A broad coalition of interest groups, non-profits and private companies, including Microsoft, Google, AOL, the ACLU, EFF and others, has come together to set forth four principles that would update the Electronic Communications Privacy Act (ECPA). That statute was enacted in 1986 and, in the words of Jim Dempsey, Vice President for Public Policy at the Center for Democracy and Technology, hasn’t kept pace with technology and the way that people use the internet today. The point was made repeatedly that the “internet didn’t even really exist” in 1986.
The principles aim to upgrade and enhance privacy protection for individuals using the internet, sending email and storing data in the cloud. Basically, these principles seek to apply the probable cause standard and require a judge-issued warrant before law enforcement officials can gain access to private information or data online. This would include search query logs.
Here are the principles laid out on the new Digital Due Process site:
- A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.
- A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.
- A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).
- Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.
Essentially these proposed rules seek to protect all user data that is not “readily accessible to the public.”
These principles will be sent to Congress, which would then need to incorporate them into ECPA or separately enact them in order for them to become law. However, it was pointed out that these rules are not intended to affect “national security” issues or related enforcement. That potentially represents something of a “loophole” for aggressive law enforcement officials, who might seek to circumvent these rules, if enacted, by using the justification of national security to conduct domestic surveillance.
In general, however, these proposed rules are very welcome. We should hope they’re enacted to require law enforcement to obtain warrants and meet traditional probable cause standards before private online data, activities or history can be accessed.