One more try to modernize US surveillance laws for the Internet age

You may think that your communications with other individuals over the Internet are protected from unreasonable use by US law enforcement without subpoena and due process. The truth is, judges have been loosening the interpretation of a 1986 wiretapping law, almost pretending that it did apply to present circumstances. But perhaps the greatest problem with the current Electronic Communications Privacy Act (ECPA) lies with its definitions, which at one point appear to be applicable (after several stretches of logic) to the Internet...and then, upon further review, do not.

"'Electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce," paragraph 12 of section 2510 begins. Sounds fair enough, until you go on: "...but does not include (A) the radio portion of a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit; (B) any wire or oral communication..."

If you subscribe to the FCC's emerging definition of the Internet, as a global device that consumes spectrum, then the exceptions listed here would appear to exclude your smartphone as a component of electronic communication. That exclusion could conceivably give a crafty law enforcement officer or prosecutor the means for issuing a subpoena for information from a wireless service provider, without just cause as determined by a judge.

"'Subpoena' is Latin for 'no judge has ever approved this,'" said Electronic Frontier Foundation senior staff attorney Kevin Bankston, during a news conference yesterday. "To me, that's the distinction here. Subpoenas are issued without any judicial review, and we really need that check-and-balance, that critical protection."

The news conference was assembled by the Center for Democracy and Technology to announce the publication of a set of proposed (and revised) principles for members of Congress to consider. Congress will, perhaps this season, hold hearings (again) on the possible modernization of ECPA, to make it clear that the same protections that applied to wiretapped telephone communication apply to Internet conversations. CDT's leaders have once again assembled a policy coalition (its last try at this was in 2008) to promote a set of four principles that it believes new law must follow.

This time around, however, the Digital Due Process group has enlisted the support of Microsoft and Google, two names that have figured prominently in the debate over Internet users' rights. (Facebook also figures prominently in this debate by its conspicuous absence from this coalition.)

"All private communications content stored with a service provider should be protected just as if it were stored on a laptop, or printed out or stored in a file," stated CDT Vice President for Public Policy Jim Dempsey yesterday, listing the first of the new group's four proposed principles. "That is, it should be protected by the warrant standard issued by a judge, based upon a finding of probable cause to believe that a crime is being committed or has been committed, and that the information is relevant to that crime.

"Currently, some e-mail stored online is protected by the warrant and some isn't," Dempsey continued. "And the rules as to what is protected and what isn't protected are pretty obscure and completely unknown to the average citizen. For example, there's the '180-day rule,' which says that after 180 days at the very longest, all of your stored e-mail loses the protection of the warrant and is available to the government, with a subpoena issued without a judge, and without a finding of probable cause. So we would say, one uniform rule across the board."

The second principle would apply a copy of that uniform rule to GPS and location information retrieved from an individual's smartphone or laptop. Third, a law enforcement body or government entity should be required to show just cause for requesting e-mail or information about the e-mail or other communication (e.g., the names of parties in the discussion). Fourth -- and certainly not least importantly -- the principles suggest new law should make clear that any subpoena issued under the existing Stored Communications Act should apply to an individual or an account belonging to an individual, and requests for information belonging to anything else (such as a company or group) must be approved by a judicial finding.

"Most laypeople don't realize this, but a subpoena is issued by the prosecutor, and often prosecutors hand it off to the FBI agents to fill in," explained Dempsey to a reporter who asked for a summary of how the law works today under the 1986 provisions. "They may be served in the name of a grand jury, or they may be administrative subpoenas, and a number of agencies have administrative subpoena authority. Those are issued at the discretion of an executive branch official with no judicial review. The Supreme Court has said that you can issue a subpoena...not because you believe the law is being violated, but merely to assure yourself that the law is not being violated. The standard is relevance to an ongoing investigation, and relevance is the lowest and broadest of the standards for compulsory access. It would be incumbent upon a service provider to challenge a subpoena when it's issued; often the subpoenas are issued with a delayed notice provision, meaning that the true party of interest, the customer, is not told about the subpoena in time to object to it.

"So there really are no checks and balances there that are meaningful," he continued. "A few service providers, in a few cases, have challenged subpoenas, or have pushed back. But that in and of itself is an expensive and unpredictable process."

Google's representative on the new coalition made a familiar case for Google: that the public's expectations for privacy rights have evolved faster than legislators have been able to keep up.

"This coalition is [in favor of] a very important initiative to advance what the legal protections are that cover the data that people are uploading to online services, those provided by many of the coalition members," said Google Senior Counsel Richard Salgado yesterday. "We're seeing tremendous change in the volume of data that people are uploading to services, the sensitivity of that data, and how that data and those services play a role in the day-to-day lives of people. Very different than how things looked in 1986 when the Web...didn't even exist...We're so far from that now, that you can hardly recognize the world of 1986; and yet, we've got a statute that envisions that bygone era. What we want to do is adjust some of the legal thresholds in the statute in a way that would make them more consistent with what users expect as their privacy right over the data that they've provided to these companies, and that they should expect, and doing so with thresholds that are very familiar to judges, very familiar to prosecutors, and that won't hinder the important work that government has to do."

For his company's part, Microsoft Associate General Counsel Mike Hintze yesterday pointed out that cloud technologies are preparing to rewrite the definitions yet again, and that any legal framework based squarely on 2010 could very soon look like 1986.

"ECPA...just hasn't kept up with technological changes. It doesn't reflect how people use online services and cloud services today. Therefore, a lot of the distinctions in the statute are illogical or unclear or inconsistent, which creates challenges in terms of compliance. It's unclear what the standard is, it creates friction between companies and law enforcement, and it creates confusion for the customers.

"More importantly than that, though, is the fact that, as more and more people embrace the benefits of cloud computing -- and Microsoft...has invested huge amounts in cloud technologies, and believe there are enormous benefits to the economy and to individual users...as that technological reality permeates our society, and people start moving documents from their file drawers and their individual computers into the cloud, we just don't believe that the balance between privacy and law enforcement should be fundamentally turned on its head," Hintze continued. "The US Constitution protects data in your home on your own PC at a very high standard; and as people take advantage of cloud services, we don't believe that that traditional balance of privacy vis-à-vis the state, should be fundamentally altered."


© 1998-2024 BetaNews, Inc. All Rights Reserved.