Obama’s talked a big game about online privacy. He promised reform during the 2008 campaign. A year ago, the White House proposed a “Privacy Bill of Rights.” But so far, the Administration’s delivered little more than fine words. Worse, they’ve focused on the wrong problems.
Government has an important role to play in protecting consumer privacy, but its snooping and surveillance are far bigger problems—which have only grown worse. While Washington talks of a new commercial privacy “Bill of Rights,” the real Bill of Rights is in peril.
The American Revolution erupted, in large part, out of seething resentment at British privacy intrusions—without judicial supervision. Virginia adopted its own Bill of Rights shortly before the Declaration of Independence, including what later became Madison’s Fourth Amendment to the Constitution: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” Law enforcement must generally obtain a warrant before conducting a search—which means convincing a judge that probable cause exists to believe a crime has been committed.
The Fourth Amendment applies to digital files just like paper files—but only if you don’t give them to a third party. That caveat makes some sense offline: if you gave your diary away, would you really expect it to stay secret? But online, it makes no sense at all: we increasingly store our most private communications in the “cloud”—on servers owned by Dropbox, Google, Facebook, etc. Congress attempted to fill this judge-made gap in Fourth Amendment protections by passing the Electronic Communications Privacy Act in 1986. But the law protects only data held for short periods—and thus no longer protects us.
Meanwhile, government snooping has grown significantly. Google last week published an updated report showing the company received nearly two and a half times as many requests from law enforcement for user data as in the same period in 2009. Most of these came without a warrant. That isn’t necessarily a problem, since these numbers include both requests for “content” (emails, documents) and basic subscriber information (name, etc.)—and even the Fourth Amendment doesn’t require a warrant for the latter. (After all, law enforcement needs to be able to build an investigation to establish probable cause.) Google, like Facebook, Yahoo! and Microsoft, insists on getting warrants for content information. But smaller companies with fewer lawyers probably don’t. No one really knows how much unconstitutional snooping goes on because Google’s transparency report is quite unusual.
Those internet companies that do insist on warrants generally started doing so only after a federal appellate court in 2010 ruled that the Fourth Amendment requires them—despite that pesky “third party doctrine.” Shortly after the White House report, the Supreme Court handed down a landmark decision in U.S. v Jones requiring a warrant for planting a tracking device on a car. More importantly, five justices called on Congress to craft new legislative protections for location data. Justice Sotomayor lamented the lack of effective protection for content data.
There’s bipartisan support for such reforms but it’s thin. The Senate finally passed a warrant requirement for content in December, handing the matter over to the House. The good news is that the House Republican and Senate Democratic chairmen of the judiciary committees have pledged to work together on a fix. The bad news is that the issue hasn’t yet been made a priority by either party’s leadership. And the Republican-led bill to require a warrant for location data faces a harder fight from law enforcement agencies that still insist they shouldn’t have to bother convincing courts for permission to track our movements.
And still, the Administration has said nothing. The Commerce Department, which drafted the “Bill of Rights” report, is supposed to promote American competitiveness—but doesn’t realize that many American businesses hesitate to adopt cloud-based enterprise software solutions, lest they give a backdoor into their files to Obama’s regulators—who boldly talk about “crucifying” American companies. That mistrust is an even bigger problem overseas: American companies like Amazon and Salesforce dominate the cloud computing market, yet struggle to get Europeans, in particular, to trust them. Respecting our Constitution would be good for business—if we did it.
Still worse is the mistrust at home and abroad created by the Foreign Intelligence Surveillance and Patriot Acts, which allow national security agencies to snoop online with little judicial oversight—and often without any notice to those whose online communications have been wiretapped. Obama just signed an extension to FISA, despite promises he made as a Senator to filibuster any such bill. Many worry the act legalizes a surveillance program that inadvertently sweeps up Americans’ communications even though its aim is to collect information outside the U.S. The Administration offered no support when a bipartisan coalition tried to “require a report on the impact of the FISA Amendments Act of 2008 on the privacy of the people of the United States.”
Europeans bitterly resent these laws, particularly because they deny recourse to non-U.S. citizens who might be spied on. They’re now threatening to block data transfers to the U.S., essentially shutting off digital trade, by deeming that the U.S. no longer has “adequate” privacy protections. Yet the Commerce Department and the Federal Trade Commission have stayed mum. Why?
As the chief U.S. privacy regulator, the FTC holds the bully pulpit. They haven’t been shy about calling for new legislation to grow their own powers—but haven’t said a word about the problem of unchecked government access. They’ve spent the last four years talking about the threat posed by tracking—by advertisers, not government, as if anyone ever went to jail because of getting the wrong online ad. They want to make our approach to privacy regulation more European to maintain our “adequacy” status—but ignore the Europeans’ bigger concern: government snooping.
They’ve also failed to focus on bigger privacy threats to consumers—like identity theft, the number one complaint at the FTC for over a decade. Under Bush, the FTC focused its limited resources on combating the theft and breach of sensitive online information. Obama’s FTC has held a flurry of privacy workshops, but none focused on identity theft. Congress has failed to pass legislation to set minimum standards for securing consumer data, and the FTC has not used its rulemaking power in the one area where regulation is quite justified. This has left the agency to set security standards piecemeal, in a series of enforcement actions that do little to guide companies on sound data security. The FTC now faces its first court challenge about this approach—and could lose.
In short, if 2012 was a good year for privacy, it’s only because the bar has been set so low—and it wasn’t because the Administration delivered the kind of “Change” Obama promised during the 2008 campaign. 2013 could turn out better. The ECPA content fix could pass quickly, especially if Republicans eager to shed their stodgy image decide to make it a signature issue. But ECPA reform will be incomplete until it includes the location fix and the other principles around which 77 civil liberties groups, companies and trade associations have rallied in the “Digital Due Process” coalition, founded nearly three years ago. FISA doesn’t seem likely to get better anytime soon, but there is some cause for celebration on government access: Late last year, Congress finally reconstituted the Privacy and Civil Liberties Oversight Board, a key recommendation of the 9/11 Commission. Congress now just needs to confirm the Board’s chairman and appropriate $2 million to fund it—a small price to pay for some degree of oversight on government access. Finally, the retirement of FTC Chairman Jon Leibowitz seems imminent. The new chairman’s confirmation hearings offer a golden opportunity to make clear that privacy protection from government is inextricably intertwined with protection by government against corporate abuses and the negligence that leads to real harms like identity theft.
Any of these developments would be well worth celebrating on Privacy Day 2014.
[Crossposted at Forbes.com]