Google, Microsoft and other tech industry heavyweights have joined forces with advocacy groups to push for changes to the Electronic Communications Privacy Act (ECPA).
ECPA was enacted in 1986 to provide a legal framework to extend government monitoring of telephone communications to electronic communications on computers. The sweeping legislation set a standard for the coming digital age, but has left a trail of confusion for police, businesses and consumers more than 20 years later, critics say.
“1986 was light years ago in Internet terms, and it’s now time to update ECPA,” Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, said during a conference call March 30 with the media announcing the group’s proposal.
The Center for Democracy and Technology joins the American Civil Liberties Union, Google, Microsoft, AT&T and others in forming a coalition called Digital Due Process to address that very issue.
“Currently, some e-mail stored online is protected by [search warrant requirements] and some isn’t. … For example, there’s the 180-day rule, which says that after 180 days at the very longest all of your stored e-mail loses the protection of the warrant and is available to the government with a subpoena issued without a judge and without a finding of probable cause,” Dempsey said.
It is these types of discrepancies coalition members said they want to address. The group is focused on four core principles. First, the government must get a search warrant to require a company to disclose digital communications not readily accessible to the public. Second, the government may only access or require location data from a mobile communications device be turned over with a warrant issued based on a showing of probable cause.
A third proposal is that the government can only access or require a company to provide dialed number information, e-mail to and from information, or other data “covered by the authority for pen registers and trap and trace devices” after judicial review determines the government has shown the information is relevant to an ongoing investigation. Finally, where the Stored Communications Act authorizes a subpoena for information, the government can only use the subpoena for information related to a specified individual or account.
Past efforts to make headway on these issues have fallen short, but while group members said they expect to meet some resistance, more than one said they would look to work with law enforcement to strike the proper balance between user privacy and law enforcement needs.
The issue is particularly important due to the growth of cloud computing. Many of the distinctions in the ECPA statute are “illogical” and create friction between companies and law enforcement, opined Mike Hintze, associate general counsel at Microsoft.
“The U.S. Constitution protects data in your home, on your own PC, at a very high standard, and as people take advantage of cloud services we don’t believe that that traditional balance of privacy vis a vis the state should be fundamentally altered,” he said.
Dempsey said he does not expect movement on the group’s proposals to happen overnight, and noted some of them were actually first put forth by Sen. Patrick Leahy, D-Vt., and then-Sen. John Ashcroft in 1998. In a statement, Leahy said he applauded the group’s efforts and looks forward to reviewing the coalition’s ideas.
“While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated,” Leahy said. “In the coming months, I plan to hold hearings on much-needed updates to the Electronic Communications Privacy Act … and I encourage others in Congress to work with me to address these important privacy and law enforcement issues.”