Digital Due Process: Protecting Americans’ Privacy by Restoring Constitutional Limits to Government in ECPA

Digital Due Process: Protecting Americans’ Privacy by Restoring Constitutional Limits to Government in ECPA

March 30, 2010

By Ryan Radia and Berin Szoka

Today a broad array of civil liberties groups, think tanks, and technology companies launched the Digital Due Process coalition. The coalition’s mission is to educate lawmakers and the public about the need to update U.S. privacy laws to better safeguard individual information online and ensure that federal privacy statutes accurately reflect the realities of the digital age.

Over 20 organizations belong to the Digital Due Process coalition, including such odd bedfellows as AT&T, Google, Microsoft, the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, The Progress & Freedom Foundation (where Berin works), the Competitive Enterprise Institute (where Ryan works), the Internet Technology & Innovation Foundation, Citizens Against Government Waste, and Americans for Tax Reform. The full member list is available at the coalition’s website.

Amidst the heated tech policy wars, it’s not every day that such a diverse group of organizations comes together to endorse a unified set of core principles for legislative reform. Over two years in the making, the Digital Due Process coalition, spearheaded by the Center for Democracy & Technology, is a testament to the broad consensus that’s emerged among business leaders, activists, and scholars regarding the inadequacies of the current legal regime intended to protect Americans’ privacy from government snooping and the need for Congress to revisit decades-old privacy statutes. It also represents a revival of a bipartisan consensus on the need for reform reached back in 2000, when the Republican-led House Judiciary Committee voted 20-1 to approve very similar reforms (HR 5018).

Today, in the digital age, robust privacy laws are more important than ever. That’s because U.S. courts have been unwilling to extend the Fourth Amendment’s protection against unreasonable search and seizure to individual information stored with third parties such as cloud computing providers. Thus, while government authorities must get a search warrant based on probable cause before they can lawfully rifle through documents stored in your desk, basement, or safe deposit box, information you store on the cloud enjoys no Constitutional protection. (Some legal scholars argue this interpretation of the Fourth Amendment, referred to as the Third Party Doctrine, is outdated and deficient. See, for example, Jim Harper’s excellent 2008 article in the American University Law Review.)

To be sure, this doesn’t mean that data stored in the cloud is completely without legal protection. In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA), a then-forward-looking law that established several new privacy protections limiting governmental access to consumer data stored or transmitted by “remote computing service providers” and “electronic communications service providers.” Thanks to this law, along with earlier statutes such as the Wiretap Act, most electronic communications transmitted today enjoy some degree of legal protection. Unfortunately, the law’s provisions don’t reflect the reality of modern digital communications, nor do they offer sufficient protections for sensitive items like emails, mobile device locational information, and instant messages.

To remedy these deficiencies, the Digital Due Process coalition has offered four principles for Congress to consider as it revisits ECPA. In essence, they would require that government obtain:

  • A search warrant from the court, upon the showing of “probable cause” required by the Fourth Amendment, before compelling “cloud” providers to disclose most kinds of private communications or mobile location information;
  • A court order subject to meaningful judicial review before compelling providers to disclose dialed number information or email to and from information; and
  • Judicial approval, rather than a mere subpoena, before compelling providers to disclose non-particularized information about individual accounts.

These proposed reforms, if enacted, would go a long way toward ensuring that individuals enjoy the same legal protections online that the Fourth Amendment has long provided in the offline world. The principles would also empower cloud computing and mobile service providers to offer more robust privacy assurances to users. Such assurances will help strengthen user trust in of cloud computing and, consequently, may spur innovation in cloud computing services that involve highly sensitive data like health information.

This call to action is also a reminder that restricting the power of government, not the private sector, is the solution to the privacy challenges of the digital age. Privacy advocates and zealots alike often focus on the risks of private data collection. Yet the greatest, and most demonstrable, of these risks comes not from private firms but from the real Big Brother: the risk that government will get its hands on private data without meaningful judicial oversight.

As we’ve long argued (see Ryan’s essay with Wayne Crews, “Selling Out Online Advertising,” and Berin’s comments to the FTC’s Exploring Privacy Roundtable last November), the consumer benefit of individualized data collection and use is nothing short of spectacular. Without it, services like Gmail, Google search, and Facebook likely wouldn’t exist. (And it’s only 2010—the best is yet to come!) Simply put, there is no free lunch!

But data collection has a real downside: As long as sensitive information remains stored on a provider’s server, there’s a risk that it will end up in the wrong hands. Through smart information security practices and privacy policies enforced both by the FTC and strong reputational forces, the private sector has generally done a good job of safeguarding individual data, with rare exceptions. Yet, today, no amount of security or legalese or good intentions can protect against a government subpoena issued in compliance with ECPA’s outdated, inconsistent and downright byzantine legal standards—which vary widely depending on whether messages have been opened, how long they’ve been on the server, etc.

The reforms proposed by the Digital Due Process Coalition would fix this gaping hole in America’s privacy laws, allowing individuals to rest assured that their personal information won’t end up in the hands of government unless probable cause is shown before a court of law. That’s the promise enshrined in the Fourth Amendment—a promise we seek to restore.

Ryan Radia is associate director of technology studies at the Competitive Enterprise Institute. Berin Szoka is a Senior Fellow and the Director of the Center for Internet Freedom at The Progress and Freedom Foundation in Washington, D.C.