Senate Panel Mulls ECPA Update for Cloud Era
The chairman of the Senate Judiciary Committee on Wednesday pledged to begin work drafting an update to an aging statute governing the security and privacy of electronic data that critics say has fallen out of step with cloud computing and the new ways that consumers and businesses store and access information.
At a hearing this morning, Patrick Leahy (D-Vt.) said that committee staffers hope to begin developing draft language for an overhaul of the 1986 Electronic Communications Privacy Act (ECPA), a bill that a broad coalition of technology companies and advocacy groups are pushing to revise.
"We will start work on this very soon," Leahy said. "This is going to a priority -- bringing this up to date -- in this committee."
At the same time, acknowledging the political realities of an election-shortened calendar and a bitterly divided Congress, Leahy said he hoped to begin work on updating ECPA in short order, but acknowledged that enacting any reform to the statute isn't likely to be accomplished before the next session.
"This is the most dysfunctional session of Congress I can remember," he said, adding that ECPA reform "should not be a partisan effort."
But the statute does bring to light a significant friction between the privacy advocates and technology vendors backing reform and some members of the law-enforcement community, who have warned that strengthening ECPA protections could undermine criminal investigations and prosecutions.
One of the central goals of Digital Due Process, a coalition working for ECPA reform, is to bring the rules for government access to data stored in the cloud in line with the protections governing access to files on a user's PC.
As a practical matter, those rules mean that law enforcement authorities require a different level of legal authorization to obtain access to the contents of a user's email account if it is a locally stored client, such as Outlook, than they would for a cloud-based Webmail service such as Gmail. In the case of the former, authorities generally require a warrant issued by a judge, whereas law enforcement can often wrest cloud-based records from a service provider only on the strength of a subpoena.
So if investigators were trying to obtain the email exchange of an Outlook user, for instance, they might have an easier time leaning on a cloud-based service provider for the records of a person with whom he was corresponding.
"The reality today is that ECPA increasingly falls short of a common sense test," said Brad Smith, Microsoft's (NASDAQ: MSFT) general counsel. "Not because the law was flawed when it was written in 1986, but because technology in some cases -- not every case, but in some cases -- has simply passed it by. Why should email in somebody's inbox be subjected to a different standard than email in somebody else's sent mail folder?"
That might be a tougher sell to law enforcement authorities who worry that expanding the requirements for demonstrating probable cause could slow criminal investigations, though James Baker, associate deputy attorney general at the Department of Justice, stressed at today's hearing that the administration has not yet taken a position on ECPA reform.
Nevertheless, Baker emphasized that the 1986 statute, which has been subject to numerous incremental updates, has proven generally enduring. Moreover, he argued that the distinction between the contents of a user's computer and information housed remotely with a service provider in the cloud is firmly rooted in legal precedent.
"There is a difference," Baker said. "The law recognizes -- and has for a long time -- differences when information is stored with a third party than when it's stored in your home."
James Dempsey, vice president of public policy at the Center for Democracy and Technology, the group that is spearheading the Digital Due Process coalition, argued that to cast ECPA reform at odds with law enforcement is a false choice.
"A fundamental premise of our recommendations is that it is necessary to preserve the building blocks of criminal investigations," he said.
Dempsey explained that his group is not looking for a wholesale rewrite of the law, but only targeted reforms to address the cloud computing disparity and to enact additional protections for location-based data.
"We focused on a very few of the most salient problems," he said. "We want to be careful in our amendment of ECPA to avoid collateral damage. We want to be incremental. We're not proposing a general overhaul of the statute. We can't fix everything."