Electronic privacy

  • July 17, 2014

    by Jeremy Leaming

    Eighty-three percent of American “voters believe police should get a warrant before searching personal information on someone’s cell phone,” Microsoft General Counsel Brad Smith notes in a post on Digital Constitution.

    The survey conducted by the research firm, Anzalone Liszt Grove, following the U.S. Supreme Court’s unanimous opinion in Riley v. California, also reveals that 86 percent of respondents “believe police should have to follow the same legal requirements for obtaining personal information in the cloud as they do for personal information stored on paper.” In Riley, the high court found that police need warrants to search mobile devices of people they arrest.

    Smith says that while the Riley decision can be viewed as a “historic first step,” it only addresses “one of many questions that the growth of technology is posing for our privacy laws. We’ve raised another unresolved question in a case in federal court in New York in which we’re challenging a search warrant seeking customer communications stored in our data center in Ireland.”

    He continued that Microsoft believes it is a “problem for governments to use a warrant to reach across international borders and search a person’s email without respecting local privacy laws.” Smith then cites the survey that says a majority of Americans agree.

    Seventy-nine percent of those polled believe the “federal government should have to respect local privacy laws when searching through people’s personal information like their email accounts.” Moreover, the survey found 56 percent of respondents are “worried” that if the federal government demands “information in other countries without going through their governments, then other countries will follow suit and force companies to turn over Americans’ private information.”

    Smith concludes that the polling, all of which is available here, “suggests” Americans understand “what’s at stake for technology and the future of privacy.”

  • April 21, 2014
    Guest Post

    by Mark M. Jaycox, Legislative Analyst, Electronic Frontier Foundation

    The Electronic Communications Privacy Act (ECPA), which governs when service providers may disclose private online messages like Twitter direct messages, was ahead of its time in 1986. In the nearly three decades since it passed, however, it has fallen woefully out of date. The government has used one archaic section to skirt the Fourth Amendment’s warrant requirement and obtain online messages older than 180 days with a simple subpoena based on much less than probable cause. Courts are leading the charge to ensure ECPA doesn't violate the Fourth Amendment, but Congress must step to the plate and make common-sense changes to ECPA by explicitly requiring a warrant before the government can access your private online messages or your mobile phone location data.

    Just because your emails are stored online must not mean they have any less protection than if they were printed out and sitting on your desk. The Fourth Amendment's warrant requirement cannot be ignored. The archaic law is an example of a typical statute that isn't "technology neutral." Nowadays people store emails and other private messages they care about most for extended periods of time online.

    The statute is also out of date regarding how law enforcement can obtain location data from your mobile phone. ECPA does not specifically say when geolocation can be obtained by law enforcement, so many law enforcement agencies don't currently obtain a warrant when they want your mobile location in the past or present. It's another example of how flaws in ECPA have been abused by the government to skirt the Fourth Amendment’s protections.

    In both instances, Courts are leading the charge to ensure ECPA is in line with Fourth Amendment requirements. In a U.S. Court of Appeals for the Sixth Circuit opinion called U.S. v. Warshak, the Court noted that emails and other private communications are protected by the Fourth Amendment. As a result, many Internet providers and other companies storing online communications require a warrant in all cases, despite any language in ECPA to the contrary. When it comes to issuing a warrant for geolocation, a circuit split exists between the U.S. Court of Appeals for the Third Circuit, which ruled that a warrant could be required for location information, and the U.S. Court of Appeals for the Fifth Circuit, which ruled that an order based on a lower threshold suffices. At the state level, courts in New Jersey and Massachusetts have firmly sided on ensuring law enforcement obtains a warrant, while states like Utah, Indiana and Montana passed laws requiring a warrant for geolocation.

    Congress is only now beginning to catch up with the judiciary. Representatives Kevin Yoder, Tom Graves, and Jared Polis have introduced The Email Privacy Act, which provides a "clean" update to ECPA by requiring law enforcement obtain a warrant before seeking any online private messages. And Senator Ron Wyden and Representative Jason Chaffetz have introduced the GPS Act, which requires law enforcement to obtain a warrant before obtaining geolocation.

  • April 14, 2014
    Guest Post
    by Peter M. Shane, Jacob E. Davis and Jacob E. Davis II Chair in Law, Moritz College of Law, The Ohio State University
     
    * Author's Note: I had the privilege on April 4 of delivering the following remarks as part of a panel on "Creating the Politics of Privacy," a session of the capstone conference for Ohio State's 2013-14 series of campus-wide programs on the distinction between public and private.
     
    ** This post originally appeared at The Huffington Post.
     
    America's cultural turn in recent decades toward a glorification of the private and a denigration of the public has coexisted with what quite obviously is a deterioration in privacy. As individuals, we have dramatically less capacity than in earlier decades to control information about even the most personal aspects of our lives. This is not just historical coincidence. The cultural turn to the "private" has actually hurt privacy.
     
    What I mean by a cultural turn is that, for the last 35-ish years, U.S. law and politics have moved away from the public-regarding orientation of the New Deal and its programmatic outgrowths and toward the individualist orientation of Reaganite small-government conservatism. We can see these moves in a variety of ways that implicate the private/public distinction. For example, we know that public institutions, such as schools, simultaneously create both public value and private value. They help both to benefit society through an educated citizenry and to prepare individuals for economic self-sufficiency. Yet our public policy toward schools has increasingly emphasized only their private value as providing persuasive reasons for their support.
     
    Likewise, private action simultaneously has both private and public impacts. What I do as an individual both serves my personal needs and gratifications and imposes externalities on others. Not all externalities are positive. Yet courts and politicians have increasingly resisted treating negative externalities as a sufficient justification for regulation. Supreme Court decisions limiting Congress' powers to keep guns away from schools or to provide federal remedies for domestic violence are perfect examples. The court's 2012 decision that Congress lacked power under the Commerce Clause to compel the private purchase of health insurance was based on legal arguments that earlier courts would have rejected out of hand.
     
  • April 11, 2014
    Guest Post

    by Sandra Fulton, Legislative Assistant, American Civil Liberties Union

    During the long, hard fight to bring the outdated Electronic Communications Privacy Act (ECPA) into the 21st century, advocates have run into the most unlikely of opponents: the Securities and Exchange Commission (SEC). Yes, the SEC—the agency charged with regulating the securities industry—has brought the ECPA update to a screeching halt. Yesterday the ACLU, along with the Heritage Foundation, Americans for Tax Reform and the Center for Democracy and Technology, sent the agency a letter calling them out on their opposition.

    ECPA, enacted in 1986, is the main statute protecting our online communications from unauthorized government access. Unfortunately, as our lives have moved online the law has remained stagnant, leaving dangerous loopholes in our privacy protections. A broad coalition including privacy and consumer advocates, civil rights organizations, tech companies, and members of Congress from both parties has been pushing for an update. Strong bipartisan legislation to update the law has over 200 sponsors and is making serious headway in Congress. Even the Department of Justice—the law enforcement agency with arguably the most to lose in such an update—testified that some ECPA loopholes need to be closed.

    But the SEC is pushing back – essentially arguing that they should get to keep one of the loopholes that have developed as the law has aged. When ECPA was passed in 1986, Congress developed an elaborate framework aimed at mirroring existing constitutional protections. Newer email, less than 180 days old, was accessible only with a warrant. Based on the technology of the time, older email was assumed to be “abandoned” and was made accessible with a mere subpoena. Similarly, another category of digital records, “remote computing services,” was created for information you outsourced to another company for data processing. Seen as similar to business records, it could also be collected with a subpoena under the law.

    Fast forward to the 21st Century. Now we keep a decade of email in our inboxes and “remote computing services” has morphed into Facebook keeping all our photos or Microsoft storing our Word documents in their cloud. Suddenly the SEC can access content in a way it never could before.

  • April 10, 2014
    Guest Post
    by Christopher Wolf, Director, Privacy and Information Management Practice Group, Hogan Lovells LLP; Founder and Co-Chair, Future of Privacy Forum
     
    The Snowden revelations about NSA activities have brought government access to online data into the public eye over the past year. Allegations that surveillance programs may have impacted American citizens have led to public outrage. In response, the president has promised to reform the U.S. government surveillance apparatus to “provide greater transparency to our surveillance activities and fortify the safeguards that protect the privacy of U.S. persons.”  
     
    Long before the Snowden revelations, enhancing the privacy of U.S. persons was the focus of less-visible efforts to reform the Electronic Communications Privacy Act (ECPA), a law enacted well before the Internet era that allows law enforcement access to a panoply of electronic information held by third-party information service providers without first obtaining a warrant.
     
    In December 2013, more than 100,000 Americans signed an online petition calling on the Obama administration to support ECPA reform. Although a warm spring finally is emerging in Washington, D.C., the White House has remained silent as reform bills (e.g., S. 607 and H.R. 1847) remain frozen in Congress.