Senate considers update to Electronic Communications Privacy Act

Today in Washington, the Senate Judiciary Committee held a hearing on updating the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones.

The statements of the witnesses before the Senate, from the Commerce Department, the Justice Department and others, are embedded in this post. Below, find an exclusive interview with digital privacy and security researcher Chris Soghoian, who until recently was the resident geek at the Federal Trade Commission, and some context on “Digital Due Process,” the coalition of industry and privacy advocates advocating for an ECPA update.

“From the perspective of industry and definitely the public interest groups, people shouldn’t have to consider government access as one of the issues when they embrace cloud computing,” said Soghoian. “It should be about cost, about efficiency, about green energy, about reliability, about backups, but government access shouldn’t be an issue.”

While the tech blogosphere may be focused on Twitter, Facebook and inside baseball among the venture capitalists of Silicon Valley today, the matter before Congress should be earning more attention from citizens, media and technologists alike. Over at Forbes, Kashmir Hill made the case that industry will benefit from a clearer Electronic Communications Privacy Law. Take it one step further: updates to the ECPA have the potential to improve the privacy protections for every connected citizen, cloud computing provider or government employee. As she pointed out there:

One of the most egregious ECPA issues is how it treats the protection of email. “Why should email in someone’s inbox be treated different from something in someone’s sent folder?” asked Smith [Microsoft’s general counsel]. “Why is something unread in my junk folder subjected to greater privacy than something read in my inbox? Why does an email I sent in April have fewer privacy protections than one I sent in September?”

Smith discussed security and privacy concerns with respect to cloud computing after the hearing.

It’s important to be clear: Congress is unlikely to move on updating ECPA before the mid-term elections or in the lame duck session. That said, the hearing in the Senate today and the hearing on ECPA reform and the revolution in cloud computing in the House of Representatives tomorrow will inform any legislative action in the next Congress.

Chairman Patrick Leahy was clear in his opening statement today: American innovation has outpaced digital privacy laws.

When Congress enacted ECPA in 1986, we wanted to ensure that all Americans would enjoy the same privacy protections in their online communications as they did in the offline world, while ensuring that law enforcement had access to information needed to combat crime. The result was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times. Today’s hearing is an opportunity for this Committee to begin to examine this important issue.

“There does seem to be wide agreement that current ECPA standards are a muddled mess,” said Julian Sanchez, a research fellow at the libertarian Cato Institute, and contributing editor for Reason Magazine. “The fear about ‘uncertainty’ expressed by Baker is ridiculous when you consider the scholarly consensus and the evident confusion in the courts trying to apply it. In reality, DOJ finds the ambiguity convenient, since they can jurisdiction-shop for magistrates whose interpretations they find congenial.”

Jim Dempsey of the Center for Democracy and Technology made the following statement on ECPA, promoting security and protecting privacy:

Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” The Fourth Amendment embodies this right, requiring a judicial warrant for most searches or seizures, and Congress has enacted numerous laws affording privacy protections going beyond those mandated by the Constitution.

In setting rules for electronic surveillance, the courts and Congress have sought to balance two critical interests: the individual’s right to privacy and the government’s need to obtain evidence to prevent and investigate crimes, respond to emergency circumstances and protect the public. More recently, as technological developments have opened vast new opportunities for communication and commerce, Congress has added a third goal: providing a sound trust framework for communications technology and affording companies the clarity and certainty they need to invest in the development of innovative new services.

Today, it is clear that the balance among these three interests – the individual’s right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust – has been lost as powerful new technologies create and store more and more information about our daily lives. The protections provided by judicial precedent and statute have failed to keep pace, and important information is falling outside the traditional warrant standard.

The personal and economic benefits of technological development should not come at the price of privacy. In the absence of judicial protections, it is time for Congress to respond, as it has in the past, to afford adequate privacy protections, while preserving law enforcement tools and providing clarity to service providers.

Dempsey’s full testimony is embedded below:
Jim Dempsey Testimony on ECPA Update

The American Civil Liberties Union also had specific recommendations for Congress on ECPA reform. “The Electronic Communications Privacy Act was written in 1986 before the Web was even invented and is in desperate need of an upgrade,” said Laura W. Murphy, Director of the ACLU Washington Legislative Office. “While Americans have embraced technology as an essential part of everyday life, they have not surrendered their fundamental right to privacy. Congress must ensure that our privacy laws reflect the technology Americans use every day.”

The testimony of the ACLU on ECPA reform is embedded below:

ACLU statement on update to ECPA

The written testimony of Microsoft general counsel Brad Smith is embedded below:

Microsoft counsel Brad Smith’s Testimony before Senate

The written testimony of the Honorable James A. Baker, Esq., Associate Deputy Attorney General, United States Department of Justice, is embedded below:

Baker Testimony on ECPA Updates

The written testimony of the Honorable Cameron F. Kerry, Esq., General Counsel of the United States Department of Commerce is embedded below:

Cameron Kerry Testimony before the Senate

The written testimony of attorney Jamil Jaffer is below:

Jamil Jaffer Testimony before the Senate Judiciary Committee

Digital Due Process

Earlier this year, I reported on the launch of DigitalDueProcess.org, a coalition pushing for an ECPA update for online privacy in the cloud computing age. A powerful collection of organizations has been pushing for an update to ECPA. Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.

The coalition set up a website, DigitalDueProcess.org, containing its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process.”

What does Gov 2.0 have to do with cloud computing?

Last week, Gartner analyst Andrea DiMaio rendered his opinion of what Gov 2.0 has to do with cloud computing. In his post, he writes that “ironically, the terms “cloud” and “open” do not even fit very well with each other,” with respect to auditability and compliance issues.

I’m not convinced. Specifically, consider open source cloud computing at NASA Nebula and the OpenStack collaboration with Rackspace and other industry players, or Eucalyptus. For more, read my former colleague Carl Brooks at SearchCloudComputing for extensive reporting in those areas. Or watch NASA CTO for IT Chris Kemp below:

Aside from the work that CloudAudit.org is doing to address cloud computing, after reading DiMaio’s post, I was a bit curious about how familiar he is with certain aspects of what the U.S. federal government is doing in this area. After all, Nebula is one of the pillars of NASA’s open government plan.

Beyond that relationship, the assertion that responsibility for cloud computing deployment investment resides in the Office for Citizen Engagement might come as a surprise to the CIO of GSA. McClure certainly is more than conversant with the technology and its implications — but I have a feeling Casey Coleman holds the purse strings and accountability for implementation. Watch the GSA’s RFP for email in the cloud for the outcome there.

To Adriel Hampton’s point on DiMaio’s post about cloud and Gov 2.0 having “nothing to do with one another,” I’d posit that that’s overly reductive. He’s right that cloud in and of itself doesn’t equal Gov 2.0. It’s a tool that enables it.

Moving Recovery.gov to Amazon’s cloud, for instance, is estimated to save the federal government some $750,000 over time and gives people the means to be “citizen inspector generals.” (Whether they use them is another matter.) Like other tools born of the Web 2.0 revolution, cloud has the potential to enable more agile, lean government that enables better outcomes for citizens, particularly with respect to cost savings, assuming those compliance concerns can be met.

The latter point is why Google Apps receiving FISMA certification was significant, and why Microsoft has been steadily working towards it for its Azure platform. As many observers know, Salesforce.com has long since signed many federal customers, including the U.S. Census.

DiMaio’s cynicism regarding last week’s Summit is interesting, although it’s not something I can spend a great deal of time in addressing. Would you tell the Gov 2.0 community to stop coming together at camps, forums, hearings, seminars, expos, summits, conferences or local government convocations because an analyst told you to? That’s not a position I’m coming around to any time soon, not least as I look forward to heading to Manor, Texas next week.

In the end, cloud computing will be one more tool that enables government to deliver e-services to citizens in a way that was simply not possible before. If you measure Gov 2.0 by how technology is used to arrive at better outcomes, the cloud is part of the conversation.

[*Note Gartner’s reply in the comments regarding the resolution of the magic quadrant suit. -Ed.]

Exploring the future of online privacy with Jules Polonetsky

How will regulations and laws that address the new challenges of online privacy evolve? What are the tradeoffs between societal benefit and individual rights? How should the opportunities inherent in data mining be balanced with harm-based standards? What are the responsibilities of governments, businesses and citizens to protect privacy?

Yesterday at the Gov 2.0 Summit in Washington, my interview with Jules Polonetsky covered all of those topics and more. Polonetsky is the Co-chair and Director of the Future of Privacy Forum, a think tank seeking to improve the state of online privacy by advancing responsible data practices. His writing and research can be found at Futureofprivacy.org.

State CIOs rank cloud computing, green IT and social media as top emerging tech

According to a March 2010 survey of state chief information officers by NASCIO, Grant Thornton and Tech America, public IT executives in the United States are looking seriously at investing in the cloud and green IT. 50% of the 40 CIOs, IT resource management officials and OMB representatives surveyed planned to invest in cloud computing. Additionally, some two thirds of those surveyed are using social media. The report is embedded below.

2010 Tech America Federal CIO Survey Final Report

[Hat Tip: Governing People]