While they may disagree over consumer privacy, industry and privacy advocates have found common ground when it comes to whether Congress should make it more difficult for law enforcement to obtain such electronic communications as e-mails, computer documents, and cell-phone location records.
Usually this type of cooperation on an issue bodes well for its prospects in Congress, but supporters of overhauling the 1986 Electronic Communications Privacy Act have a more difficult obstacle: the Justice Department. The law, which has been amended a few times over the years, outlines the rules under which law enforcement can get access to electronic communications.
“I believe law-enforcement concerns are a big part of why this hasn’t moved,” said Morgan Reed, executive director of the Association for Competitive Technology.
Advocates of updating ECPA say changes in technology and varying interpretations by the courts have left a patchwork of standards that do not adequately protect modern-day communications. Under current rules, for example, law enforcement does not need a warrant to see e-mail that is more than 180 days old. When this standard was put into place, most Americans downloaded their e-mail from service providers like AOL, which then only kept such messages for a short time, such as the six-month standard included in the law, according to Greg Nojeim, senior counsel for the Center for Democracy and Technology.
“We’re stuck with privacy laws from the file-cabinet era,” said Business Software Alliance President and CEO Robert Holleyman. Failure to update ECPA, he said, “will hamper the growth of new technologies, like cloud computing,” which uses Internet-based resources to store and process data. Holleyman said that the outdated protections included in the privacy act are partly why his group put the United States in fourth place on a scorecard ranking how well 24 countries support cloud computing.
Some foreign providers of cloud services are using the issue to persuade their customers to use their cloud services over those provided by U.S. companies, according to both Holleyman and Reed. Their groups are part of the Digital Due Process Coalition, which has been pressing Congress to update ECPA for the past two years. The nonprofit coalition, which was launched by the Center for Democracy and Technology, promotes civil liberties in the digital age. It includes such companies as AT&T, Apple, Facebook, Google, and Microsoft as well as public-interest groups on both ends of the political spectrum, from the American Civil Liberties Union to Americans for Tax Reform.
“The absence of clear rules hurts the company offering cloud-based services because they don’t know what privacy they can promise,” Nojeim said. “It hurts law enforcement, because it doesn’t know what process is required [for obtaining data], and it hurts consumers, because they don’t know if their data is adequately protected by law.”
Last year, Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., introduced legislation to overhaul ECPA, and the bill included some of the changes favored by the coalition. The bill would get rid of the 180-day rule and require law enforcement to obtain a warrant to access stored electronic communications. The bill also would require a warrant or a court order under the Foreign Intelligence Surveillance Act to obtain location information from a user’s smartphone or another device.
While acknowledging that some changes are needed to ECPA, the Justice Department raised a question in testimony before the Senate Judiciary Committee last April about requiring a warrant for access to most electronic communications. Associate Deputy Attorney General James Baker detailed several examples of how the current ECPA rules have been used to help catch criminals. In one case, police in Baton Rouge, La., were able to use a subpoena to obtain cell-phone data to confirm a suspect’s location at the time that he was accused of shooting a police officer.
Such resistance appears to have had an effect on Congress. While Leahy says his bill remains a priority, his committee has yet to mark up the legislation. He has been trying to attract at least one Republican supporter, but so far he has yet to lure any cosponsors for his bill to reform ECPA.
Even if Congress fails to act, some privacy advocates say the courts may take matters into their own hands. The Supreme Court ruled in January that law enforcement cannot track suspects in real time using a GPS device without first obtaining a warrant. In their ruling, a majority of justices invited Congress to deal with the issue. In the lower courts, a federal judge in New York ruled last August that law enforcement violated the Constitution when it failed to get a warrant in obtaining stored cell-phone location data. And in December 2010, the Sixth Circuit Court of Appeals ruled that law enforcement needs a warrant to gain access to stored e-mail.
And there is still hope on the horizon that Congress may act this year.
“I could imagine a piece of ECPA reform happening this year,” Nojeim said. “At the end of every session, there are some efforts to move legislation. This could be one of them.”
This article appears in the March 28, 2012, edition of National Journal Daily.