Google, AOL, AT&T, the ACLU, Microsoft, Salesforce.com and other members of a newly formed coalition called “Digital Due Process” are proposing that the federal government update laws on government access to email and private files stored by third-party service providers in the cloud — or any other storage system.
Currently, third-party storage of digital data is a legal gray area. The vagueness of the laws has allowed the Department of Justice to prevail with the argument that all it needs is a subpoena or court order to obtain customer data from companies. The coalition would like to see clear laws requiring warrants for such requests.
In addition to calling for stronger protection for email and other data stored in the cloud, the organization is also voicing concerns over the handling of locational data sent out by cellular phones — that is, the tracking data all cellphones transmit when they are turned on.
The Justice Department “argues that it is mere signaling information” and not relevant to current wiretap or other privacy laws, according to Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which is a member of the coalition.
“We argue that this is uniquely pervasive information and should be accorded full constitutional protections,” Dempsey told the E-Commerce Times.
There have already been dozens of court cases dealing with locational tracking data, mostly at the federal magistrate level, Dempsey noted. “Most of the judges have rejected the Justice Department’s view of real-time monitoring, while some have accepted it.”
In general, the laws surrounding these issues “are a complete mess,” remarked Dempsey, “and the Justice Department continues to push an aggressive posture that this information should be available without a warrant.”
This issue was a heated one during the Bush administration, given its stance in support of warrantless wiretaps. The seeds of the current problem, which has been exacerbated by the growing number of services and data that are being placed in the cloud or otherwise stored at a business or third party site — can be found in earlier laws that did not envision how technology would evolve.
Current legal practices are grounded in a 1967 Supreme Court decision that established constitutional protections for phone calls as they moved over wires, Dempsey said.
In 1986, Congress extended that decision in the Electronics Communications Privacy Act to cover email and other communications, focusing on the “in transit” concept. That is, a warrant would be required to seize email en route from sender to receiver. Congress didn’t pay as much attention to the matter of safeguarding email after delivery, however.
“In 1986, Congress assumed no one would store email. Storage space was very expensive then, and they assumed service providers would delete emails in a short period of time,” Dempsey said.
Fight or Give In?
With no obvious legal mandate requiring a warrant, the government has been free to insist that companies hand over customer data in response to a subpoena — or, in the case of mobile location data, a court order, Dempsey said.
“When the government comes at you with a subpoena, sometimes a company will resist, and sometimes it won’t. It costs them little to comply and a lot to resist,” he pointed out.
As part of its advocacy on this issue, the Digital Due Process coalition is reaching out to government officials and law enforcement agencies in the hope of developing a consensus to update the law.
Governments Know Too Much
One of the reasons the government knows much more than it should about its citizens is because there has been a breakdown in the statutory protections for users of the Internet, said Electronic Privacy Information Center Executive Director Marc Rotenberg.
“We saw that breakdown with the use of national security letters with the warrantless wiretaps,” he told the E-Commerce Times.
The Digital Due Process initiative only addresses half of the problem, Rotenberg said, noting that “there is an awful lot that businesses know about us that they shouldn’t as well.”
To play it safe, consumers should just assume that almost everything they do online can be uncovered by some other entity — whether in the government or private sector, said C. David Gammel, president of High Context Consulting.
“We leave such a rich trail behind us — even just through our browsing habits — that our expectations of privacy online need to be set very low,” he warned. “It is just too easy to be tracked or followed.”