A coalition of technology companies, public interest groups, think tanks, and academics has formed to push for updating federal privacy laws to address 21st century privacy concerns. The group, Digital Due Process (www.digitaldueprocess.org), announced an effort to push for changes in the 1986 Electronic Communications Privacy Act, the major federal law governing access to email and other electronic information. The coalition argues that changes to the law are required to deal with new technologies, new services, and new data usage patterns.
Digital Due Process includes a wide variety of groups within the information industry. Technology companies that are members of the coalition include AT&T, AOL, eBay, Intel, Microsoft, and Google. The American Library Association and the Association of Research Libraries are also members. Public interest groups include the ACLU, Citizens Against Government Waste, and the Electronic Frontier Foundation.
Privacy protection has become a hot-button issue with the universal use of electronic communication tools and electronic documents of all kinds. The growth of social networking platforms such as Facebook and Twitter has raised additional concerns, particularly in the use of those resources by law enforcement agencies. In March 2010, for example, it was reported that the IRS and the Justice Department were training their agents and investigators on accessing personal information from social networking sites.
The Electronic Communications Privacy Act (ECPA) is the major piece of federal law that regulates the use of electronic communications, both by law enforcement agencies and by others. The 1986 Act was an attempt to update earlier anti-wiretap laws to adapt to new computer technologies and communication networks. The ECPA applies to government officials in both law-enforcement and other contexts, as well as to private parties and corporations.
The ECPA has three major components to it. First is the Wiretap Act, which addresses the intentional interception of any "wire, oral or electronic communication." This applies to traditional wiretapping of telephone lines, as well as hacking electronic communications and recording (through an analog or digital device) of any "oral" communication. In order to legally intercept a communication the government must meet the Fourth Amendment requirements of probable cause and obtain a search warrant.
The second component is known as the Stored Communications Act, which addresses access to any "wire or electronic communication while it is in electronic storage." Unauthorized access to or disclosure of the contents of stored communication by service providers is forbidden except by court order. The third component is the Pen Register Act, which requires a court order in order to install any device that traces "dialing, routing, addressing, or signaling information."
While the ECPA provides some privacy protections for electronic communications, there are limits to its effectiveness. Under the Wiretap Act, if one party consents to the interception or recording, then the law is not violated. More critically, the Stored Communications Act provides less protection to stored electronic communication than to in-transit information, and has a narrow definition of "in-transit." Most documents, such as emails, photographs, search queries, social networking posts and the like, spend very little time "in transit"-being electronically shuttled from one server to another-and more time in "storage" on a client or server. Documents in storage can be obtained with a simple subpoena, which does not require probable cause.
The reasoning behind the lesser protection given to stored communication is that because that communication has already been shared with a third party-the recipient or recipients, as well as the communication service provider-it is entitled to less privacy protection. However, privacy advocates argue that computer files, particularly those that are increasingly stored on hosted servers, should be entitled to the same protection as physical files stored at the home or office.
To that end the coalition has outlined four principals that the ECPA should include. The first is that a search warrant based on probable cause should be required in order to access private communications or documents in electronic storage. This would provide the same high level of legal safeguard for digital content while both in transit and in storage.
The ECPA should also be amended to require a search warrant for tracking the location of cell phones or other mobile devices. The ECPA does not address the ubiquitous GPS devices now in many electronic devices. While court decisions usually have required a search warrant for real-time tracking, the coalition would apply the same standard for all access to GPS data, whether past, real-time, or stored information.
The third principal would require law enforcement to demonstrate that tracking information about any electronic communication-email, messaging, phone, peer-to-peer, web searches, URLs visited, etc.-must be relevant to a specific criminal investigation before they are allowed to obtain the information. The fourth principal would require the same relevance standard for tracking the activities of multiple users, such as everyone who visited a particular website.
Not everyone is supportive of the coalition's proposals. Law enforcement agencies are likely to argue that implementation of these standards will make it more difficult to track criminal or terrorist activities through their electronic communications. The Obama administration is reported to object to at least some of the proposals. Digital content providers (notably absent from the Digital Due Process coalition) would likely share similar concerns about their ability to track illegal downloading and obtain identity information about users engaged in copyright infringement. The coalition has indicated that their proposals would not affect commercial and marketing interests.
As of now, legislation to amend the ECPA has not been introduced in Congress. However, Senator Leahy (D-VT) has spoken in support of the coalition and indicated that he plans to hold Congressional hearings on the issue.
Privacy and law enforcement positions are often at odds with each other. The greater the privacy protections, the harder it is for law enforcement-including civil law enforcement such as copyright protection-to protect society. But greater protection through enforcement usually means weaker privacy protections. The Digital Due Process coalition's express goals are to bring balance to those competing positions as the law struggles to deal with 21st century technologies.