Personal cloud storage account warrantless search breached the Fourth Amendment.
Written by Pierre Grosdidier
In State V. Bowers, the Wisconsin Court of Appeals held that a person had a reasonable expectation of privacy in the contents of a third-party cloud-storage account that the person personally paid for but created using the person’s county-owned email address.1 Taylor County detective Sgt. Steven Bowers allegedly used such an account to share a confidential murder investigative file with television show producers without authorization. Made aware of the breach, the department’s IT director unsuccessfully approached the cloud service provider to secure access to the account. She then activated an account password reset that sent a hyperlink to the email account, to which she had access in her professional capacity. Bowers was criminally charged based on the evidence found in the account. The trial court eventually granted his motion to suppress that challenged the warrantless search on Fourth Amendment grounds.2 The state appealed and the court of appeals affirmed.
Wisconsin courts require a criminal defendant challenging a Fourth Amendment search “to establish, by a preponderance of the evidence: ‘(1) that he or she had an actual, subjective expectation of privacy in the area searched . . . and (2) that society is willing to recognize . . . as reasonable.’”3 On appeal, the state argued only the second element, which the court analyzed under Wisconsin’s applicable six-factor test.4 The state conceded the first two factors—that Bowers had a property interest in the account and that he maintained it lawfully. The court rejected the state’s argument that Bowers did not have “complete dominion and control” over the account (third factor) because he allegedly shared it with others. In fact, Bowers never shared his account password with anyone and selectively shared files with third parties. The court also rejected the state’s argument that Bowers’ use of his county email address diminished his control over the account because the IT director was able to reset the password and gain access. This argument, the court held, is tantamount to arguing that a person’s expectation of privacy diminishes when the location or thing is vulnerable to a privacy breach, an argument that other courts have rejected in part because it would make privacy vulnerable to advancing technology.5 The same reasoning led the court to reject the state’s argument that Bowers did not take precautions to protect his account (fourth factor). Bowers password-protected his account and the county never gave him notice that he enjoyed no privacy in his cloud account, stored on noncounty property, just because he used his county email address.6
The court was more ambivalent as to whether Bowers put his account to private use (fifth factor) given that he used it to share county files. It merely assumed that Bowers must also have used the account for personal storage. Finally, the court rejected the state’s argument that “Bowers’ claim of privacy [wa]s not ‘consistent with historical notions of privacy’” (sixth factor) because, the state claimed, Bowers shared his account with others. But Bowers shared certain files, not his account and not his password. In summary, the court compared Bowers’ password-protected cloud account stored on noncounty property to a locked “container used to store personal documents and effects,” and in which persons have well-established reasonable expectations of privacy.7
The court also rejected the state’s exigent circumstances argument because the IT director first reached out to the cloud service provider instead of immediately seeking a warrant.8 Concluding under the totality of the circumstances, as one must in a Fourth Amendment analysis, the court agreed Bowers had a reasonable expectation of privacy in his cloud account. TBJ
PIERRE GROSDIDIER is a litigation attorney in Houston. He is certified in construction law by the Texas Board of Legal Specialization. Prior to practicing law, Grosdidier worked in the process control industry. He holds a Ph.D. from Caltech and a J.D. from the University of Texas. Grosdidier is a member of the State Bar of Texas, an AAA Panelist, a registered P.E. in Texas (inactive), a member of the Texas Bar Foundation and the Texas Bar College, a fellow of the American Bar Foundation, and the State Bar of Texas Computer & Technology Section chair for 2022-2023. He was elected medium section representative to the State Bar of Texas Board of Directors for the 2023-2026 term.