A coalition of tech vendors and privacy groups is calling on the U.S. Congress to update a 24-year-old law to better protect users of e-mail, cloud computing services and mobile phones from government surveillance.
The newly formed Digital Due Process Coalition wants Congress to revamp the 1986 Electronic Communications Privacy Act (ECPA) to ensure that e-mail messages, documents stored on cloud computing services and location-based mobile-phone information enjoy the same privacy protections as information stored in a file cabinet or on a PC hard drive.
ECPA needs to be updated because, in some cases, digital information stored in the cloud doesn’t enjoy the same legal protections as other data, said Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, a privacy and digital rights group that has spearheaded the coalition. In other cases, the privacy protections for digital data are unclear, he said during a press conference Tuesday.
ECPA doesn’t work for many of the ways people use digital information today, said Michael Hintze, associate general counsel at Microsoft, a member of the coalition. “A lot of the distinctions in the statute are illogical or unclear or inconsistent, which creates challenges in terms of compliance,” he said. “As more and more people embrace the benefits of cloud computing … we just don’t believe that the balance between privacy and law enforcement should be fundamentally turned on its head.”
Typically, law enforcement officials would have to get a court-ordered warrant to search a suspect’s PC or file cabinets, but law enforcement agencies can get access to some e-mail information, instant messages and other information stored in the cloud, as well as mobile-phone tracking information, through simple subpoenas, members of the coalition said.
The coalition’s suggested changes to ECPA “would make it clear that all of that data, as it moves from the desktop to the cloud and back again, to the handheld device, without regard to platform, private content should be protected,” Dempsey said.
The group wants ECPA changed so that law enforcement officials have to get warrants before demanding Internet service providers and cloud computing providers turn over private documents stored online and before mobile carriers turn over tracking information about customers. The coalition also wants court review that any real-time surveillance of communications such as text messages and instant messages is relevant to a criminal investigation, and it wants courts to review law enforcement requests for transactional data of multiple unidentified users.
Some of the changes the coalition wants were introduced in Senate legislation as far back as 1998. The coalition has briefed lawmakers and the U.S. Department of Justice and U.S. Federal Bureau of Investigation about its proposals, Dempsey said.
The DOJ’s and FBI’s reactions have been “respectful,” he added. “These are the core issues that have been around for a very long time now,” Dempsey said. “We’re 100 percent committed to dialog with law enforcement, to hear their concerns. This isn’t going to happen unless it happens with law enforcement coming along with us.”
A spokeswoman for the DOJ didn’t immediately respond to a request for comments on the new coalition.
Dempsey said he doesn’t expect changes to ECPA to happen this year, although Senator Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary Committee, plans to have hearings on the law later in the year.
Members of the coalition include Google, AT&T, the Electronic Frontier Foundation, the American Civil Liberties Union and the Computer and Communications Industry Association.