Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod

The Department of Justice is giving a qualified endorsement of an update to a 1986 privacy law that leading cloud-service providers, public-interest groups and others argue is woefully out of step with the current methods of sending and storing communications.

In testimony before a House subcommittee on Tuesday, Elana Tyrangiel, acting assistant attorney general at the DoJ's Office of Legal Policy, affirmed the Obama administration's support for an overhaul of the Electronic Communications Privacy Act (ECPA) to provide stronger privacy protections for Webmail, documents stored online and other cloud services.

Google, Microsoft and Facebook Join Reform Advocates

Advocates of ECPA reform, including tech heavyweights like Google, Microsoft and Facebook, point to incongruities in the law concerning the ways that law enforcement authorities can access personal communications.

As the law currently stands, authorities can obtain emails and other communications that have been stored with a third-party provider for more than six months on the strength of a subpoena, rather than a warrant issued by a judge.

In spite of periodic updates to ECPA, Tyrangiel says, "many have noted, and we agree, that some of the lines drawn by the statute have failed to keep up with the development of technology and the ways in which we use electronic and stored communications."

"We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to open emails than it gives to emails that are unopened," she adds.

"Acknowledging these things is an important first step," Tyrangiel says. "The harder question is how to update the statute in light of new and changing technologies while maintaining protections for privacy and adequately providing for public safety and other law enforcement imperatives."

Senate Looks to Revise ECPA

There is also movement in the Senate to overhaul ECPA. The same day that the House Judiciary Committee's subcommittee on crime held its hearing, Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) introduced a bill to revise the statute, dispensing with the "180-day rule," among other reforms.

When ECPA was enacted, "no one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today," Leahy says in a statement. "Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world."

Earlier this year, a bipartisan group of House members introduced their own ECPA-reform bill in a bid to strengthen the protections for cloud and location-based services.

The path to revising ECPA has been slowed by the protests of law enforcement agencies, which have warned that reforms undertaken in the name of protecting privacy could impede criminal investigations.

Richard Littlehale, a special agent with the Tennessee Bureau of Investigation, told lawmakers that irrespective of the level of proof required to obtain access to emails and other communications, law enforcement authorities face other, more significant "logistical hurdles," chiefly the failure of service providers to turn over records in a timely fashion.

"The reality is that legal barriers are not the only ones that keep communications out of our hands," Littlehale says.

"As Congress considers simplifying the legal requirements for obtaining communications records, and whether or not to change the standards law enforcement must meet to obtain those records, these other barriers to access must have a place in the discussion," he notes in his written testimony.

In counterpoint at Tuesday's hearing was Google's Richard Salgado, the search giant's director of law enforcement and information security, who was especially critical of what he described as an arbitrary distinction between communications older than six months and those that are newer.

"ECPA was passed in 1986, when electronic communications services were in their infancy. With the dramatic changes that we've seen since then, the statute no longer provides the privacy protection that users of these services reasonably expect," Salgado says. "If one could discern a policy rationale for this 180-day rule in 1986, it's not evident any longer and contravenes users' reasonable expectation of privacy."

TechAmerica, a leading industry trade group, commended both the leaders of the House subcommittee and Sens. Leahy and Lee for unveiling their bill on Tuesday, what the group dubbed "ECPA Reform Day on Capitol Hill."

Revamping that statute is a top legislative priority for TechAmerica, according to Kevin Richards, the group's senior vice president of federal government affairs, who says Leahy's bill "presents a big step toward making sure that the information Americans store in the cloud receives the same level of protection as the information stored in the physical world."

ECPA a Tricky Political Issue

But given the opposing views that law enforcement authorities and cloud providers take as a starting point in the debate, ECPA reform -- hardly a new issue -- has proven difficult as a political proposition.

"To amend ECPA we're going to need to have a balancing act, which means that neither law enforcement or the service community are going to get everything they want," says subcommittee Chairman Jim Sensenbrenner (R-Wis.). "[T]rying to do a balancing act to come up with something that protects the privacy of Americans as well as allows law enforcement to do their job, particularly against people who use the Internet for criminal purposes, is going to be kind of a tough nut to crack."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues.
