The experts agree: 24 years is long enough without a revision of the Electronic Communications Privacy Act (ECPA).
That was the consensus of many of the witnesses who testified before the House Subcommittee on the Constitution, Civil Rights and Civil Liberties at its “ECPA Reform and the Revolution in Cloud Computing” hearing on Thursday. The hearing’s two panels of witnesses included academics, industry leaders and law enforcement officials, and while many had different views on specific issues embedded in the law, there was widespread agreement that too much has changed since 1986 for ECPA to provide the protections needed for Internet users in this era of cloud computing.
Opening the hearing, Chairman Jerrold Nadler (D-NY) said that the focus should be on protecting the market, consumers and law enforcement, pointing out that one of the key dilemmas cited by critics of ECPA is that the same data has less legal protection when stored in the cloud than when stored on a home computer. A challenge, Nadler said, is finding ways to take advantage of the new technologies without ushering in a new “privacy-free civilization.”
Highlighting just how much has changed since 1986, Center for Information Technology Policy Director Edward W. Felten described the Internet as it was then: a few thousand computers used by the government only, with no Web pages at all, at a time when the founder of the world’s largest social networking site was just two years old. The most substantive change, he pointed out, comes in the way that people use the Internet, leaving “extensive electronic trails online, including their health records and financial transactions.”
With more and more individuals and businesses turning to the cloud to store information such as e-mail and documents--and with some users unaware of just how their data is being stored--Felten and other experts cautioned that ECPA can cause legal uncertainty and other confusion.
Richard P. Salgado, senior counsel for law enforcement and information security at Google, which is one of the key members of the ECPA reform advocacy group known as Digital Due Process, said that “a large gap has grown between the technological assumptions made in ECPA and the reality of how the Internet works today, leaving us in some circumstances with complex and baffling rules that are both difficult to explain to users and difficult to apply.”
For example, under ECPA, e-mails stored in the cloud that are over 180 days old may be accessed by law enforcement with just a subpoena, while those under 180 days old require a warrant. Industry leaders and privacy advocates question that distinction because many people now store e-mail and other documents in the cloud for years in lieu of other filing methods, with no intent of “discarding” the documents.
Salgado suggested the committee consider proposals by Digital Due Process to use common sense principles for updating ECPA in ways that maintain the structure of the statute and the tools needed for law enforcement while ensuring that the protection afforded to data in the cloud is no less than that afforded information stored within the home.
While law enforcement officials testifying at the hearing cautioned that too many limits on their ability to access information can become problematic in investigations, when asked by Nadler whether a move to require warrants for content stored in the cloud would be problematic, the consensus was that it would not.
And the House of Representatives is not the only body interested in reevaluating the law.
Sen. Patrick Leahy (D-VT) was quoted this week in PCWorld as voicing support for plans to update the 24-year-old law.
“The content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA,” he said, adding, “There are also no clear standards under that law for how and under what circumstances the government can access cell phone or other mobile location information when investigating crime or national security matters.”
Several witnesses at the hearing also pointed to the frustrations expressed by consumers in other countries in dealing with ECPA provisions and whether their data would be scrutinized by the U.S. government.
Michael D. Hintze, associate general counsel for Microsoft Corporation, also said the key will be to create appropriate standards that strike a balance between legitimate law enforcement needs and user privacy.
“The mismatch between these new computing technologies and ECPA’s outmoded distinctions is a source of reasonable concern for all stakeholders with an interest in online privacy,” Hintze said, “and it is the principal force driving the need for reform.”