Why ECPA Should Make You Think Twice about the Cloud
By Tony Bradley
The Digital Due Process coalition is pushing Congress to modernize privacy laws in the United States. The coalition–comprised of technology companies and special interest groups, including Microsoft, Google, EFF (Electronic Frontier Foundation), ACLU (American Civil Liberties Union), eBay, and others–feels that existing privacy regulations do not adequately protect data in the digital era, and could stop businesses from embracing cloud computing.
It seems like vendors can’t develop a new product or offer a new service these days without tacking the word “cloud” onto it. There are major players–like Microsoft, Amazon, and Google–backing the move to cloud-based services, and businesses are rushing to capitalize on the operational and financial benefits offered by cloud computing. However, businesses need to consider whether existing privacy law adequately protects data in the cloud.
Privacy of electronic data is essentially governed by the Electronic Communications Privacy Act (ECPA)–which was enacted in 1986. While it may have been a cutting edge statute at the time, things have changed. The Digital Due Process site says “Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986–light years ago in Internet time.”
The site goes on to explain “As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected.”
One example of how the ECPA hasn’t kept up is with e-mail. Under ECPA rules, any e-mail left on a server over 180 days is considered abandoned and can be accessed by law enforcement without a warrant or probable cause. That may have made sense in 1986 when e-mail was almost always downloaded and didn’t sit idly on servers, but with Gmail, Yahoo Mail, and other Web-based e-mail services providing gigabytes of storage space, users now leave e-mail on cloud-based servers indefinitely.
The Digital Due Process coalition is united in pursuing the following principles:
• Technology and Platform Neutrality: A particular kind of information (for example, the content of private communications) should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it.
• Assurance of Law Enforcement Access: The reform principles would preserve all of the building blocks of criminal investigations – subpoenas, court orders, pen register orders, trap and trace orders, and warrants – as well as the sliding scale that allows the government to escalate its investigative efforts.
• Equality Between Transit and Storage: Generally, a particular category of information should be afforded the same level of protection whether it is in transit or in storage.
• Consistency: The content of communications should be protected by a court order based on probable cause, regardless of how old the communication is and whether it has been “opened” or not.
• Simplicity and Clarity: All stakeholders – service providers, users and government investigators – deserve clear and simple rules.
• Recognition of All Existing Exceptions: Over the years, a variety of exceptions have been written into the ECPA, such as provisions allowing disclosures to the government without court orders in emergency cases. These principles should leave all those exceptions in place.
Hopefully Congress will listen and take action to bring the ECPA into this century. In the meantime, the Fourth Amendment requires that law enforcement get a warrant in order to access data stored on a desktop computer in your office, but that same data stored in the cloud may or may not be subject to a warrant requirement depending on interpretation.
There are a number of benefits to embracing the cloud, but make sure you are aware of the limitations of ECPA as you move your data and communications to the cloud. You may want to urge elected representatives to get on board with modernizing ECPA, and in the meantime you should encrypt any data you do store in the cloud so that it will take more than a subpoena of your cloud storage provider to gain access to it.