A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.
“The traditional standard for the government to search your home or office and read your mail or seize your personal papers is a judicial warrant,” said Jim Dempsey, vice president for public policy at the Center for Democracy & Technology, who has led the coalition effort. “The law needs to be clear that the same standard applies to email and documents stored with a service provider, while at the same time be flexible enough to meet law enforcement needs.”
Updates to ECPA may also be relevant to the public sector, as CIOs answer the call to arms issued by U.S. CIO Vivek Kundra for cloud computing services. Cloud computing compliance figures to be a growing concern as enterprises turn to rapidly maturing Google Apps.
The coalition has set up a website, DigitalDueProcess.org, containing its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process”:
[kml_flashembed movie="http://www.youtube.com/v/AYYjr3XNaGs" width="425" height="350" wmode="transparent" /]
At issue is the reality that for many consumers and enterprises, sensitive data in email and other electronic communications no longer resides solely on a hard drive at home or in the office. “The statute was passed in 1986 and doesn’t reflect how people use online services today,” said Microsoft spokesman Mike Hennessey. “The U.S. Constitution protects data at home and on your computer at a very high standard. We don’t believe that that should be turned on its head.”
As more and more people embrace the benefits of cloud computing, there are challenges in terms of compliance, as well as friction in terms of law enforcement access. Congress has heard testimony on location-based services and online privacy as usage of mobile social networks has exploded.
“The majority of court decisions have found that the government needs to get a warrant if it needs to track citizens in real time,” said Kevin Bankston, a senior staff attorney at the ACLU.
The coalition is pushing for a set of simplified standards that defines legal protection for data in the cloud, and that also addresses the increasingly blurred distinctions among data provided through GPS, cell sites and network triangulation.
“The reality is that technology has advanced over the last 20 years, so that better technology and intrusive technology has become available to both government and consumers,” said Catherine Sloan, vice president of government relations at the Computer & Communications Industry Association. “When you’re talking about the government, folks don’t have a choice of whether to deal with the government or not. They can’t just change a provider. That’s why the statute, in terms of government, needs to be updated.”
The coalition has issued principles for updating the ECPA that would define the rules for government access to email and other files stored online. These include requirements that:
- ”A governmental entity may require an entity covered by the ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.”
- ”A governmental entity may access, or may require a covered entity to provide location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.”
- ”A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding.”
- ”Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s).”
The complete list of coalition members include: ACLU, American Library Association, Americans for Tax Reform, AOL, Association of Research Libraries, AT&T, Center for Democracy & Technology, Citizens Against Government Waste, Competitive Enterprise Institute, Computer and Communications Industry Association, eBay, Electronic Frontier Foundation, Google, Information Technology and Innovation Foundation, Integra Telecom, Intel, Loopt, Microsoft, NetCoalition, The Progress & Freedom Foundation and Salesforce.com. The coalition will continue to add new members.