September 4, 2015

Can California Lead on Privacy Moving from Pen and Paper to Cloud Computing?

ACSblog Symposium on ECPA Reform, data storage, ECPA reform, Electronic Communications Privacy Act, Internet privacy

by Anupam Chander, Director of the California International Law Center and Professor of Law at the University of California, Davis. He is the author of The Electronic Silk Road: How the Web Binds the World Together in Commerce, published by Yale University Press.

*This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

My parents grew up in a pen and paper world, where most of their writings and records were kept at home, in their offices, or with close confidantes. I grew up in a world of computers, but even my writings were mostly kept at home on hard drives and floppy disks (for today’s students, many of whom have never seen a floppy disk, a history of the floppy disk). My first writings were kept, astonishingly, on a cassette recorder, which stored what I typed on my TRS-80, a computer made by Radio Shack. That computer had a total memory of 16K, roughly 16,000 characters (not even words) of text.

My children are growing up in the cloud, where their writings and their records are being stored in remote computers. Because those computers are managed by Dropbox, Google, Microsoft, and their peers, their writings are far more secure than I ever managed when I stored my files on a floppy or a hard drive, both of which failed with remarkable regularity and maximally devastating timing.

But even if our kids never know the pain of losing a week’s work to faulty computing or an accidental deletion, they face a world where their writings are far more subject to government scrutiny than mine ever were. Not only are their writings subject to government searches, but also their whereabouts, through the tracking of smartphones. This is because while the Fourth Amendment clearly protects homes from searches and seizures without a warrant, it is not so clear that it protects writings and the records about us stored on a remote computer.

Do our children deserve less protection from government snooping because they are relying on cloud services? Right now, the law says that if the government wants to read what’s on my home computer, it has to get a warrant to do so. But if the government wants to read what our kids are storing privately online, they may not. (For a more detailed account of when the government can access information online without a warrant, see this ProPublica summary, updated as of June 2014, but not including Riley v. California, described below.)

Others in this symposium will discuss the reforms we need at the national level for this and related problems, including the LEADS Act, introduced by Senators Orrin Hatch, Dean Heller, and Chris Coons. I will focus my contribution on what we in California can do at home. The California legislature is currently considering a bill called the “California's Electronic Communications Privacy Act (CalECPA).” In the words of the Electronic Frontier Foundation, CalECPA would require state law enforcement “to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do.” The California bill would apply only to California state officials. Thus, even if CalECPA passes, we will still need reform at the national level.

Some will worry that a warrant requirement will stop police from accessing a cellphone or an email in an emergency. But the bill provides exceptions for emergencies, allowing police to access information without a warrant if they believe that “an emergency involving danger of death or serious physical injury to any person requires access.”

Others will argue that we should trust the police to gather whatever information they need from whatever source they want. Our founding fathers may not have anticipated the Internet, but they knew all too well the potential for the government to abuse citizens through warrantless searches. Indeed, the Bill of Rights sought to enshrine this freedom in the Constitution. Recently, the United States Supreme Court ruled that a police officer must have a warrant to search the cellphone of a person subject to arrest. In that case, Riley v. California, Chief Justice John Roberts explained that “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”

California’s concern with how technology might allow the invasion of privacy extends back at least to 1862, when the introduction of the telegraph caused worries about telegraph operators divulging messages. The Assembly accordingly passed “An Act for the Regulation of the Telegraph and to Secure Secrecy and Fidelity in the Transmission of Telegraphic Messages.” (I should note that I prefer the quaint and expressive legislative titles of the 19th century to the Orwellian and forced acronym-words of the 21st, such as the USA PATRIOT Act and the USA FREEDOM Act.) In 1905, in the face of yet a new communications technology, California extended its telegraph interception prohibition to the telephone.

California has led in cyber law before. It passed a security breach notification statute in 2002, requiring companies to notify Californians when their unencrypted data has been disclosed.

Support for this reform has been bipartisan. CalECPA is authored by Senator Mark Leno (D-San Francisco) and Senator Joel Anderson (R-Alpine). CalECPA has the support of a broad array of groups, from civil liberties groups such as the American Civil Liberties Union and the Electronic Frontier Foundation, to California-based technology companies like Apple, Facebook, Google and Twitter. On June 3, 2015, CalECPA passed out of the California Senate unanimously, 39 to 0. This week, the California state associations of police chiefs, state sheriffs, and district attorneys all withdrew their earlier opposition to the bill.

Cal-ECPA will be discussed next week on the floor of the California State Assembly. Given that the people of the world increasingly entrust the privacies of life to California companies, Californians should lead in protecting privacy.