Digital Due Process: Protecting Americans’ Privacy by Restoring Constitutional Limits to Government in ECPA

by on March 30, 2010 · 20 comments

By Ryan Radia & Berin Szoka

Today a broad array of civil liberties groups, think tanks, and technology companies launched the Digital Due Process coalition. The coalition’s mission is to educate lawmakers and the public about the need to update U.S. privacy laws to better safeguard individual information online and ensure that federal privacy statutes accurately reflect the realities of the digital age.

Over 20 organizations belong to the Digital Due Process coalition, including such odd bedfellows as AT&T, Google, Microsoft, the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, The Progress & Freedom Foundation (where Berin works), the Competitive Enterprise Institute (where Ryan works), the Internet Technology & Innovation Foundation, Citizens Against Government Waste, and Americans for Tax Reform. The full member list is available at the coalition’s website.

Amidst the heated tech policy wars, it’s not every day that such a diverse group of organizations comes together to endorse a unified set of core principles for legislative reform. Over two years in the making, the Digital Due Process coalition, spearheaded by the Center for Democracy & Technology, is a testament to the broad consensus that’s emerged among business leaders, activists, and scholars regarding the inadequacies of the current legal regime intended to protect Americans’ privacy from government snooping and the need for Congress to revisit decades-old privacy statutes. It also represents a revival of a bipartisan consensus on the need for reform reached back in 2000, when the Republican-led House Judiciary Committee voted 20-1 to approve very similar reforms (HR 5018).

Today, in the digital age, robust privacy laws are more important than ever. That’s because U.S. courts have been unwilling to extend the Fourth Amendment’s protection against unreasonable search and seizure to individual information stored with third parties such as cloud computing providers. Thus, while government authorities must get a search warrant based on probable cause before they can lawfully rifle through documents stored in your desk, basement, or safe deposit box, information you store on the cloud enjoys no Constitutional protection. (Some legal scholars argue this interpretation of the Fourth Amendment, referred to as the Third Party Doctrine, is outdated and deficient. See, for example, Jim Harper’s excellent 2008 article in the American University Law Review.)

To be sure, this doesn’t mean that data stored in the cloud is completely without legal protection. In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA), a then-forward-looking law that established several new privacy protections limiting governmental access to consumer data stored or transmitted by “remote computing service providers” and “electronic communications service providers.” Thanks to this law, along with earlier statutes such as the Wiretap Act, most electronic communications transmitted today enjoy some degree of legal protection. Unfortunately, the law’s provisions don’t reflect the reality of modern digital communications, nor do they offer sufficient protections for sensitive items like emails, mobile device locational information, and instant messages.

To remedy these deficiencies, the Digital Due Process coalition has offered four principles for Congress to consider as it revisits ECPA. In essence, they would require that government obtain:

  • A search warrant from the court, upon the showing of “probable cause” required by the Fourth Amendment, before compelling “cloud” providers to disclose most kinds of private communications or mobile location information;
  • A court order subject to meaningful judicial review before compelling providers to disclose dialed number information or email to and from information; and
  • Judicial approval, rather than a mere subpoena, before compelling providers to disclose non-particularized information about individual accounts.

These proposed reforms, if enacted, would go a long way toward ensuring that individuals enjoy the same legal protections online that the Fourth Amendment has long provided in the offline world. The principles would also empower cloud computing and mobile service providers to offer more robust privacy assurances to users. Such assurances will help strengthen user trust in of cloud computing and, consequently, may spur innovation in cloud computing services that involve highly sensitive data like health information.

This call to action is also a reminder that restricting the power of government, not the private sector, is the solution to the privacy challenges of the digital age. Privacy advocates and zealots alike often focus on the risks of private data collection. Yet the greatest, and most demonstrable, of these risks comes not from private firms but from the real Big Brother: the risk that government will get its hands on private data without meaningful judicial oversight.

As we’ve long argued (see Ryan’s essay with Wayne Crews, “Selling Out Online Advertising,” and Berin’s comments to the FTC’s Exploring Privacy Roundtable last November), the consumer benefit of individualized data collection and use is nothing short of spectacular. Without it, services like Gmail, Google search, and Facebook likely wouldn’t exist. (And it’s only 2010—the best is yet to come!) Simply put, there is no free lunch!

But data collection has a real downside: As long as sensitive information remains stored on a provider’s server, there’s a risk that it will end up in the wrong hands. Through smart information security practices and privacy policies enforced both by the FTC and strong reputational forces, the private sector has generally done a good job of safeguarding individual data, with rare exceptions. Yet, today, no amount of security or legalese or good intentions can protect against a government subpoena issued in compliance with ECPA’s outdated, inconsistent and downright byzantine legal standards—which vary widely depending on whether messages have been opened, how long they’ve been on the server, etc.

The reforms proposed by the Digital Due Process Coalition would fix this gaping hole in America’s privacy laws, allowing individuals to rest assured that their personal information won’t end up in the hands of government unless probable cause is shown before a court of law. That’s the promise enshrined in the Fourth Amendment—a promise we seek to restore.

  • http://srynas.blogspot.com/ Steve R.

    I still don't believe that there is a clearly articulated case concerning what constitutes a “right to privacy”. First, I find this post disappointing since it typically focuses on government collecting your data while ignoring the abuse of private companies. Now, I am not going to defend the collection of data by government, but I find the assertions that “the private sector has generally done a good job of safeguarding individual data, with rare exceptions.” to be totally unsupported. Furthermore, there really is NO incentive for private companies to actually protect your data since they make money by trading your personal information.

    Allegorical evidence, I have been sent (on several occasions) new credit credit cards because of data security breaches. Companies routinely trade/sell/rent your information to their “partners”. Companies make it difficult for you to opt-out. For example, when you register Turbotax you enter your personal information. Want to opt-out you have to go through several additional screens and then manually re-enter all the same information. Clearly this is being done by a private company (not the government) to discourage you from keeping your data private.

    TJX Data Security Breach Saga Continues David Johnson wrote “The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.”

    To change “gears” a bit. I am even more puzzled concerning the assertion that “These proposed reforms, if enacted, would go a long way toward ensuring that individuals enjoy the same legal protections online that the Fourth Amendment has long provided in the offline world. “. It seems that proposed laws are actually going in the opposite direction. For example, from TechDirt Once Again Privacy Laws And Anti-Piracy Data Retention Laws Conflict. Mike Masnick wrote “We've noticed in the past that there are two massively conflicting ideas pushed by politicians: privacy laws that require companies to dump data they collect on users and data-retention laws that require companies to hold onto data for law enforcement or anti-piracy efforts.” also there is a “big” government article Biden's “IP roundtable” brings together Big Content, FBI in Ars Technica by Nate Anderson

    The comments by Nate and Mike raise the following concern. Since the TLF is opposed government intrusion, why are there so few posts on the TLF condemning the attempts of lawmakers to pass laws that invade a persons privacy in the name of fighting the red-herring of piracy?

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    So… are you saying you don't support increased protections from government access, Steve?

  • http://www.cdt.org/ HLGCDT

    Steve R.:

    Several members of the Digital Due Process coalition agree that the treatment of consumer data held by private companies is still a big issue, and some are working independently on projects to strengthen the laws in this area. However, the Digital Due Process coalition is focused only on government access to private data.

    There are several reasons for not including strictly private sector privacy issues in the coalition's proposed reforms. The coalition itself is remarkably diverse: it includes major companies as well as think tanks from across the political spectrum. Throwing a sweeping proposal to address private sector privacy laws into our ECPA reform principles would make it far more difficult to 1) gain consensus from the coalition's members and 2) convince lawmakers and government officials that the law should be updated to reflect our principles. So, at this time, we are trying to focus our resources on ECPA rather than overhaul the entire U.S. privacy legal framework.

    If I may touch briefly on your second point, the ECPA reform principles put forth by DDP do not include any data retention requirements. However, this could be something the government eventually pushes for if the movement to reform ECPA gains significant traction. Some DDP coalition members strongly oppose any data retention requirement being built into IP laws, while other members may feel differently. Like private sector privacy laws, DDP coalition members are currently addressing this issue as individuals and not as a group.

    Thank you!

    Harley Geiger
    Counsel
    Center for Democracy & Technology
    http://www.cdt.org

  • http://srynas.blogspot.com/ Steve R.

    Not at all. I believe in equal opportunity for the private sector to enjoy the same legal constraints as government.

    As previously noted, there is a bit of schizophrenia on this issue. We get all worked-up over certain aspects of government data collection but then ignore other aspects. The New York Times recently published an incredibly dumb article concerning how automating utility meters would be a threat to privacy, but then when it comes to laws such as the Pro-IP Act there is only a small whisper concerning the loss of privacy and personal freedom resulting from increased governmental intrusion. Jim Harper did a post two years ago (December 2007). Jim wrote “These new federal bureaucrats would essentially have one responsibility — protecting the business interests of the biggest names in movies, music, and software.” Clearly if we want to keep an ever growing government out of our lives (especially when it comes to laws that serve a special interest group) I would hope that the TLF would take a greater interest in exposing these unfortunate laws.

  • billr54

    While I agree with Steve R that the private sector has not done a particularly good job of protecting data and in fact does sell it whenever they can make a buck on it, at least I can opt out if I do the work. I can't opt out of government intrusions. We need better protections from both and this is a good start. For the private sector, an expiration date for data might be useful. Doesn't work for remotely stored backups of course but for email, messaging, etc., it seems that automatic deletion after a 'brief' period of time would be a much welcomed consumer friendly policy. It would also limit how far back governments could go with or without search warrants.

  • Ryan Radia

    That's a fair point. Unfortunately, however, threats to liberty are abundant while TLFers (and cyberlibertarians in general) are scarce. As a group, perhaps we could do a better job being “equal opportunity” critics of infringements on freedom. But like most group blogs, our areas of focus are in large part determined by the expertise and interests of our contributors. And from time to time TLFers do touch on some of the issues you raise (Cord's discussion of the Special 301 Watchlistand Jerry's recent post on ACTA, for instance).

  • http://srynas.blogspot.com/ Steve R.

    Yes, those were good posts.

  • Pingback: Digital Due Process: Protecting Americans’ Privacy by Restoring Constitutional Limits to Government in ECPA (Ryan Radia/Technology Liberation Front) | TechCombo

  • http://srynas.blogspot.com/ Steve R.

    I still don't believe that there is a clearly articulated case concerning what constitutes a “right to privacy”. First, I find this post disappointing since it typically focuses on government collecting your data while ignoring the abuse of private companies. Now, I am not going to defend the collection of data by government, but I find the assertions that “the private sector has generally done a good job of safeguarding individual data, with rare exceptions.” to be totally unsupported. Furthermore, there really is NO incentive for private companies to actually protect your data since they make money by trading your personal information.

    Allegorical evidence, I have been sent (on several occasions) new credit credit cards because of data security breaches. Companies routinely trade/sell/rent your information to their “partners”. Companies make it difficult for you to opt-out. For example, when you register Turbotax you enter your personal information. Want to opt-out you have to go through several additional screens and then manually re-enter all the same information. Clearly this is being done by a private company (not the government) to discourage you from keeping your data private.

    TJX Data Security Breach Saga Continues David Johnson wrote “The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.”

    To change “gears” a bit. I am even more puzzled concerning the assertion that “These proposed reforms, if enacted, would go a long way toward ensuring that individuals enjoy the same legal protections online that the Fourth Amendment has long provided in the offline world. “. It seems that proposed laws are actually going in the opposite direction. (This example from Sweden) From TechDirt Once Again Privacy Laws And Anti-Piracy Data Retention Laws Conflict. Mike Masnick wrote “We've noticed in the past that there are two massively conflicting ideas pushed by politicians: privacy laws that require companies to dump data they collect on users and data-retention laws that require companies to hold onto data for law enforcement or anti-piracy efforts.” also there is potential “big” government involvement based on the article Biden's “IP roundtable” brings together Big Content, FBI in Ars Technica by Nate Anderson

    The comments by Nate and Mike raise the following concern. Since the TLF is opposed government intrusion, why are there so few posts on the TLF condemning the attempts of lawmakers to pass laws that invade a person's privacy in the name of fighting the red-herring of piracy?

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    So… are you saying you don't support increased protections from government access, Steve?

  • http://www.cdt.org/ HLGCDT

    Steve R.:

    Several members of the Digital Due Process coalition agree that the treatment of consumer data held by private companies is still a big issue, and some are working independently on projects to strengthen the laws in this area. However, the Digital Due Process coalition is focused only on government access to private data.

    There are several reasons for not including strictly private sector privacy issues in the coalition's proposed reforms. The coalition itself is remarkably diverse: it includes major companies as well as think tanks from across the political spectrum. Throwing a sweeping proposal to address private sector privacy laws into our ECPA reform principles would make it far more difficult to 1) gain consensus from the coalition's members and 2) convince lawmakers and government officials that the law should be updated to reflect our principles. So, at this time, we are trying to focus our resources on ECPA rather than overhaul the entire U.S. privacy legal framework.

    If I may touch briefly on your second point, the ECPA reform principles put forth by DDP do not include any data retention requirements. However, this could be something the government eventually pushes for if the movement to reform ECPA gains significant traction. Some DDP coalition members strongly oppose any data retention requirement being built into IP laws, while other members may feel differently. Like private sector privacy laws, DDP coalition members are currently addressing this issue as individuals and not as a group.

    Thank you!

    Harley Geiger
    Counsel
    Center for Democracy & Technology
    http://www.cdt.org

  • http://srynas.blogspot.com/ Steve R.

    Not at all. I believe in equal opportunity for the private sector to enjoy the same legal constraints as government.

    As previously noted, there is a bit of schizophrenia on this issue. We get all worked-up over certain aspects of government data collection but then ignore other aspects. The New York Times recently published an incredibly dumb article concerning how automating utility meters would be a threat to privacy, but then when it comes to laws such as the Pro-IP Act there is only a small whisper concerning the loss of privacy and personal freedom resulting from increased governmental intrusion. Jim Harper did a post two years ago (December 2007). Jim wrote “These new federal bureaucrats would essentially have one responsibility — protecting the business interests of the biggest names in movies, music, and software.” Clearly if we want to keep an ever growing government out of our lives (especially when it comes to laws that serve a special interest group) I would hope that the TLF would take a greater interest in exposing these unfortunate laws.

  • billr54

    While I agree with Steve R that the private sector has not done a particularly good job of protecting data and in fact does sell it whenever they can make a buck on it, at least I can opt out if I do the work. I can't opt out of government intrusions. We need better protections from both and this is a good start. For the private sector, an expiration date for data might be useful. Doesn't work for remotely stored backups of course but for email, messaging, etc., it seems that automatic deletion after a 'brief' period of time would be a much welcomed consumer friendly policy. It would also limit how far back governments could go with or without search warrants.

  • Ryan Radia

    That's a fair point. Unfortunately, however, threats to liberty are abundant while TLFers (and cyberlibertarians in general) are all too scarce. As a group, we're admittedly not perfect when it comes to being “equal opportunity” critics of infringements on freedom. But like most group blogs, our areas of focus are in large part determined by the expertise and interests of our contributors. And from time to time TLFers do touch on some of the issues you raise (Cord's discussion of the Special 301 Watchlist and Jerry's recent post on ACTA, for instance).

  • http://srynas.blogspot.com/ Steve R.

    Yes, those were good posts.

  • Pingback: The Politics of ECPA Reform: Protecting Us from the Real Big Brother

  • Pingback: TechFreedom, CEI & ATR’s DigitalLiberty.net Applaud Proposed ECPA Reforms

  • Pingback: Blackburn DC Privacy Roundtable 9/14: The Free-Market, Pro-Data Approach

  • Pingback: Copyright, Done Right: Warrantless Factory Searches Aren’t the Right Way to Stop DVD Piracy

  • Pingback: Proposed law to protect privacy introduced in US | Freedomwatch

Previous post:

Next post: