Today in Washington, the Senate Judiciary Committee held a hearing on updating the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones.
The statements of the witnesses before the Senate from the Commerce Department, Justice Department and witnesses are embedded in ths post. Below, find an exclusive interview with digital privacy and security researcher Chris Soghoian, who until recently was the resident geek at the Federal Trade Commission, and some context on “Digital Due Process,” the coalition of industry and privacy advocates advocating for an ECPA update.
“From the perspective of industry and definitely the public interest groups, people shouldn’t have to consider government access as one of the issues when they embrace cloud computing,” said Soghoian. “It should be about cost, about efficiency, about green energy, about reliability, about backups, but government access shouldn’t be an issue.”
While the tech blogosphere may be focused on Twitter, Facebook and inside baseball among the venture capitalists of Silicon Valley’s today, the matter before Congress should be earning more attention from citizens, media and technologists alike. Over at Forbes, Kashmir Hill made the case that industry will benefit from a clearer Electronic Communications Privacy Law. Take it one step further: updates to the ECPA have the potential to improve the privacy protections for every connected citizen, cloud computing provider or government employee. As she pointed out there:
One of the most egregious ECPA issues is how it treats the protection of email. “Why should email in someone’s inbox be treated different from something in someone’s sent folder?” asked Smith [Microsoft’s general counsel]. “Why is something unread in my junk folder subjected to greater privacy than something read in my inbox? Why does an email I sent in April have fewer privacy protections than one I sent in September?”
It’s important to be clear: Congress is unlikely to move on updating ECPA before the mid-term elections or in the lame duck session. That said, the hearing in the Senate today and the hearing on ECPA reform and the revolution in cloud computing in the House of Representatives tomorrow will inform any legislative action in the next Congress.
Chairman Patrick Leahy was clear in his opening statement today: American innovation has outpaced digital privacy laws.
When Congress enacted ECPA in 1986, we wanted to ensure that all Americans would enjoy the same privacy protections in their online communications as they did in the offline world, while ensuring that law enforcement had access to information needed to combat crime. The result was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.
Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.
For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.
Simply put, the times have changed, and so ECPA must be updated to keep up with the times. Today’s hearing is an opportunity for this Committee to begin to examine this important issue.
“There does seem to be wide agreement that current ECPA standards are a muddled mess,” said Julian Sanchez, a research fellow at the libertarian Cato Institute, and contributing editor for Reason Magazine. “The fear about “uncertainty” expressed by Baker is ridiculous when you consider the scholarly consensus and the evident confusion in the courts trying to apply it. In reality, DOJ finds the ambiguity convenient, since they can jurisidiction-shop for magistrates whose interpretations they find congenial.”
Jim Dempsey of the Center for Democracy and Technology made the following statement on ECPA, promoting security and protecting privacy:
Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” The Fourth Amendment embodies this right, requiring a judicial warrant for most searches or seizures, and Congress has enacted numerous laws affording privacy protections going beyond those mandated by the Constitution.
In setting rules for electronic surveillance, the courts and Congress have sought to balance two critical interests: the individual’s right to privacy and the government’s need to obtain evidence to prevent and investigate crimes, respond to emergency circumstances and protect the public. More recently, as technological developments have opened vast new opportunities for communication and commerce, Congress has added a third goal: providing a sound trust framework for communications technology and affording companies the clarity and certainty they need to invest in the development of innovative new services.
Today, it is clear that the balance among these three interests – the individual’s right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust – has been lost as powerful new technologies create and store more and more information about our daily lives. The protections provided by judicial precedent and statute have failed to keep pace, and important information is falling outside the traditional warrant standard.
The personal and economic benefits of technological development should not come at the price of privacy. In the absence of judicial protections, it is time for Congress to respond, as it has in the past, to afford adequate privacy protections, while preserving law enforcement tools and providing clarity to service providers.
The American Civil Liberties Union also had specific recommendations for Congress on ECPA reform. “The Electronic Communications Privacy Act was written in 1986 before the Web was even invented and is in desperate need of an upgrade,” said Laura W. Murphy, Director of the ACLU Washington Legislative Office. “While Americans have embraced technology as an essential part of everyday life, they have not surrendered their fundamental right to privacy. Congress must ensure that our privacy laws reflect the technology Americans use every day.”
The testimony of the ACLU on ECPA reform is embedded below:
The written testimony of Microsoft general counsel Brad Smith is embedded below:
The written testimony of he Honorable James A. Baker, Esq., Associate Deputy Attorney General, United States Department of Justice, is embedded below:
The written testimony of the Honorable Cameron F. Kerry, Esq., General Counsel of the United States Department of Commerce is embedded below:
The written testimony of attorney Jamil Jaffer Testimony is below:
Digital Due Process
Earlier this year, I reported on the launch of DigitalDueProcess.org, a coalition pushing for an ECPA update for online privacy in cloud computing age. A powerful collection of organizations has been pushing for an update to ECPA. Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.
The coalition set up a website, DigitalDueProcess.org, containing its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process,”