Lawmakers consider changes to wiretapping law to protect cloud services

E-mail, cloud app users deserve the same protections from searches as with laptops, witnesses tell House subcommittee

Users of e-mail and cloud computing services need to have the same protections from law enforcement searches as do people who leave information on laptops or in office cabinets, witnesses told a U.S. House of Representatives subcommittee.

Congress should rewrite the 1986 Electronic Communications Privacy Act (ECPA), a law governing law enforcement agencies' access to electronic information, to account for changes in technology in the past two decades, representatives of Microsoft and the Center for Democracy and Technology (CDT) said during a hearing Wednesday.

There's widespread confusion over the law, said James Dempsey, CDT's vice president for public policy.

The U.S. Department of Justice has asserted that federal agents do not need a court-issued warrant to request the contents of e-mail from vendors that store the e-mail, even though agents would need a warrant to see a document stored on a laptop or in a file cabinet, said Dempsey. Some courts have required warrants for stored e-mail, however.

In addition, beyond the confusion over warrants for e-mail stored for less than 180 days, the ECPA doesn't require a warrant for e-mail stored by a vendor for longer than 180 days, even though many e-mail users expect those documents to be private, Dempsey said.

Many telecom and Internet service providers don't understand the rules about what customer communications they are required to turn over, added Albert Gidari Jr., a partner with the Perkins Coie law firm in Seattle.

"These service providers are caught in the middle every day," he said. "The best way to determine whether ECPA is out of balance is to take a look at what service providers do every day -- that is, essentially, guess."

Several members of the House Judiciary Committee's Constitution, Civil Rights, and Civil Liberties Subcommittee said they were open to a revamp of the ECPA, although subcommittee chairman Jerrold Nadler, a New York Democrat, said Wednesday's hearing would be the first of several on the subject.

A wide range of new technologies available since the ECPA was passed create challenges the law doesn't address, Nadler said. "These robust new communications technologies bring with them new opportunities for law enforcement agencies, charged to protect us from ... criminals, to intervene in our private lives," he said.

In March, a group of tech vendors and civil liberties group, calling itself the Digital Due Process Coalition, launched a campaign for ECPA reform, saying Congress needs to make clearer wiretapping and surveillance rules for electronic communication.

Typically, law enforcement officials would have to get a court-ordered warrant to search a suspect's PC or file cabinets, but law enforcement agencies can get access to some e-mail information, instant messages and other information stored in the cloud, as well as mobile-phone tracking information, through simple subpoenas, members of the coalition said.

The coalition's launch came after the U.S. Department of Justice, in a February court hearing, asserted that it does not need a court-issued warrant to obtain cell site tracking information from mobile-phone carriers.

Representative Hank Johnson, a Georgia Democrat, called on Congress to rewrite the ECPA. "I would hate to see a [communications] company turned into an agency for law enforcement at the expense of their customers," he said.

While several lawmakers appeared sympathetic to the arguments from Dempsey and Gidari, others seemed to struggle with the technologies discussed in the hearing. Representative Mel Watt, a North Carolina Democrat, said he hadn't heard of the term "cloud computing" until Wednesday.

Watt also questioned if there were "horror stories" of law enforcement abuses because of confusion over the ECPA.

A handful of recent court cases deal with problems in the ECPA, Dempsey said. But cloud-based e-mail users should be concerned that their warrant protections expire after 180 days, he added.

"Every one of us probably has five, six, maybe 10 years of e-mail stored," he said.

Back in 1986, service providers didn't store e-mail, because of the cost of storage, Dempsey said. "You read it, you downloaded it, it was deleted from the computer," he said. "Congress thought 180 days would be the absolute, conceivable outside limit, and after that, it was sort of like abandoned property."

Join the discussion
Be the first to comment on this article. Our Commenting Policies