For years, privacy advocates have made efforts to place greater restrictions on law enforcement’s ability to access remotely stored, or “in the cloud,” consumer data. Law enforcement gets such data by, for example, asking the telecommunications companies or Internet service providers that hold the information to turn it over to the authorities as part of an investigation. Those who want it to be harder for government to access such data have taken many cases to court, but they recognize that they can ultimately only make real headway by getting Congress to strengthen the Electronic Communications Privacy Act (ECPA).
The act, which protects oral and electronic communications in transit and in storage, is antiquated, they argue. Written in 1986, it fails to account for the growth of e-mail and other cloud-based services. It gives law enforcement excessive power to make data requests through the use of subpoenas, say privacy advocates and others.
Strong industry backing is a “landmark step” for ECPA reform and related privacy initiatives, said Christopher Calabrese, legislative counsel for the American Civil Liberties Union. Calabrese spoke on a conference call announcing a new 64-member coalition aimed principally at ECPA reform. Members of the group, called Digital Due Process (DDP), include privacy advocacy groups and companies such as Google, Microsoft, AT&T, eBay, and AOL.
Companies support amending the laws because currently statutes may force companies to take action at the government’s request when that action could make customers unhappy and hurt business. Legally, companies are supposed to notify customers when their data has been requested by a third party, such as the FBI, said Cathy Sloan, a vice president at the Computer and Communications Industry Association, during the call. But when it occurs, such notification is frequently only provided after data has been shared, she said.
Data requests are generating increasing friction among companies, customers, and government agencies, said Richard Salgado, senior counsel for Google, also speaking on the conference call. Companies such as Microsoft and Google in recent years have also invested “huge sums” in cloud-based technology, added Michael Hintze, associate general counsel with Microsoft. Internal studies have shown that 90 percent of consumers and businesses are concerned about cloud privacy, he said. “We think a lot of that [stems from] government requests.”
The U.S. Constitution has been interpreted to provide far stricter privacy protection for information that consumers store with their own equipment that is kept in their own possession, said Salgado. A goal should be to equalize protection whether data is “on the desktop, in the cloud, or on a handheld device.”
Coalition goals include requiring agencies to obtain either judicial approval or a warrant to access customer e-mail, phone records, and other personal data. Another main goal is to eliminate “blanket” requests, which ask for data on numerous customers when just one is of interest. The coalition also aims to improve privacy protection by requiring the government to obtain a warrant before accessing mobile device users’ location information which can be tracked through cell towers on the Global Positioning Systems.
The group has held initial discussions with U.S. Department of Justice (DOJ) officials, who have been “respectful,” said Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, a coalition member. For its part, DOJ may be stepping up efforts to increase database controls. When it comes to data leakage, the agency’s top goal is to prosecute employees who use databases for inappropriate purposes, such as for personal matters, said Howard Cox, assistant deputy chief in DOJ’s computer crimes and intellectual property section, speaking at a recent Washington security conference.
Some DDP members said the Obama administration might be more receptive to stronger privacy protections than the previous administration. The coalition emphasizes that it is focused on law enforcement as opposed to national security-related matters. Spurred partly by coalition efforts, Sen. Patrick Leahy (D-VT), who chairs the Senate Judiciary Committee, recently announced plans to hold hearings on the issue.
Group members are encouraged by the attention to the issue and receptivity to adjustments in policy and law. But they are realistic. Invariably, any changes will still require a long process, said Dempsey.