find it's being stored by their customers. But, this act was passed before cloud services became popular so many consumers don't actually know their cloud falls under the law.
And if you have illegal content on your cloud, companies like Verizon will report you to the authorities.
And that's exactly what happened on March 1 when William Steven Albaugh was arrested after he backed up his computer to Verizon's online backup service. It turns out, Verizon used image-matching technology to detect that the 67-year-old deacon of a Catholic church was storing pornographic images and videos of children on their cloud.
Verizon is one of 1,000 Electronic Service Providers set up to report incidents of child pornography to the CyberTipline. Cloud storage is not the only place images can be searched. Electronic service providers also include hosting companies (like GoDaddy), social media (like Facebook) and email providers (like AOL), according to the National Center for Missing & Exploited Children.
John Shehan, the Executive Director of the Exploited Child Division for the NCMEC, said that the group's CyberTipline has been receiving tips since 1998, when Congress authorized them to receive reports of sexual exploitation.
"To date we've had 1.8 million reports that have come through- 63% of those reports have come from Electronics Service Providers," Shehan said.
How do they do it? The NCMEC provides companies with the tools to search for child exploitation, called photo DNA. The NCMEC has made available 16,000 images that contain strict criteria for companies to use in order to run comparison searches. If a match exists, they report it to the NCMEC.
Does this include those innocent bathtub pictures you have of your kids? Shehan said, no, that's not even close. The images in the commercial provider database has been checked by three criteria: it contains children who are prepubescent or infants, those children are being subjected to sexual abuse in the photos, and the children have been previously identified by law enforcement as victims.
Verizon is not doing anything that they haven't told their customers, right? It's all spelled out in their terms of service agreement-and we all read every word of that?
According to Verizon's backup storage terms and conditions: "Verizon reserves the right to access your Storage Service account at any time with or without prior notice to you and to disable access to or remove content which in our sole discretion is or reasonably could be deemed unlawful."
Verizon isn't the only cloud provider searching your files. Shehan said that there are about a dozen companies doing it, but because of a confidentiality clause, the NCMEC can't disclose who the companies are unless they are proactively talking about it. Shehan said that there are only two that are openly talking about the photo DNA: Facebook and Microsoft.
Time Warner and Sprint are also participating in these efforts as part of a 2010 agreement between online service providers and New York Attorney General Andrew Cuomo. Plus, Cuomo made an agreement with a number of social networking sites as well including Facebook and LiveJournal.
We also know that in 2011, cloud storage system Dropbox updated its Terms of Service to say that if the government asks, they will have to decrypt user's files and turn them over. Users were shocked about that because Dropbox touts the fact that it encrypts all its data.
Apple's iCloud actually uses keywords and phrases to detect pornographic emails. But the company doesn't just block them, it actually deletes them. The iCloud censorship was discovered by an Academy Award-winning screenwriter that tried to send a script to a director by emailing it from an iCloud account. The director never received the script because of one line about a character viewing an advertisement for a pornographic site on his computer. iCloud picked up on the words and deleted the email.
So, if you are storing data on a cloud or email account, what you think may be private, actually isn't. You are, in essence, entrusting companies with your information to do with it what they will. So, the question is, can you trust companies to stick to the law?
Let's take for example, Google. Google is paying $7 million to settle a case over its Street View cars that were collecting data from unsecured Wi-Fi networks. The actual data collection happened between 2007 and 2010. At first, Google denied that it had collected any payload data, but later admitted it had mistakenly collected data. It was later found out that the system was built knowingly by a "rogue engineer." Google said the payload data that it had said it deleted was still in its possession, and started giving it back to governments for their investigations.
Dr. Katina Michael, an associate professor at University of Wollongong in Australia and TED speaker, has been studying new technologies and their social implications since the late 1990's. She said that she won't store any sensitive statistics on Google Drive because she doesn't believe it's private.
"I use Google Drive for some things. But, do I want data of a sensitive nature e.g.--the statistics that I gather which I tell my ethics committee are under lock and key--do I want to break that by storing everything on the internet or the cloud?" Michael said. "And then someone down the road saying, 'well, we found data that you had?' I'm not going to share data that has to be private- it's not private on a cloud, in fact it's free, and I say to [my students], nothing is free."
Michael also said that all that information you store for free, could eventually cost you money.
"It's not going to take long before they're charging for something, and then we're all handcuffed have to pay because we put our whole lives on the internet," Michael said.
If you want to entrust companies with your information, go right ahead. But understand that the fine print in the terms of service may not tell the whole story. In fact, cloud providers must be able to provide files stored in the cloud to law enforcement, and in some cases, without a warrant. If you recall, the Electronic Communications Privacy Act Amendments Act of 2012 failed to get out of Senate last year. The Act would have offered cloud-based storage greater privacy protections, so your personal files will be open to scrutiny for the foreseeable future.