A coalition of industry and civil liberties organizations yesterday launched an effort to modify the Electronic Communications Privacy Act, and in particular the provisions of the Stored Communications Act, to ensure privacy protections extend to information in the cloud. Rather than attempt a full rewrite of ECPA, the coalition focused on a handful of the most important issues – those that are arising daily under the current law: access to email and other private communications stored in the cloud, access to location information, and the use of subpoenas to obtain transactional data. The coalition includes AOL, AT&T, eBay, Google, Integra Telecom, Intel, Loopt, Microsoft, Salesforce.com as well as a host of civil liberties organizations articulated four principles to guide lawmakers in developing changes. Senator Leahy and Congressman Conyers have indicated that they will each hold hearings on the issue this year. The principles are described below. More information is available at www.digitaldueprocess.org
ECPA Reform: Why Now?
The Electronic Communications Privacy Act (ECPA) was a forward-looking statute when enacted in 1986. It specified standards for law enforcement access to electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies. Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986 – light years ago in Internet time.
As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together to combat increasingly sophisticated cyber-criminals or sexual predators.
The time for an update to the ECPA is now. For more than a year, privacy advocates, legal scholars, and major Internet and communications service providers have been engaged in a dialogue to explore how the ECPA applies to new services and technologies. We have developed consensus around the notion of a core set of principles intended to simplify, clarify, and unify the ECPA standards; provide clearer privacy protections for subscribers taking into account changes in technology and usage patterns; and preserve the legal tools necessary for government agencies to enforce the laws and protect the public.
Changes in Technology Have Outpaced the Law
Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” Of course, privacy must be balanced against other societal interests. Electronic communications and associated data can provide key evidence in the investigation of many crimes, and the assistance of service providers is often necessary to access such evidence. With respect to communications privacy and law enforcement investigations, the courts and Congress have sought to develop rules for government surveillance that balance three interests: the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.
Since enactment of ECPA, there have been fundamental changes in communications technology and the way people use it, including –
· Email: Most Americans have embraced email in their professional and personal lives and use it daily for confidential communications of a personal or business nature. Because of the importance of email and unlimited storage capabilities available today, most people save their email indefinitely, just as they previously saved letters and other correspondence. The difference, of course, is that it is easier to save, search and retrieve digital communications. Many of us now have many years worth of stored email. Moreover, for many people, much of that email is stored on the computers of service providers.
· Mobile location: Cell phones and mobile Internet devices constantly generate location data that supports both the underlying service and a growing range of location-based services of great convenience and value. This location data can be intercepted in realtime, and is often stored in easily accessible logs files. Location data can reveal a person’s movements, from which inferences can be drawn about activities and associations. Location data is augmented by very precise GPS data being installed in a growing number of devices.
· Cloud computing: Increasingly, businesses and individuals are storing data “in the cloud,” with potentially huge benefits in terms of cost, security, flexibility and the ability to share and collaborate.
· Social networking: One of the most striking developments of the past few years has been the remarkable growth of social networking. Hundreds of millions of people now use these social media services to share information with friends and as an alternative platform for private communications.
In the face of these developments, ECPA does not provide protection suited to the way technology is used today:
· Conflicting standards and illogical distinctions: ECPA sets rules for governmental access to email and stored documents that are not consistent. A single email is subject to multiple different legal standards in its lifecycle, from the moment it is being typed to the moment it is opened by the recipient to the time it is stored with the email service provider. To take another example, a document stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but the ECPA says that the same document stored with a service provider may not be subject to the warrant requirement.
· Unclear standards: ECPA does not clearly state the standard for governmental access to location information.
· Judicial criticism: The courts have repeatedly criticized ECPA for being confusing and difficult to apply. The Ninth Circuit in 2002 said that Internet surveillance was “a confusing and uncertain area of the law.” In the past 5 years, no fewer than 30 federal opinions have been published on government access to cell phone location information, reaching a variety of conclusions.
· Constitutional uncertainty: The courts are equally conflicted about the application of the Fourth Amendment to new services and information. A district court in Oregon recently opined that email is not covered by the constitutional protections, while the Ninth Circuit has held precisely the opposite. Last year, a panel of the Sixth Circuit first ruled that email was protected by the Constitution and then a larger panel of the court vacated the opinion.
This murky legal landscape does not serve the government, customers or service providers well. Customers are, at best, confused about the security of their data in response to an access request from law enforcement. Companies are uncertain of their responsibilities and unable to assure their customers that subscriber data will be uniformly protected. The current state of the law does not well serve law enforcement interests either as resources are wasted on litigation over applicable standards, and prosecutions are in jeopardy should the courts ultimately rule on the Constitutional questions.
The solution is a clear set of rules for law enforcement access that will safeguard end-user privacy, provide clarity for service providers, and enable law enforcement officials to conduct effective and efficient investigations.
Guiding Principles for ECPA Reform
The overarching goal of our review of the ECPA was to balance the law enforcement interests of the government, the privacy interests of users, and the interests of communications service providers in certainty, efficiency and public confidence.
We were guided by the following concepts:
· Technology and Platform Neutrality: A particular kind of information (for example, the content of private communications) should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it.
· Assurance of Law Enforcement Access: The reform principles would preserve all of the building blocks of criminal investigations – subpoenas, court orders, pen register orders, trap and trace orders, and warrants – as well as the sliding scale that allows the government to escalate its investigative efforts.
· Equality Between Transit and Storage: Generally, a particular category of information should be afforded the same level of protection whether it is in transit or in storage.
· Consistency: The content of communications should be protected by a court order based on probable cause, regardless of how old the communication is and whether it has been “opened” or not.
· Simplicity and Clarity: All stakeholders – service providers, users and government investigators – deserve clear and simple rules.
· Recognition of All Existing Exceptions: Over the years, a variety of exceptions have been written into the ECPA, such as provisions allowing disclosures to the government without court orders in emergency cases. These principles should leave all those exceptions in place.
Rather than attempt a full rewrite of ECPA, which might have unintended consequences, we focused on just a handful of the most important issues – those that are arising daily under the current law: access to email and other private communications stored in the cloud, access to location information, and the use of subpoenas to obtain transactional data.
Our principles do not seek to answer all questions or concerns about ECPA. Though members of the coalition may differ on the specifics, and some individual members would support additional changes, we all agree that these principles provide a framework for opening a public dialogue on the issue.
Specific Background on ECPA Reform Principles
1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user’s private communications or documents stored online.
- This principle applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet "cloud"– private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks.
- This change was first proposed in bi-partisan legislation introduced in 1998 by Senators John Ashcroft and Patrick Leahy. It is consistent with recent appeals court decisions holding that emails and SMS text messages stored by communications providers are protected by the Fourth Amendment, and is also consistent with the latest legal scholarship on the issue.
2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.
- This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data.
- A warrant for mobile location information was first proposed in 1998 as part of the bipartisan Ashcroft-Leahy bill. It was approved 20 to 1 by the House Judiciary Committee in 2000.
3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.
- In 2001, the law governing “pen registers and trap & trace devices”—technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone—was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit.
- This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated.
4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.
- This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.
- Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation.
March 30, 2010