US law fails to protect internet privacy
- Monday, 24 October 2011
21st century technology needs 21st century laws
The Electronic Communications Privacy Act is the basis from which all US laws regarding civil rights in the use of electronic communications stem from. ECPA has turned 25 years old and, despite being created at a time the Internet did not yet exist, it has been left essentially (and intentionally?) unchanged throughout all these years. With the expansion of the World Wide Web, the ambiguity of a law in the US can have repercussions in the rest of the world as well.
ECPA was a forward-thinking set of bills for the year it was passed, 1986. Law-wise, it can hardly be considered old. Technology-wise though, anything twenty-five years old belongs to a museum, carefully encased in glass.
When ECPA was adopted, e-mails did not stay on servers for long periods of time, as they were downloaded to the recipients’ computers in order to be read. Any e-mail staying on the servers for longer than six months was therefore considered abandoned and could be accessed by the authorities without a warrant.
The new e-mail service providers though operate in a different way. Beside the e-mail server, they offer on-site the required software to read, write and storage e-mails. E-mails do not get downloaded to a personal computer anymore, but stay stored in the “cloud” almost indefinitely. Thus, authorities can access all e-mails that are older than six months old, without acquiring a warrant first, since they are still considered “abandoned”. The number of people affected by this old loophole is huge. Yahoo mail reported 302 million users in August 2011 (see the About page here), Hotmail claims 360 million unique users per month and Gmail had 193 million users by the end of 2010.
The six months rule does not apply only to emails, but on all kinds of files. In an age where cloud-based file sharing services like Dropbox and social media like Facebook and Twitter have millions of users, such legal anachronisms are unacceptable.
Another murky part of ECPA has already become a favourite in TV shows and movies, where authorities or technology-savvy bad guys use cell phone GPS to track people. GPS services in cell phones and other mobile Internet services constantly generate location data, which ECPA fails to protect adequately.
Technology has long bypassed law. Due to inertia and, since 9-11, the willingness of politicians to surrender civil rights in the name of national security and executive power, ECPA has been left to stagnate. The situation cannot remain as it is and a number of groups and diverse coalitions like the Digital Due Process have emerged to lobby for change. It will also be interesting to follow the results from the Silicon Value Human Rights Conference, though change will be hard to achieve, given that both Bush and Obama administrations have so far blasted proposals to modernize ECPA.