Google, Microsoft, eBay, telecoms companies and civil liberties groups in the US have called on the US government to update electronic privacy laws to take account of the internet and protect citizens from state snooping.
The companies and organisations claim that the current law, 1986's Electronic Communications Privacy Act (ECPA), is confusing and out of date and no longer protects citizens' privacy. They want the US government to pass a new law protecting the huge amounts of personal information that flows through or is stored via the internet.
"ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected," said a statement from the campaign group they have formed, Digital Due Process. "The time for an update to the ECPA is now."
"We have developed consensus around the notion of a core set of principles intended to simplify, clarify, and unify the ECPA standards; provide clearer privacy protections for subscribers taking into account changes in technology and usage patterns; and preserve the legal tools necessary for government agencies to enforce the laws and protect the public," it said.
The new group said that since 1986 the population of the US has started using email, the internet, mobile phones, cloud computing, social networking and other digital services that involve their private information and could not have been foreseen by the makers of the ECPA.
It said that the law is inconsistent and nonsensical. A document locally stored on a computer can only be viewed by the authorities with a warrant, but if it is stored remotely with a service provider it can be seen without a warrant.
"Technology has changed dramatically in the last 20 years, but the law has not," said Jim Dempsey, vice president for public policy at digital rights pressure group the Center for Democracy and Technology, which is behind the formation of the Digital Due Process group.
"The traditional standard for the government to search your home or office and read your mail or seize your personal papers is a judicial warrant. The law needs to be clear that the same standard applies to email and documents stored with a service provider, while at the same time be flexible enough to meet law enforcement needs," Dempsey said.
"Citizens need government action to ensure that as more information moves from the desktop to the cloud, the country retains the traditional balance of privacy vis-à-vis the state," said Mike Hintze, associate general counsel at Microsoft. "Many Americans take for granted the protections of the Bill of Rights that prevent the government from coming into people’s homes without a valid search warrant. The rise of cloud computing should not diminish these privacy safeguards."
Microsoft's top lawyer Brad Smith called earlier this year for a new law that would specifically address cloud computing and the legal issues that arise concerning the remote storage of private information.
"We need Congress to modernise the laws, adapt them to the cloud, and adopt new measures to protect privacy and promote security," said Smith in January. "That’s why we’ve concluded that we need a Cloud Computing Advancement Act that will promote innovation, protect consumers, and provide the executive branch with the new tools needed for a new technology era."
"The rise of cloud computing should not lead to the demise of the privacy safeguards in the Bill of Rights. The public needs prompt and thoughtful action to ensure that the rights of citizens and government are fairly balanced so that these rights remain protected," said Smith.
Digital Due Process does not want a whole new law written, but does want the existing law modified.
It said that the law should be neutral with regard to how material is created, communicated or stored. "A particular kind of information (for example, the content of private communications) should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it," it said.
It also said that the information should be protected to the same degree whether it was in transit or stored; and that whether a message had been 'opened' or not should not cause the information to be treated differently.
It also said that the law should be clear and simple so that it could be understood by everyone, and that existing exceptions to it - such as the one allowing disclosures without a warrant in emergencies - should be preserved.
"Though members of the coalition may differ on the specifics, and some individual members would support additional changes, we all agree that these principles provide a framework for opening a public dialogue on the issue," said the Digital Due Process statement.
The principles of the coalition
- A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.
- A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.
- A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).
- Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.