Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod

The Department of Justice is giving a qualified endorsement of an update to a 1986 privacy law that leading cloud-service providers, public-interest groups and others argue is woefully out of step with the current methods of sending and storing communications.

In testimony before a House subcommittee on Tuesday, Elana Tyrangiel, acting assistant attorney general at the DoJ’s Office of Legal Policy, affirmed the Obama administration’s support for an overhaul of the Electronic Communications Privacy Act (ECPA) to provide stronger privacy protections for Webmail, documents stored online and other cloud services.

Google, Microsoft and Facebook Join Reform Advocates

Advocates of ECPA reform, including tech heavyweights like Google, Microsoft and Facebook, point to incongruities in the law concerning the ways that law enforcement authorities can access personal communications.

As the law currently stands, authorities can obtain emails and other communications that have been stored with a third-party provider for more than six months on the strength of a subpoena, rather than a warrant issued by a judge.

In spite of periodic updates to ECPA, Tyrangiel says, “many have noted, and we agree, that some of the lines drawn by the statute have failed to keep up with the development of technology and the ways in which we use electronic and stored communications.”

“We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to open emails than it gives to emails that are unopened,” she adds.

“Acknowledging these things is an important first step,” Tyrangiel says . “The harder question is how to update the statute in light of new and changing technologies while maintaining protections for privacy and adequately providing for public safety and other law enforcement imperatives.”

Senate Looks to Revise ECPA

There is also movement in the Senate to overhaul ECPA. The same day that the House Judiciary Committee’s subcommittee on crime held its hearing, Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) introduced a bill to revise the statute, dispensing with the “180-day rule,” among other reforms.

When ECPA was enacted, “no one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today,” Leahy says in a statement. “Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world.”

Earlier this year, a bipartisan group of House members introduced their own ECPA-reform bill in a bid to strengthen the protections for cloud and location-based services.

The path to revising ECPA has been slowed by the protests of law enforcement agencies, which have warned that reforms undertaken in the name of protecting privacy could impede criminal investigations.

Richard Littlehale, a special agent with the Tennessee Bureau of Investigation, told lawmakers that irrespective of the level of proof required to obtain access to emails and other communications, law enforcement authorities face other, more significant “logistical hurdles,” chiefly the failure of service providers to turn over records in a timely fashion.

“The reality is that legal barriers are not the only ones that keep communications out of our hands,” Littlehale says.

“As Congress considers simplifying the legal requirements for obtaining communications records, and whether or not to change the standards law enforcement must meet to obtain those records, these other barriers to access must have a place in the discussion,” he notes in his written testimony:

“I urge Congress to ensure that regardless of the level of process it ultimately decides is appropriate, steps are taken to guarantee that law enforcement will be able to access the required communications transactional records reliably and quickly once that process is obtained.”

In counterpoint at Tuesday’s hearing was Google’s Richard Salgado, the search giant’s director of law enforcement and information security, who was especially critical of what he described as an arbitrary distinction between communications older than six months and those that are newer.

“ECPA was passed in 1986, when electronic communications services were in their infancy. With the dramatic changes that we’ve seen since then, the statute no longer provides the privacy protection that users of these services reasonably expect,” Salgado says. “If one could discern a policy rationale for this 180-day rule in 1986, it’s not evident any longer and contravenes users’ reasonable expectation of privacy.”

TechAmerica, a leading industry trade group, commended both the leaders of the House subcommittee and Sens. Leahy and Lee for unveiling their bill on Tuesday, what the group dubbed “ECPA Reform Day on Capitol Hill.”

Revamping that statute is a top legislative priority for TechAmerica, according to Kevin Richards, the group’s senior vice president of federal government affairs, who says Leahy’s bill “presents a big step toward making sure that the information Americans store in the cloud receives the same level of protection as the information stored in the physical world.”

ECPA a Tricky Political Issue

But given the opposing views that law enforcement authorities and cloud providers take as a starting point in the debate, ECPA reform — hardly a new issue — has proven difficult as a political proposition.

“To amend ECPA we’re going to need to have a balancing act, which means that neither law enforcement or the service community are going to get everything they want,” says subcommittee Chairman Jim Sensenbrenner (R-Wis.). “[T]rying to do a balancing act to come up with something that protects the privacy of Americans as well as allows law enforcement to do their job, particularly against people who use the Internet for criminal purposes, is going to be kind of a tough nut to crack.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.