Consumer Electronics Daily was a Warren News publication.
‘Year Already Over’

ECPA Overhaul—Sometime—Is Goal of Broad Coalition, Hill Committees

The emergence of cloud computing and ubiquitous mobile devices has complicated the federal statute covering law-enforcement access to electronic communications, written when e-mail was a new technology, a coalition of Internet companies, privacy groups and think tanks said Tuesday. They are pushing for revision of the Electronic Communications Privacy Act at a time when the Obama administration is defending a government right of access without warrants to information about cellphone locations (CD Feb 16 p11). Those pressing for change have allies in the leaders of the House and Senate Judiciary committees. But they don’t expect legislation to move this year.

The Digital Due Process Coalition includes Google, Microsoft, AT&T, AOL, Intel, Loopt, Salesforce.com, the ACLU, the Computer & Communications Industry Association, the Information Technology & Innovation Foundation, the Electronic Frontier Foundation, the Progress & Freedom Foundation, and a handful of other companies and think tanks. It’s led by the Center for Democracy & Technology, whose vice president of public policy, Jim Dempsey, told reporters Tuesday that the center had worked for the past two years to build the coalition. It also has a law-enforcement tie-in: Google’s representative, Richard Salgado, and attorney Marc Zwillinger used to work in the Justice Department’s Computer Crime and Intellectual Property Section.

The coalition wants to start a “broad, in-depth dialogue,” especially with law enforcement, about changing the law to treat private data the same everywhere, Dempsey said. It set forth four principles, available with background materials at DigitalDueProcess.org: (1) All private communications stored with a service provider should be governed by the probable-cause standard, regardless of the data’s age. ECPA’s treatment of cloud data is “pretty obscure and completely unknown to the average citizen,” Dempsey said, pointing to a 180-day cutoff for warrantless e-mail access. (2) A probable-cause standard should be applied to location data -- because although GPS data in particular is protected, “courts have been all over the ballpark” on the thresholds for government access, Dempsey said. (3) A minimum showing should be required from the government, before a judge, to acquire noncontent data, now covered by warrantless standards for phone and Internet transactional data. (4) Subpoenas authorized by the Stored Communications Act should be usable only with a “particular account” or person. Any bulk or blanket requests for data should have to go through a judge.

Representatives of the coalition have briefed several lawmakers and met with officials at Justice, the FBI, the Commerce Department and the White House, Dempsey said. Justice isn’t “endorsing” the proposals, but officials there have been “respectful,” he said. Variations on the proposals have been floating around since 1998, when Sen. Patrick Leahy, D-Vt., now the Judiciary Committee chairman, and then-Sen. John Ashcroft, R-Mo., put them forth, he said. But “we’re not expecting that these will be enacted this year,” Dempsey said, joking, “It’s March. The year is already over.”

Legal clarity and codification of case law are the group’s top goals, Dempsey said. Services such as Google Docs and Flickr are probably covered by ECPA in many cases but not necessarily in every situation where a person intends data to remain private or available to a small group, he said. And because of “delayed notice” provisions in some subpoenas to providers, users often can’t object in time to government access to their data, Dempsey said. Asked whether heavy use of cloud and Web 2.0 services shows that users don’t care about the government getting their data, CCIA’s vice president of government relations, Cathy Sloan, told reporters that Facebook regularly has to update its privacy policies to satisfy users. But Internet users can’t leave the federal government for another “provider,” she said. “The popularity of new services will always get out ahead” of timely public policies.

The distinctions in ECPA are “illogical,” said Mike Hintze, Microsoft’s associate general counsel. There’s “friction” between companies and law enforcement over when warrants are required or subpoenas are adequate. “We just don’t believe that the balance between privacy and law should be fundamentally turned on its head” in cloud computing, because that would scare people away from services that Microsoft has invested in heavily, he said. The proposals include legal thresholds that prosecutors and judges are familiar with in other contexts, said Salgado, Google’s senior counsel for law enforcement and information security. Restrictions on access to location data are the trend coming from the courts, said Kevin Bankston of EFF, which countered the government’s view at a 3rd U.S. Circuit Court of Appeals argument last month. “These are really reasonable measures” that the coalition is proposing, said Legislative Counsel Chris Calabrese of the ACLU, which would prefer higher protections for mobile data.

“While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated,” Leahy said. The Senate Judiciary Committee will hold hearings on “much-needed updates” to ECPA “in the coming months” and review the coalition’s proposals, he said. The House may do a more thorough review. House Judiciary Committee Chairman John Conyers, D-Mich., Civil Liberties Subcommittee Chairman Jerrold Nadler, D-N.Y., and Crime Subcommittee Chairman Bobby Scott, D-Va., promised to hold hearings on ECPA this spring, and Conyers thanked the disparate coalition members for reaching “common ground.”

Other potential allies are hanging back or are aligned with another overhaul proposal. A Verizon spokesman told us his company supports a similar proposal by USTelecom. “We think it’s good for the FCC to have a variety of options to assess and choose from.” A spokesman for Facebook said the company isn’t participating “formally” but will continue “monitoring the discussion and plan to evaluate joining in the future.”