No Cops in the Cloud Without a Warrant

Law on government access to electronic info in desperate need of update.

April 9, 2010 -- What do Google, Microsoft, AT&T, Intel, Americans for Tax Reform, ACLU, the American Library Association, the Competitive Enterprise Institute and the Electronic Frontier Foundation have in common?

They actually all agree that the law covering government access to today's sophisticated electronic communications is in desperate need of an update.

That law, the Electronic Communications Privacy Act (ECPA), was adopted when the Internet was in its infancy. The law was prescient for its time, setting out the rules for government access to electronic data. But technology has evolved rapidly since that time.

And there is a widespread view among major companies and trade associations, advocacy groups and think tanks from across the political spectrum that this critical privacy law needs to be updated in light of modern technology.

The diverse interests came together last week to propose principles to guide revision of the law and launch the Digital Due Process coalition (DDP).

The Law Has Not Kept Pace With Technology

When ECPA was adopted in 1986, the Web didn't exist, commercial access to e-mail was limited and only a select few Americans had mobile phones (large brick-shaped devices). No one knew how these new mediums would develop but the rules about government access to the information that would flow over them were murky, at best.

Existing law only protected voice communications carried over a wire. Many believed that cellular phone calls and e-mail enjoyed no constitutional protection.

Congress enacted ECPA to fill that void and extend protection to wireless and Internet communications so that these new technologies would be trusted by consumers and therefore able to grow.

What followed was the great technology boom. Today, approximately three out of every four Americans are Internet users.

There are 277 million cell phones in use in the United States. Cloud computing is all the rage, and exciting new location-based technologies are becoming ubiquitous.

But the rules governing how, when and under what circumstances law enforcement can get access to the information generated by these services are frozen in a 1986 vision of technology.

So DDP is proposing a set of principles for law enforcement access that will safeguard end-user privacy, provide clarity for service providers and enable law-enforcement officials to conduct effective and efficient investigations. The recommendations focus on a handful of the most important issues that are arising daily under the current law.

Cloud Computing: Leveling the Privacy Playing Field

A document stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but ECPA says that the same document stored with a service provider (in the "cloud") is accessible to the government with a subpoena (issued by prosecutors without a judge's approval).

It says the same thing about e-mail more than six months old. In other words, the mere fact that more and more people store their sensitive e-mail, documents, calendars and financial information in the Internet cloud instead of on their own computers means that more and more people enjoy less privacy than they used to.

Privacy protections should be technology neutral but today they are unnecessarily technology-specific.

In some instances, personal information stored online may not even be eligible for ECPA's subpoena protections.

The law may not provide protection if the cloud service provider can access stored data for a purpose other than storage or processing. But today it is a common business practice for e-mail and data-storage service providers to examine user communications for marketing, security and anti-spam purposes.

Everyday Business Practices May Strip Customers of Privacy Expectation

As the law is now written, these everyday business practices may strip customers of any expectation of privacy. That would mean that the government would not even need a subpoena to access this information.

So something has to change. Operating without specific privacy laws threatens the development of cloud computing services and all of the efficiencies and capabilities they promise.

A cloud service can have the best privacy policy in the world and protect data with a high level of security, but because the law is out of date, it cannot provide assurance that the information you've stored there is as safe from government access as the data on the hard drive of your home computer.

Will law enforcement buy into these changes? Consider that, today, most large cloud providers are U.S. companies and most store their data here. If cloud providers in the United States cannot assure their customers of an adequate level of privacy against the government, those customers will go elsewhere.

And they will take their information with them to other countries, where it will be harder for U.S. law enforcement to access. Treaties are helpful, but there's no substitute for having the data nearby, within the jurisdiction of a U.S. court.

It may sound counterintuitive, but raising the standard for government access to cloud computing information makes it more likely that the data will be here, accessible to U.S. law enforcement agencies. Failure to raise the standards in the United States means the data is more likely to be housed elsewhere, possibly out of reach of our law enforcement agencies.

Social Networking Information: Replacing Confusion With Clarity

What about those pictures you share with friends and family on Flickr or all that information you put up on Facebook for only "friends" to see? Are there any rules that protect this information from the prying eyes of government in a social media environment?

When ECPA was drafted in 1986, CompuServe was the closest thing to "social media" on the technological landscape. The authors of ECPA couldn't have foreseen the boomtown development of social media sites, so how law enforcement is allowed to operate within the social media landscape is now also unclear.

Rules about how and when government is allowed access to information kept by a social media service can vary wildly.

Naturally, this lack of clarity confounds the lawyers for social networking sites. Government officials often do not know with certainty what authority they have to compel disclosure of a particular piece of information.

And consumers, meanwhile, are often most in the dark, left with a vague sense that maybe social networking is not so private. Bottom line: the rules are murky and need to be made clearer for everyone.

The DDP coalition offers a simple solution: The government should have to get a judicial warrant to read anyone's private material, just as it would if the material were stored in a home computer or a desk drawer.

Location, Location, Location

The proliferation of increasingly high-powered mobile devices has already given rise to the Internet's first generation of location-based services and applications. Nowadays, it is becoming easy to find a nearby restaurant or bookstore using your mobile device. You can even find your friends and loved ones: Some services allow a user to plot the location of friends on a map, making it easy to meet up.

But ECPA provides no legal standard for law enforcement access to location information, resulting in a confusing mish-mash of court opinions. A majority of lower court decisions have required a probable-cause warrant for real-time access to location information, but other courts have required far less.

Some courts make distinctions based on the precision of the location data. GPS can provide more precise location than can other technologies, such as proximity to cell phone towers.

Some courts have made distinctions based on whether location information is real time, or historical. This legal uncertainty not only complicates the job of law enforcement, but the lack of strong privacy standards can hold back consumer use of location-based services.

In a world where most Americans carry with them a cell phone that broadcasts their location about once every several seconds, it is time to afford this location data a very high level of protection.

The coalition is proposing that ECPA be updated to require the government to obtain a warrant from a judge before tracking the location of a cell phone or any other mobile communications device.

This warrant standard would apply regardless of the precision of the location information and whether it is prospective or retrospective. The coalition's principle would allow for exceptions in emergency cases, such as locating a missing person.

What Comes Next?

The current uncertain state of the law serves no one well. Consumers do not know how well their data is protected, law enforcement is uncertain about what kind of process to use to secure lawful access to different kinds of information, and the companies that hold the information do not know what their obligations are. Any solution must balance the interests of law enforcement, privacy, and industry.

The launch of Digital Due Process marks a new phase in a long-term effort to bring protection to our 21st century communications. The process of updating the laws is likely to last several years.

ECPA is complicated and although it is crucial to the privacy of Americans' data, the statute is not well understood even by many policymakers and stakeholders. Encouragingly, both the House and Senate Judiciary Committees have already signaled that they will hold hearings on ECPA reform this year.

In 1986, Congress enacted the Electronic Communications Privacy Act to foster new communications technologies by giving users confidence that their privacy would be respected. By helping to further the growth of the Internet, ECPA proved monumentally important to the U.S. economy.

Now, technology has again jumped ahead. It's time to update ECPA so we can continue to innovate and grow, with our privacy intact.

Leslie Harris is president and CEO of the Center for Democracy & Technology.