Tuesday, July 5, 2011

Digital Due Process: A bid to modify the ECPA


Rarely does an alliance of this magnitude, involving such a varied and dynamic flock, come into this world. Digital Due Process (DDP) is a coalition of major online entities, privacy advocates, educational institutions and the like who have a common objective:

“To simplify, clarify, and unify the ECPA standards, providing stronger privacy protections for communications and associated data in response to changes in technology and new services and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances and protect the public.”

Prominent members include Amazon, AOL, Google, HP, IBM, Intel, Microsoft and others. The Electronic Frontier Foundation (EFF) is also on board with this initiative along with a score of law schools across the United States. As quoted above, the group seeks to modify and balance privacy laws to be compatible with today’s technological reality.

Photo by Salvatore Vuono
The Electronic Communications Privacy Act (ECPA) is a part of the US Code enacted in 1986 with the stated goal of striking a balance between people’s privacy rights associated with new forms of electronic communication and the need for law enforcement to have the tools necessary to do their jobs effectively.

Prior to the ECPA, the Communications Act of 1934 and then the Federal Wiretap Act of 1968 prevented government entities and law enforcement (or anyone else for that matter) from intercepting or divulging people’s “wire communications”. Then, in 1986, Congress sought to remedy the gaps in the law and clarify its position on privacy in electronic communications in the then forward-thinking ECPA.

Though it may have been avant-garde for its time, DDP and others argue that this law is out of date and hopelessly out of touch with the realities of computing in the internet age.

Though individual DDP members may have slightly varying stances on the right direction for the ECPA, they all agree on the following four principles:

1) Law enforcement should have to obtain a warrant based on probable cause before it can demand that a service provider turn over a customer’s private data.

Currently, the law allows police and other law enforcement to demand access to people’s e-mails that have been in storage for more than 180 days without a warrant. A simple court-ordered subpoena is sufficient to order a service provider like Hotmail or Gmail to hand over your private e-mails, provided they’ve been in your inbox (or any other folder for that matter) for 6 months or more. The DDP sees this as too low a standard considering the implications for personal privacy.

Law enforcement has never before had access to technologies that would enable such tracking of individuals. Does the simple fact that the technology and application now exist justify the use of those technologies?  Contrary to the views of the Justice Department, DDP does not believe so.

A major victory in favour of mandatory warrants to compel a service provider to hand over private information came in United States v. Warshak. The U.S. Court of Appeals for the 6th Circuit held that forcing an ISP to hand over private data without a warrant is unconstitutional on the grounds that it breaches the 4th Amendment. The court ruled that people are entitled to a reasonable expectation of privacy relating to their e-mails stored on a third party’s server.

2) Law enforcement should have to obtain a warrant before engaging in any location tracking through cell phones or other wireless devices.

The reality of today’s telecommunications means that service providers can potentially track their subscribers’ locations in real time. This powerful ability has not been lost on law enforcement. Though there is intense debate, at least one court views this type of tracking without a warrant as unconstitutional.

Just last year, the U.S. Court of Appeals for the District of Columbia rendered a decision in United States v. Maynard where it disallowed evidence obtained by an F.B.I. GPS transmitter installed on a suspect’s vehicle without a warrant. The court found that:

"It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine."

This case has been appealed to the U.S. Supreme Court and will be heard this year. Needless to say, DDP will be watching intently to see how the top court rules on this issue. It wouldn’t be surprising to see amicus briefs by DDP members filed with the court in favour of the respondent.

3) The government should have to show that access to transactional data is relevant to a criminal investigation before it is granted by a judge.

Transactional data refers to the logging of who we contact and when. The same way law enforcement may track the transactional data associated with people’s telephone calls, they may also track other forms of communication, namely e-mails, IM, text messages etc.

DDP firmly believes that before being granted permission to do so, the entity requesting the right to proceed should have to show reasonable grounds that the information to be collected is relevant and pertinent to a criminal investigation. Failure to do so should be met with the rejection of their request. Once again, simply because the technology is there doesn’t mean that law enforcement should be given carte blanche to track and record transactional data regardless of the format or medium.

4) Police and other law enforcement should not be allowed to obtain a single subpoena granting access to the transactional data of several people.

This principle seeks to eliminate the practice of accessing groups or entire directories of transactional data in the hopes of it leading to a suspect.  DDP argues that law enforcement should have to obtain a separate subpoena for each individual’s personal transactional data.  If not, the entity requesting access should have to show that access to the bulk information is in itself relevant and pertinent to the investigation. 

In 1998, Senators Patrick Leahy (D) and John Ashcroft (R) made a bi-partisan attempt at modernizing the ECPA, including the Stored Communications Act (SCA).  Leahy and Ashcroft wanted to amend the law so that e-mails and other electronic communications not contemplated by the 1986 version receive the same treatment as telephone calls or letters.  

In his testimony before the Senate Committee on the Judiciary, James X. Dempsey, VP of the Public Policy Center for Democracy and Technology, professed his agreement with DDP’s principles. He urged the committee to consider giving the ECPA a makeover that would bring it into the modern era of computing.

Though many are in favour of modifying the existing law, some warn against the pitfall of over-specialization.  In other words, the ECPA shouldn’t turn into a law on cloud computing.  Doing so would defeat the purpose of modernizing the law as it would be rendered obsolete with the rise of the next technology. Rather, the legislature should re-draft the Act using technologically neutral language while maintaining its broad scope. 

Privacy has always been an issue close to the hearts of everyday people. In this era of computing, everyday people use the internet every day. The prevalence and continued growth of cloud-based offerings requires the modernization of the ECPA in a manner that will allow for growth and innovation.

I'm of the opinion that the ECPA, or for that matter any law whose primary subject matter is technology, should always have a mandatory 5-year review. So much can happen in the world of tech in 5 years, let alone the 25 years it’s been since the enactment of the ECPA. A mandatory review is exactly what legislation like this needs to avoid otherwise unsustainable legal delay.
