Senators at a Judiciary Committee hearing last week expressed strong support for updating and clarifying a key law affecting the government’s ability to access remotely stored, or “in the cloud,” data.
Consumers and businesses are rapidly adopting cloud-based technology, senators and hearing witnesses noted. But the Electronic Communications Privacy Act (ECPA), passed in 1986, has not accounted for fast-developing technologies such as e-mail, social networking, and location-based tracking capabilities. Such advancements have given the government excessive power to access private data—often in ways that seem inconsistent, senators and witnesses said.
The government can now “gain information on our lives that was simply impossible 24 years ago,” said James Dempsey, vice president of the non-profit Center for Democracy and Technology. Nineteen-eighty-six “was light years ago in Internet time.”
One witness, James Barker, associate deputy attorney general at the Justice Department, urged the committee to use caution in making any changes. Remotely stored data frequently provides the “basic building blocks” in “[criminal] investigations.”
Senators and other witnesses acknowledged the importance of maintaining law enforcement interests. Some said reform would likely be most effective if undertaken incrementally, focusing on some key privacy-related areas.
Law enforcement’s access to e-mail under ECPA is confusing and inconsistent, said Committee Chairman Senator Patrick Leahy (D-VT). Depending on where they are stored and other factors, messages can be “subject to as many as four different levels of privacy protections.” E-mail stored on personal computers typically requires a judicial warrant for access, but remotely stored messages need less authority, senators and witnesses said. Messages that are under 180 days old or that have been opened are also more easily accessible than older or unopened messages. Such rules would likely confuse and surprise many consumers, said some senators. “Americans have an expectation of privacy that isn’t matched…by what folder you happen to drop [an e-mail] into,” said Sen. Sheldon Whitehouse (D-RI).
Regarding location-based data, law enforcement must obtain court-issued warrants to access GPS-related data, said Baker, which is a stricter standard than for cell phone location data, which tends to be less precise. But the significant and ongoing development of location-based technology since ECPA’s passage and its potential to violate privacy could make legal standards surrounding it a particularly important area for review, said Senator Leahy.