Digital Due Process: A bid to modify the ECPA

Rarely does an alliance of this magnitude, involving such a varied and dynamic flock come into this world.  Digital Due Process (DDP) is a coalition of major online entities, privacy advocates, educational institutions and alike who have a common objective:

“To simplify, clarify, and unify the ECPA standards, providing stronger privacy protections for communications and associated data in response to changes in technology and new services and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances and protect the public.”

Prominent members include Amazon, AOL, Google, HP, IBM, Intel, Microsoft and others. The Electronic Frontier Foundation (EFF) is also on board with this initiative along with a score of law schools across the United States. As quoted above, the group seeks to modify and balance privacy laws to be compatible with today’s technological reality.

Photo by Salvatore Vuono

The Electronic Communications Privacy Act (ECPA) is a part of the US Code enacted in 1986 with the stated goal of striking a balance between people’s privacy rights associated with new forms of electronic communication and the need for law enforcement to have the tools necessary to do their jobs effectively.

Prior to the ECPA, the Communications Act of 1934 and then the Federal Wiretap Act of 1968 prevented government entities and law enforcement (or anyone else for that matter) from intercepting or divulging peoples “wire communications”.  Then, in 1986, Congress sought to remedy the gaps in the law and clarify its position on privacy in electronic communications in the then forward thinking ECPA.

Though it may have been avant-garde for its time, DDP and others argue that this law is out of date and hopelessly out of touch with the realities of computing in the internet age.

Though Individual DDP members may have a slightly varying stance on the right direction for the ECPA, they all agree to the following four principles:

1) Law enforcement should have to obtain a warrant based on probable cause before it can demand that a service provider turn over a customer’s private data.

Currently, the law allows police and other law enforcement to demand access to people’s e-mails that have been in storage for more than 180 days without a warrant.  A simple court ordered subpoena is sufficient to order a service provider like Hotmail or Gmail to hand over your private e-mails providing they’ve been in your inbox (or any other folder for that matter) for 6 months or more.  The DDP sees this as too low a standard considering the implications on personal privacy. 

Law enforcement has never before had access to technologies that would enable such tracking of individuals. Does the simple fact that the technology and application now exist justify the use of those technologies?  Contrary to the views of the Justice Department, DDP does not believe so.

A major victory in favour of mandatory warrants to compel a service provider to hand over private information came in United States v. Warshak.  The U.S. Court of Appeals for the 6^th circuit held that forcing an ISP to hand over private data without a warrant is unconstitutional on the grounds that it breaches the 4^th Amendment.   The court ruled that people are entitled to the reasonable expectation of privacy relating to their e-mails stored on a third-party`s server.

2) Law enforcement should have to obtain a warrant before engaging in any location tracking through cell phones or other wireless devices.

The reality of today’s telecommunications means that service providers can potentially track their subscriber’s location in real time.  This powerful ability has not been lost on law enforcement.  Though there is intense debate, at least one court views this type of tracking without a warrant as unconstitutional.

Just last year, the U.S. Court of Appeals for the District of Columbia rendered a decision in United States v. Maynard where it disallowed evidence obtained by an F.B.I. GPS transmitter installed on a suspect-vehicle without a warrant.  The court found that:

"It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine."`

This case has been appealed to the U.S Supreme Court and will be heard this year. Needless to say, DDP will be watching intently to see how the top court rules on this issue. It wouldn’t be surprising to see Amicus briefs by DDP members filed with the court in favour of the respondent.

3) The government should have to show that access to transactional is relevant to a criminal investigation before it is granted by a judge.

Transactional data refers to the logging of who we contact and when. The same way law enforcement may track the transactional data associated with people’s telephone calls, they may also track other forms of communication, namely e-mails, IM, text messages etc.

 DDP firmly believes that before being granted permission to do so, the entity requesting the right to proceed should have to show reasonable grounds that the information to be collected is relevant and pertinent to a criminal investigation.  Failure to do so should be met with the rejection of their request. Once again, simply because the technology is there, doesn`t mean that law enforcement should be given carte blanche to track and record transactional data regardless of the format or medium.

4) Police and other law enforcement should not be allowed to obtain a single subpoena granting access to the transactional data of several people.

This principle seeks to eliminate the practice of accessing groups or entire directories of transactional data in the hopes of it leading to a suspect.  DDP argues that law enforcement should have to obtain a separate subpoena for each individual’s personal transactional data.  If not, the entity requesting access should have to show that access to the bulk information is in itself relevant and pertinent to the investigation. 

In 1998, Senators Patrick Leahy (D) and John Ashcroft (R) made a bi-partisan attempt at modernizing the ECPA, including the Stored Communications Act (SCA).  Leahy and Ashcroft wanted to amend the law so that e-mails and other electronic communications not contemplated by the 1986 version receive the same treatment as telephone calls or letters.  

In his testimony before the Senate Committee on the Judiciary, James X. Dempsey, VP of the Public Policy Center for Democracy and Technology professed his agreement with DDP’s principles.  He urged the committee to consider giving the ECPA a makeover that would bring it into the modern era of computing.

Though many are in favour of modifying the existing law, some warn against the pitfall of over-specialization.  In other words, the ECPA shouldn’t turn into a law on cloud computing.  Doing so would defeat the purpose of modernizing the law as it would be rendered obsolete with the rise of the next technology. Rather, the legislature should re-draft the Act using technologically neutral language while maintaining its broad scope. 

Privacy has always been an issue close to the hearts of everyday people.  In this era of computing, every day people use the internet, every day. The prevalence and continued growth of cloud based offerings requires the modernization of the ECPA in a manner that will allow for growth and innovation. 

I'm of the opinion that the ECPA -or for that matter any law whose primary subject matter is technology should always have a mandatory 5 year review.  So much can happen in the world of tech in 5 years, let alone the 25 years it’s been since the enactment of the ECPA.  A mandatory review is exactly what legislation like this needs to avoid otherwise unsustainable legal delay.

Copyright in the Cloud

“The Cloud”.  For those who keep up with tech this term is nothing new.  For those who do not, “The Cloud” or “Cloud Computing” refers to web based software and online data storage.  The growing trend in computing today seems to denote a shift away from hard disk storage and software to this new online framework.  

Three of the major players- among others- in the tech space are harnessing the power of the cloud to offer web based music player and storage services.  On May 10^th, Google unveiled its new online music storage service at the Google I/O conference.   Amazon has already released their “Cloud Player” and Apple is reportedly in the process of coming out with their cloud based music offering.

Though these services are not and likely will not make it to Canada in the short term, the question beckons as to whether or not they would present copyright issues here.  Leaving out the obvious distribution licensing issues, the current Canadian Copyright Act does not allow for format shifting (the transferring of a media from one format to another). 

The format most widely used to encode digital music is without a doubt the MP3.  So if the music is uploaded in MP3 format there is no issue.  However, not all music files are MP3’s.  WMA, AIFF and FLAC are just some of the other file formats in which people’s music are often encoded.  In this event, the service provider- in this case Google Amazon or Apple- would be forced to convert the file type into MP3 format to render it compatible with the player. 

This would ultimately mean that the service providers must acquire a publishing license to properly operate the service.  Such a consideration might appear to be minor; but in reality it may prove to be a larger barrier to entry than one would think.  Needless to say a publishing license would be more costly.  Also, the music purchased from the provider would always be in MP3 form meaning that any format shifting that need occur would only concern music files the person uploaded from their existing library.  Therefore, the additional cost of licensing would be a bullet the service providers would have to take without seeing a profit directly related to it.  These providers will likely swallow this cost as a necessary evil.  After all, web based music services become much less attractive if the consumer cannot upload the music they have previously acquired.

The now defunct Bill C-32, Canada`s most recent attempt at modernizing our contextually archaic copyright law, provided for a “consumer exception” that would allow format shifting for private use.   It is unclear however if that would include this type of activity.  The provision was originally conceived to allow consumers to transfer their media from one platform to another (i.e. from a CD to an IPod).  In this case, it would be Google or Amazon executing the format shift.  Furthermore, one of the requirements in the Bill is that the original copy not be infringing.  Therefore, if the service provider is caught format shifting their client’s illegally downloaded music, the provision would not apply and they could feasibly be held liable for secondary infringement. 

It is clear that tech is going the way of the cloud.  It will become increasingly difficult for Canadian policy to ignore that fact.  It is somewhat embarrassing that Canadian copyright law has not been modified since 1997.  That’s two years prior to the birth of Napster!  One thing is certain. Further neglect to the modernization of copyright in Canada will have the undesired effect of leaving us in the dust of technological progress; an outcome most Canadians are probably unwilling to accept.