Proposed Privacy Law Demands Court Warrants for Cloud Data


Two Democratic congressmen are proposing sweeping changes to a U.S. privacy law that for the first time would require the government to obtain a probable-cause warrant to access data stored in the cloud.

The measure would amend the Electronic Communications Privacy Act, which has seen few updates since President Ronald Reagan signed it in 1986.

The proposal represents yet another attempt to rewrite legislation that generally grants the government wide powers to access Americans’ cloud-stored data without a probable-cause showing.

“Communications technology is evolving at an exponential rate and, as such, requires corresponding updates to our privacy laws,” said Rep. Jerrold Nadler (D-New York), who is sponsoring the package with Rep. John Conyers Jr. (D-Michigan). “This new legislation will ensure that ECPA strikes the right balance between the interests and needs of law enforcement and the privacy interests of the American people.”

Adopted when CompuServe was king, ECPA allows the government to acquire a suspect’s e-mail or other stored content from an internet service provider without showing probable cause that a crime was committed, as long as the content had been stored on a third-party server for 180 days or more. E-mail and other cloud-stored data younger than six months is protected by the warrant requirement, as is all data stored on a personal computer drive.

ECPA was adopted at a time when e-mail, for example, wasn’t stored on servers for a long time. Instead it was held there briefly on its way to the recipient’s inbox. E-mail more than six months old on a server was assumed abandoned, and that’s why the law allowed the government to get it without a warrant. At the time there wasn’t much of any e-mail for the government to target because a consumer’s hard drive — not the cloud — was their inbox.

But technology has evolved, and e-mail often remains stored on cloud servers indefinitely, in gigabytes upon gigabytes — meaning the authorities may access it without warrants if it’s older than six months.

The same rule also applies to content stored in the cloud. That includes files saved in Dropbox, communications in Facebook, and Google’s cloud-storage accounts. Such personal storage capabilities were nearly inconceivable when President Reagan signed the bill.

“Rapidly advancing technology has made it necessary to update the Electronic Communications Privacy Act,” Conyers said.

Despite the need to bring this privacy law into the 21st century, we doubt the Nadler-Conyers proposal (.pdf) would survive a committee hearing, if it even gets one.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) proposed similar legislation last year, and it never even got a hearing in the committee he chairs.

All the while, your cloud-storage data — e-mail and other documents six months or older — is at risk as the authorities may obtain it by stating that it is “relevant” to an investigation.

The amount of data that the government is already collecting under the law is unclear. Google said in June that government agencies across the United States sought user data 6,321 times for the six months ending December 2011, up from 5,950 the six months prior.

Google, which offers e-mail, cloud storage, a blogging platform, web search, and other services, said the U.S. government targeted 12,243 Google accounts, compared to 11,057 in the six months before.

But neither Google nor any other ISP releases how many times it turns over user data in the United States without a probable-cause warrant. Perhaps the numbers are too frightening.

The Nadler-Conyers bill also would require the authorities to notify targets within three days that the government has obtained their data unless “the existence of the warrant may have an adverse result.” The proposal also requires ISPs to report the number of instances in which they handed over data.