Skip to main content

Revising privacy law for the 'cloud' era

By Nate Anderson
Digital Due Process is a campaign that aims to convince U.S. legislators to rethink Internet privacy law.
Digital Due Process is a campaign that aims to convince U.S. legislators to rethink Internet privacy law.
  • A new campaign aims to get the U.S. to rethink its privacy laws
  • The effort, called Digital Due Process, says laws don't fully protect privacy
  • As people store more information online, laws need to adapt, the campaign says
  • Microsoft, Google and AT&T are among its supporters

(Ars Technica) -- The government needs a search warrant to bust into your house, search your files, and pull out any incriminating documents. It needs the same warrant for files stored on your computer. So why doesn't the same standard apply when the same information is stored in online servers operated by third parties like Google or Microsoft?

The answer is 1986's Electronic Communications Privacy Act, drafted in a different era. Many of its distinctions no longer make sense today, such as the one between "private" and "third-party" records. The government has found numerous ways to access material stored in remote servers -- notably e-mail -- without the traditional warrant and judicial oversight required in the past. And new sources of data, such as cell phone location records, weren't even envisioned by the earlier law.

To drag the law into the modern era, a coalition of strange bedfellows has formed: the Electronic Frontier Foundation, the American Civil Liberties Union, Microsoft, Google, AT&T, the Progress & Freedom Foundation, the Center for Democracy and Technology, and others.

They kicked off a new campaign today called Digital Due Process, which asks for several major changes to existing law. For instance:

* All "private content" held by a service provider should be protected by the same standard as material on your laptop: a warrant must be obtained. Currently, the rules are murky and confusing; the government can go after server e-mail older than 180 days, for instance, with only a subpoena (no judge needed), while more recent e-mail needs a warrant.

* Warrants must be sought to access location information. Currently, says the Center for Democracy and Technology, GPS location data is protected by warrant, but other data (such as that from cell phones) is not. Courts have been "all over the ballpark" on this issue, the group says.

* For "transactional" data (i.e. data that might include e-mail headers but not message content), the coalition says that a judge should be involved, though a warrant may not be needed.

* Subpoenas should only be used where government has a particular person whose data they seek; they shouldn't be used for bulk requests on many subscribers at once without a court order.

The group has plenty of heavy hitters on board and appears to be well-funded, with a slick Web site and snazzy animated video.

The civil liberties groups want the rules clarified and tightened, of course, but so do the businesses. Cloud computing providers like Google and Internet service providers like AT&T each want a predictable, unambiguous set of rules to govern these issues. The cloud providers also know that their own business is at stake here if people come to feel like they can't trust the protections offered to online content.

As for when the changes might get made, that's hard to say. These questions have been percolating for more than a decade without action, and Digital Due Process isn't expecting any legislative action this year.