James Bond had it wrong — diamonds aren’t forever. Data is.
Its privacy ought to be, too.
Unfortunately, laws regarding who may access your data, how it’s accessed — and when — haven’t caught up to data storage technology.
As recently as 10 years ago, most data that was older than 180 days got automatically deleted from servers to make room for new data. This was necessary because of the physical storage limits of the servers in use at the time. The upside — privacy-wise — of this disappearing data was that it was no longer available to the government.
Which, under an out-of-date law, was legally empowered to access data older than 180 days without a warrant — or even probable cause. But today, there’s a huge problem, privacy-wise, because server storage capacity is now effectively infinite. Data is no longer automatically deleted after 180 days. It will probably still be there 180 years from now.
But the law allowing government to dig in to this data is still the same.
It is the Reagan-era Electronic Communications Privacy Act (ECPA), enacted back in 1986 — when people still rented Betamax tapes at Blockbuster and made calls on corded wall phones.
The ECPA never anticipated limitless server capacity — or even e-mails. There was no Internet back in ’86. A “server” was someone who brought you food. If you’d asked the ECPA’s authors what a “cloud” is, they’d have answered, “Those cottonball-looking things in the sky.”
But today, “cloud” has another meaning.
It is the term used to describe server storage remotely located and accessed via the Internet. Most home computer users (and smartphone users) now routinely upload data to the cloud — both as a backup and to avoid maxing out the still-limited storage capacity of their desktop PC or handheld device.
But once this data goes out — and gets stored in a cloud — Uncle can access it, 180 days from now or 180 years from now.
That’s one gaping hole in privacy protections arising from the EPCA — which created a different (much less restrictive) standard for government snooping through our online stuff. It was — and still is — legally necessary to get a specific warrant based on specific probable cause before government agents could rifle through a physical desk drawer and read physical correspondence, such as a letter.
Another problem with ECPA recently surfaced in the course of a government investigation of a person suspected of drug trafficking who stored data with Microsoft — which stored that data in servers outside the United States. The Feds pressured Microsoft to turn over the data, notwithstanding there was no legal warrant and notwithstanding that the country where the servers (and data) were located — Ireland — took issue issue with a foreign government (that’s our government, in this case) asserting sovereignty on its territory.
Microsoft — and in principle, other countries doing business overseas — were put in the position of flouting the laws of countries in which they did business (probably not good for future business) or annoying the Feds for failing to “cooperate” (probably not good for business, either).
There was also the tertiary problem of annoyed foreign governments deciding to flout U.S. laws, given the U.S. wasn’t respecting their laws.
A few months back, Microsoft won an appeal, with New York Circuit Court Judge Sarah Carney writing in her opinion that the ECPA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer emails” stored on foreign servers.
But there is still the issue of the 180 day “exemption” on warrants and probable cause, deriving from the geriatric ECPA.
Like Betamax, it’s a museum piece.
Sen. Orrin Hatch of Utah, along with Sens. Chris Coons of Delaware and Dean Heller of Nevada, have put forward a bill to bring the law up to date with the state of current technology. Titled the International Communications Privacy Act, it would effectively replace the ECPA and specifically addresses the privacy issues and international business-legal issues that the ECPA left either wide open or didn’t address at all.
Instead of “cowboy” Ollie North-style operations by the Feds to strong-arm data stored on servers outside the physical borders and outside the legal jurisdiction of the United States (and vice versa), governments would agree to Mutual Legal Assistance Treaties formally establishing a legal framework binding on both parties regarding how and under what circumstances data stored outside their jurisdictions be accessed.
And — perhaps most critically — the warrant and probable cause requirements that applied under ECPA to data less than 180 days old would apply to all data, regardless of its vintage.
This latter reform is particularly important given that most of our communications are now done online. People send emails and PDFs over the Net rather than envelopes via the Postal Service. Digitally transmitted correspondence (and other data) is no less deserving of protection under the law than the old-fashioned physical kind stored in desk drawers rather than servers.
The International Communications Privacy Act would — for once — enhance rather than diminish our privacy. That’s no small thing these days.