I am pleased to announce that I’ve joined a diverse coalition of privacy groups, think tanks, technology companies, and fellow academics in an effort to update the Electronic Communications Privacy Act (ECPA) to better reflect the realities of modern communication technologies. One of the primary federal electronic privacy and surveillance laws, EPCA is in dire need of an upgrade: it was originally passed in 1986, before the World Wide Web was invented and when the number of American cell phone users numbered in the tens of thousands rather than the hundreds of millions.
Under the name “Digital Due Process“, the coalition has recommended that the legal standards under which the government can access some of Americans’ most sensitive data — including communications and documents stored in the Internet “cloud” and location information generated by mobile devices — be clarified and strengthened. The Digital Due Process coalition is led by the Center for Democracy & Technology, and includes Google and Microsoft, the ACLU, the Electronic Frontier Foundation, the American Library Association, and other players in technology and advocacy circles. (It’s interesting that Facebook & Yahoo aren’t among the members.)
Here’s a video Google has produced providing some background and additional information:
Four key principles are outlined to modernize ECPA:
1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user’s private communications or documents stored online.
- This principle applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet “cloud”– private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks.
- This change was first proposed in bi-partisan legislation introduced in 1998 by Senators John Ashcroft and Patrick Leahy. It is consistent with recent appeals court decisions holding that emails and SMS text messages stored by communications providers are protected by the Fourth Amendment, and is also consistent with the latest legal scholarship on the issue.
2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.
- This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data.
- A warrant for mobile location information was first proposed in 1998 as part of the bipartisan Ashcroft-Leahy bill. It was approved 20 to 1 by the House Judiciary Committee in 2000.
3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.
- In 2001, the law governing “pen registers and trap & trace devices” – technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone – was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit.
- This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated.
4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.
- This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.
- Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation.
Senator Leahy has promised to consider these principles at planned Senate hearings to consider the updating of EPCA.
I hope these recommendations don’t fall on deaf ears. And I also hope that Google, Microsoft, and the other online service providers in the coalition take their own proactive steps to protect user privacy, regardless of what the law eventually requires.