Updating Privacy Protections for 21st Century Communications
Today, a CDT-led coalition issued recommendations to strengthen the Electronic Communications Privacy Act (ECPA), a key federal privacy law. The proposals address the rules for government access to some of Americans’ most sensitive data, including communications and documents stored in the Internet “cloud” and location information generated by mobile devices. Our goal is to preserve traditional privacy rights, ensure law enforcement has the capability to conduct investigations, and give industry a clear legal footing upon which it can innovate and better compete in the global marketplace.
The group – called Digital Due Process (DDP) – is remarkably diverse, drawing from major companies, individual subject matter experts and think tanks and advocacy groups across the political spectrum. In addition to CDT, the group’s membership includes Google and Microsoft, as well as ACLU, EFF and The Progress & Freedom Foundation. The broad nature of the coalition reflects widespread consensus among the business and privacy communities that the laws on government access to electronic data need to be updated in light of modern technology.
For a detailed explanation of the principles put forth by the coalition for updating ECPA, please see the DDP website.
Two case studies for ECPA reform
ECPA focuses on standards for law enforcement access to communications data. Enacted in 1986, it established privacy protections to foster the growth of then-emerging wireless and Internet technologies. However, the statute has not undergone a significant revision in the quarter century since its enactment. Technology has changed dramatically since 1986 and the statute is no longer compatible with modern business practices or consumers’ everyday uses of digital services. Instead, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies.
The solution is a clear set of rules for law enforcement access that will safeguard end-user privacy, provide clarity for service providers, and enable law enforcement officials to conduct effective and efficient investigations. Rather than attempt a full rewrite of ECPA, which might have unintended consequences, DDP’s principles focus on just a handful of the most important issues that are arising daily under the current law. Two leading examples are email and other private communications stored in the cloud, and location information.
Cloud Computing:
A document or email stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but ECPA says that the same document or email stored with a service provider (in the “cloud”) is accessible to the government with a subpoena (issued without a judge’s approval). Moreover, if the service provider can access the data for any purpose other than storage or processing, the data falls outside of ECPA entirely. Today, email and data storage service providers often examine user communications for marketing, security and anti-spam purposes. Under ECPA, these normal business practices may deprive users of privacy interests with regards to the government.
The coalition is proposing that ECPA be updated to require that the government obtain a probable cause warrant before it can acquire any private communications or documents stored “in the cloud” by service providers. This warrant standard would apply regardless of the age of the communication and whether it has been opened or not – distinctions which unnecessarily trigger different standards under current law.
Location Information:
The proliferation of increasingly high-powered mobile devices has already given rise to the Internet’s first generation of location-based services and applications. However, ECPA provides no legal standard for law enforcement access to location information, resulting in a confusing mish-mash of court opinions. A majority of lower courts to consider the issue have required a probable cause warrant for real-time access to location information, but other courts have required far less. Some courts make distinctions based on the precision of the location data or whether the data is historical or real-time. This legal uncertainty not only complicates the job of law enforcement, but the lack of strong privacy standards can hold back consumer use of location-based services.
The coalition is proposing that ECPA be updated to require the government to obtain a probable cause warrant before it can track the location of a cell phone or any other mobile communications device. This warrant standard would apply regardless of the precision of the location information and whether it is prospective or retrospective.
What Comes Next
Today’s launch of Digital Due Process marks a new phase in a long-term effort likely to last several years. ECPA is quite complicated, and although it is crucial to the privacy of Americans’ data, ECPA is not well understood even by many policymakers and stakeholders. Therefore, DDP will be devoting significant time and resources to engaging lawmakers and government officials in a dialogue so that the economic and privacy rationales for ECPA reform are clear and the proper balance is achieved. Encouragingly, Senator Leahy– the original author of ECPA in 1986 and now the chair of the Senate Judiciary Committee– announced his intention to hold a hearing on updating ECPA in late May.
Ultimately, CDT will urge Congress to pass legislation to strengthen ECPA’s privacy standards. Congress enacted the Electronic Communications Privacy Act to foster new communications technologies by giving users confidence that their privacy would be respected. ECPA helped further the growth of the Internet and proved monumentally important to the U.S. economy. Now, technology has again jumped ahead. It’s time to update ECPA.