ECPA

Don’t get too comfortable – the need for tension between government and tech companies

As I’ve always said, “We don’t want the relationship between companies and government to be without tension; we want friction”.  Actually, Anupam Chander said this at Monday’s privacy lecture at Berkeley, but it’s the kind of statement that I wish I’d said.  This idea of an optimum level of friction is a good frame of reference at a time when law enforcement and companies trade words as to whether encryption will create the “phone of choice for the pedophile” or simply mean that “privacy doesn’t stop because of a government information request”.

At the same lecture, James Aquilina of Stroz Friedberg noted that a great travesty of the Snowden revelations was that it destroyed the relationship between government and companies.  He explained that the trust built after 9/11 has been completely eroded and the relationship destroyed.  The problem with this relationship breakdown is that the public still expects the government to be able to protect them.  While this might seem to be at odds with Chander's statement, I think that these statements can actually be seen as reflecting questions about how much tension there should be.

Much of our legal and political system is based on the idea that the best outcome is achieved when opponents representing different sides of a debate are able to battle it out; the separation of powers between executive, legislature, and judiciary; the adversarial court process; and the halls of Congress all rely on the tension between opposing views.  While I wouldn’t advocate for a relationship based on the level of tension within Congress, we also don’t want tech companies to be the government’s lapdogs.  It’s hard to know where the right line is on facilitating legitimate government investigations and ensuring individuals’ right to privacy. 

Twitter’s new legal fight to publish full transparency figures reminds us that the right level of tension can’t necessarily be quietly negotiated.  Instead, it may need to be lobbied and litigated.  This is particularly important when legislative change is glacially slow.  Where does this leave smaller companies, who don’t necessarily have the deep pockets to fight it out in court?  I’ve had conversations with a small, very pro-user tech company where the C-suite has agreed that if they get a national security letter, they’ll close their US operations rather than hand over the data.  But this isn’t an approach that many companies would be willing or able to take. 

As a baseline, companies of all sizes should insist on a search warrant (or the appropriate legal process under the Electronic Communications Privacy Act) before handing over user data and notify users (wherever permitted).  Companies should be proactive in their own privacy policies and procedures, paying attention to what personal information they’re collecting and storing, where they store it, and with whom they share it for commercial purposes.  Whereas the US Government has been happy to overlook the rights of non-US persons, companies that operate in the global marketplace should take a principled approach to all users (see my explanation of the glaring gaps in ECPA with respect to foreign government requests).  And if you happen to have deeper pockets and in-house legal support, consider having your day in court.

At the moment, we’re headed back into another round of the cryptowars between government and industry.  Hopefully we will soon be able to reach some kind of détente where we have a set of clearer, more appropriate boundaries for where privacy ends and legitimate government access begins.  In the meantime, let’s not shy away from a good fight.

ECPA reform is not just a U.S. issue

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/04/ecpa-reform-not-just-us-issue

If US law enforcement officers want to access your private emails, they need to follow the requirements in the Electronic Communications Privacy Act.  ECPA is an old and imperfect piece of legislation.  Industry and civil society have long been pushing to update ECPA so that it is “technology neutral”; just as government agencies require a warrant to compel disclosure of a person’s locally-stored documents, government should have to obtain a warrant to access private documents stored in the cloud.  While this argument may seem self-evident, reform has been frustratingly slow.  Today, blogs have fired up (such as here, here, and here) with arguments in favor of reform and criticising the Securities and Exchange Commission's opposition to reform.  However, what is missing in the current debate is that ECPA has implications beyond US borders.

Technology neutrality is an important principle that should underpin the reform of ECPA.  However, I believe that the ECPA discussion should also include the question of “location neutrality”, i.e., foreign law enforcement officers' access to user data should be based on the same principles as access by US law enforcement.

How is foreign access to non-content regulated?

It doesn’t matter where in the world a police officer is, if he or she wants to access an individual’s Gmail or Facebook records (or many other US-based products), that access is governed by ECPA.  ECPA provides some limits on US law enforcement access to non-content information by requiring at least an administrative subpoena.  However, ECPA completely overlooks access by foreign governments because it defines “government entities” to mean only US government agencies.  This means that when foreign law enforcement officers ask for a user’s subscriber details or email contacts, it is up to the companies to decide whether or not they hand over that information.  Some companies refuse to provide any information voluntarily and insist on a request under a mutual legal assistance treaty (MLAT), supported by a court order.  Other companies will hand over information if they feel that it is appropriate in the circumstances.  In practice, there is no consistency, transparency, or oversight into when non-content information is handed over to foreign law enforcement.

What about content?

Foreign law enforcement must go through the MLAT process in order to access user content held in the US.  Before you get too excited in thinking that this provides good legal and procedural protections, you need to look a little more closely.  The current MLAT-based system for content access is basically due to a legislative oversight, not because of a well-reasoned policy decision.  ECPA doesn't mention whether or not a foreign law enforcement officer should be able to obtain either a subpoena or court order directly from a US court.  In order to overcome this, a foreign government can make an MLAT request, which effectively asks the US Government to obtain a warrant on behalf of the foreign government.

When it comes to the content of users’ emails, the current system might seem good on first glance because it only allows foreign governments to access user data through the MLAT system, which involves a US warrant process.  However, the MLAT system is not designed to cope with the large volume of requests for online data that are now being made or the tight timeframes that cyber-investigations demand (the President’s Review Group found that MLAT requests for online records take an average of 10 months!).  This means that either (1) legitimate criminal investigations and prosecutions are compromised because the evidence cannot be obtained quickly enough or (2) police find “creative” work-arounds and “informal” means to obtain the data, which undermines transparency, accountability and user protections.  Neither of these is a good outcome.

Where to from here?

In the context of ECPA, technology neutrality means that a user should have the same protections for their personal data, regardless of whether it is stored in physical format, in a locally-based electronic format, or in the cloud.  I suggest that another principle for ECPA should be location neutrality – i.e., a user’s personal data should have the same protections from all law enforcement agencies, regardless of whether that agency is based in the US or abroad.

The reform of ECPA is certainly not just a US issue; it impacts millions of users outside of the US.  It would be a great step forward to protect users’ data from unwarranted US law enforcement snooping.  However, this is only half the picture; we need to start talking about foreign law enforcement access to electronic communications as part of the ECPA reforms.