Cloud Privacy Update Tackled By Lawmakers

Proposed legislation seeks to bring 26-year-old privacy law up to speed with law enforcement requests in the age of mobile and cloud.
In an effort to update a 26-year-old electronic privacy law, two Congressmen have introduced a new bill that aims to clarify the standards by which authorities can access data in the cloud and on mobile devices.

Congressman Jerrold Nadler (D-NY), the, and Congressman John Conyers, Jr. (D-MI), the Ranking Member of the House Judiciary Committee, on Thursday introduced the Electronic Communications Privacy Act Modernization Act of 2012, a bill that proposes to make electronic privacy protections set forth in the 1986 Electronic Communications Privacy Act (ECPA) more consistent across different electronic services and devices and more clearly delineated.

The bill aspires to balance the needs of law enforcement with the privacy rights of Americans by requiring a warrant based on probable cause before a service provider can be compelled to reveal a user's private communications or online documents. The bill also requires a warrant to compel the disclosure to authorities of location information. And it includes rules for notifying users when service providers comply with such warrants and for delaying notification when disclosure might jeopardize a legitimate investigation.

"ECPA was passed in 1986, well before we commonly used the Internet for e-mail, much less for 'cloud computing' and remote storage," said Nadler in a statement. "Communications technology is evolving at an exponential rate and, as such, requires corresponding updates to our privacy laws."

The legal standards by which authorities can demand access to an email offer an example of why ECPA needs to be updated. Government access to a person's email is subject to different legal standards, depending on whether the message is being written, is in transit, is stored with a service provider, or has been read. Similarly, authorities seeking to access a document stored on a personal computer generally must obtain a warrant. But that isn't necessarily the case if the document is stored with an Internet service provider.

The Electronic Communications Privacy Act Modernization Act of 2012 supports the position advocated by the Digital Due Process Coalition, a group composed of leading Internet companies, including Amazon, Apple, AT&T, eBay, Facebook, Google, Microsoft, and Twitter, along with privacy groups and legal scholars.

The group notes that ECPA has been criticized by the courts for its inadequate guidance about Internet surveillance and that in the past five years at least 30 federal opinions about government access to mobile phone data have come to different conclusions.

Privacy researcher Christopher Soghoian, via Twitter, called the bill "the best thing in online privacy I've seen come out of DC in several years." But without the backing of a prominent Republican lawmaker, it remains to be seen whether the bill will be approved by the Republican-controlled House of Representatives during an election year.
