The debate over the government's role in setting restrictions for online behavioral targeting puts a wide gulf between privacy advocates and right-of-center civil libertarian groups. But when it comes to government surveillance, it's easier to build a bridge.
A broad and diverse coalition of often-feuding advocacy groups and businesses, including Microsoft (NASDAQ: MSFT) and Google (NASDAQ: GOOG), on Tuesday launched a campaign to update a more than two-decades-old statute that they say has fallen dangerously out of step with the way people are using the Internet to communicate and share information.
The Electronic Communications Privacy Act (ECPA), signed into law in 1986, established safeguards designed to block unauthorized government access to electronic data, but critics have long warned that the law contains significant loopholes that don't protect the sensitive personal or location-based information people are uploading to Web services.
In the era of cloud computing, when e-mails, photos and other information are stored on far-flung corporate servers, a law rooted in the earliest days of the Internet that sets the rules for government and law-enforcement access is in sore need of an update, according to the Digital Due Process coalition.
"At the time, ECPA worked pretty well. It was a very forward-looking statute," Jim Dempsey, vice president of public policy at the Center for Democracy and Technology, told reporters on a conference call announcing the coalition. "[But] 1986 was light years ago in Internet terms and it's now time to update ECPA."
Dempsey said that today's launch was the culmination of a two-year period of study and consultation with a broad array of current and former law-enforcement officials, industry representatives and other groups. Over the past month, the coalition has met with members of Congress on both sides of the aisle to pitch its proposal for ECPA reform, as well as officials from the White House, Justice Department, FBI and the Department of Commerce.
The group looks ahead to congressional hearings on updating the statute this year, though in an election-shortened year its leaders aren't holding out hope for legislative action until the next session, at the earliest.
"We're not expecting that these [reforms] will be enacted this year," Dempsey said. "But it is time to begin the dialogue."
In a statement, Senate Judiciary Chairman Patrick Leahy (D-Vt.) praised the group's work on the issue, and promised that his committee would hold hearings on updating ECPA this year.
"While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated," Leahy said. "I appreciate the coalition's ideas in this area, and I encourage others in Congress to work with me to address these important privacy and law enforcement issues."
Focusing on privacy in the cloud
Dempsey's group, the CDT, has also been active in pressing for tougher consumer privacy protections in Internet marketing, an area where a coalition such as the one announced today would be impossible to organize. Joining in the fight for ECPA reform are groups like the Progress and Freedom Foundation and the Competitive Enterprise Institute, market-oriented Washington think tanks that routinely oppose efforts to enact regulations in the Internet sector.
In addition to Google and Microsoft, the coalition counts as members companies like AT&T (NYSE: T), Intel (NASDAQ: INTC) and AOL (NYSE: AOL).
For service and cloud providers, the idea of clarifying the ECPA statute carries a real business incentive.
"A lot of the distinctions in the statute are illogical or unclear or inconsistent, which creates challenges in terms of compliance," said Mike Hintze, Microsoft's associate general counsel.
Hintze also pointed to a recent study Microsoft commissioned regarding consumer attitudes toward cloud services, which identified concerns over privacy and security as a chief barrier to adoption.
"As we have increased our investments in cloud services, we've been looking at things like what are the hindrances to cloud adoption," he said. "We just want to make sure that the standards are clear ... that we can inform users what those standards are and that they can understand those standards."
Under ECPA, courts have generally found that data stored on an individual's personal computer is more tightly protected from law enforcement than personal data stored on a company's servers. To access a user's home computer, law enforcement officers require a warrant or a court order, while authorities have been able to obtain information from service providers with only the strength of a subpoena, which Dempsey quipped "is Latin for 'no judge has ever reviewed this.'"
"A subpoena, unlike a warrant or unlike a court order -- most lay people don't realize this -- is literally issued by the prosecutor," he said. "Those are issued at the discretion of an executive branch official," he added.
"There really are no checks and balances there that are meaningful."
The group is also pushing to tighten up protections for location-based data, an area that has generated considerably more confusion when it has come under judicial review.
Kevin Bankston, an attorney with the Electronic Frontier Foundation, said that lower courts have offered varying opinions, but "the trend is toward warrant protection, and we want to codify that protection."