Tag Archives: ecpareform

76 Companies and Organizations Urge Congress to Ensure Privacy of Online Communications

On September 8, 2014, the Association of Research Libraries joined a broad coalition of seventy-six technology companies as well as privacy and public interest organizations in sending a letter to Senate Majority Leader Harry Reid (D-NV) and House Majority Leader Kevin McCarthy (R-CA) urging reform of the Electronic Communications Privacy Act (ECPA). Both the Senate and House have considered bills to update ECPA and ensure that Fourth Amendment privacy protections extend to the online communications. The House version of ECPA reform, H.R. 1852 reached a milestone of 218 co-sponsors on June 17, 2014 representing a majority of the House and the bill enjoys broad bipartisan support. Since that date, additional co-sponsors have been added to H.R. 1852 and more than 260 Members have joined in their support of this bill. The Senate bill, S. 607, also enjoys bipartisan support and was introduced by Senators Leahy (D-VT) and Lee (R-UT) and was approved by the Senate Judiciary Committee in 2013.

ECPA reform is necessary to ensure that the Fourth Amendment guarantees of privacy apply equally to digital information as it does to physical property. ECPA, enacted in 1986, has not kept pace with evolving technologies and allows government agencies to access online communications that are older than 180 days without obtaining a warrant, thereby affording digital information, such as that which is stored in the cloud, less protections than data stored locally in a home or office. The bills considered by Congress would require warrant-for-content, a standard that the U.S. Department of Justice already follows. Civil regulatory agencies want an exception, however, allowing the collection of content directly from third-party service providers. The letter states clear opposition to a “carve-out of regulatory agencies or other rules that would treat private data differently depending on the type of technology used to store it.”

As libraries and universities increasingly used cloud-based services and more communications take place online, ensuring that the Fourth Amendment extends to information in the digital world becomes critical. ECPA reform would avoid the current absurdity that currently affords online communications and information less protection than physical documents.

Broad Coalition Opposes Cyber Information Sharing Act of 2014

On June 26, 2014 the Association of Research Libraries joined with thirty-four other organizations opposing the Cyber Information Sharing Act of 2014 (CISA). This broad coalition sent a letter to Majority Leader Harry Reid (D-NV), Minority Leader Mitch McConnell (R-KY), U.S. Senate Select Committee on Intelligence Chairman Dianne Feinstein (D-CA), and U.S. Senate Select Committee on Intelligence Vice Chairman Saxby Chambliss (R-GA) expressing concerns that the bill would create a loophole in existing privacy laws and does not prevent the government from requesting “voluntary” cooperation from private companies in sharing information, including content of communications.

The letter raises a number of concerns, including threats the bill poses to whistleblowers and transparency. Additionally, with respect to specific privacy concerns, the letter notes that the bill creates a “danger of a potential end-run around the Foreign Intelligence Surveillance Act (“FISA”), the Electronic Communications Privacy Act (“ECPA”), the Fourth Amendment and other crucial privacy protections [which] is compounded by the potentially broad immunity conferred on sharing ‘in accordance’ with the act, and the additional absolute defense when sharing occurs in violation of the act but in ‘good faith’ reliance on the mistaken belief that the sharing is lawful.”

This letter makes several specific recommendations:

  • Ensure that DHS is the custodian of cybersecurity information voluntarily shared by the private sector, and has the authority to prevent sensitive information from being transmitted to the intelligence community and military without appropriate privacy protections;
  • Ensure that information shared is “reasonably necessary” to describe a cybersecurity threat;
  • Restrict the use of information received under the sharing authority to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, or to protect children from serious threats;
  • Limit FOIA restrictions to those provided by 6 U.S.C. §§ 131-34 (2012).14
  • Require public disclosure of annual reports from relevant inspectors general describing what information is received, how it is used, who gets it and how it is treated to protect privacy.
  • Include a sunset provision in the bill keyed to these reports, which will allow the measure to expire if abuse or misuse is disclosed;
  • Allow individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.

Majority of House of Representatives Co-Sponsor Email Privacy Act; ARL Applauds Milestone in ECPA Reform Efforts

The Association of Research Libraries (ARL) is pleased that on June 17, 2014, the Email Privacy Act, H.R. 1852, reached a milestone of 218 co-sponsors, representing a majority of support from the members of the House of Representatives.

The Email Privacy Act, originally introduced by Rep. Yoder (R-KS) on May 7, 2013, would update an outdated law known as the Electronic Communications Privacy Act (ECPA) and ensure that important Fourth Amendment privacy protections extend to online communications. ECPA was enacted in 1986 and has not kept pace with evolving technologies. The law permits government agencies to access e-mails, documents and other communications that are older than 180 days and stored online without obtaining a warrant, affording online communications with less protection than hard copy documents stored in a filing cabinet.

As libraries and universities move services into the cloud and more communications take place online, it is critical that Fourth Amendment protect information long considered to be private—including what individuals are reading or researching, and to whom they are talking—even in the digital world. The growth of the Internet has launched new forms of communications and changed the way individuals interact since ECPA’s enactment in 1986. The Email Privacy Act would change the absurd results of ECPA and require agencies to obtain a warrant for content, thereby ensuring that Fourth Amendment protections extend to online documents and communications.

A majority of the House of Representatives clearly supports the restoration of these important privacy rights and ARL urges Congress to act quickly to pass the Email Privacy Act. There is no logical reason to grant greater privacy protection for hard copy documents or traditional forms of communication than for documents stored in the cloud or e-mail and social media communications. The Email Privacy Act provides a practical solution to this absurdity.

White House Report to President Obama on Big Data

On May 1, 2014, a report by Administration officials to President Obama on big data was released. The report was signed by John Podesta, Counselor to the President; Penny Pritzker, Secretary of Commerce; Ernest J. Moniz, Secretary of Energy; John Holdren, Director of the Office of Science & Technology Policy; and Jeffrey Zients, Director of the National Economic Council. The report is the result of a ninety-day study by the review group, convened at the request of President Obama at a January 17 speech at the Justice Department.

The report discusses some of the concerns and challenges with respect to big data and ultimately makes several recommendations. The report is broken into six parts: 1) Big Data and the Individual; 2) Obama Administration’s Approach to Open Data and Privacy; 3) Public Sector Management of Data; 4) Private Sector Management of Data; 5) Policy Framework for Big Data; and 6) Conclusions and Recommendations. Highlights from the report, including are included below.

Big Data and Education
One portion of the report specifically focuses on big data and education, recognizing the wide range of technology and platforms used at all levels of education. The report notes that new technologies allow institutions to personalize education and improve learning, but also raise concerns regarding student privacy. For example, the report states that:

Data from a student’s experience in massive open online courses (MOOCs) or other technology-based learning platforms can be precisely tracked, opening the door to understanding how students move through a learning trajectory with greater fidelity, and at greater scale, than traditional education research is able to achieve. This includes gaining insight into student access of learning activities, measuring optimal practice periods for meeting different learning objectives, creating pathways through material for different learning approaches, and using that information to help students who are struggling in similar ways. [… ]

The big data revolution in education also raises serious questions about how best to protect student privacy as technology reaches further into the classroom. While states and local communities have traditionally played the dominant role in providing education, much of the software that supports online learning tools and courses is provided by for-profit firms. This raises complicated questions about who owns the data streams coming off online education platforms and how they can be used. Applying privacy safeguards like the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, or the Children’s Online Privacy Protection Act to educational records can create unique challenges.

The report further notes that user information from education platforms “can be very personal” and that the U.S. Department of Education released guidelines for online educational services in February 2014. These guidelines highlight the importance of compliance with FERPA when entering into agreements with third parties regarding student data. The report concludes that “The Administration is committed to vigorously pursuing these questions and will work through the Department of Education so that all students can experience the benefits of big data innovations and teaching and learning while being protected from potential harms.”

Privacy and Law Enforcement
The report also recognizes that while big data can be a useful tool for law enforcement and security, “they also pose difficult questions about their appropriate uses.” Big data can be used to better understand criminal organizations through pattern analysis, but gathering of such data can also include information about individuals not subject to investigation. It also cautions that use of predictive technologies, while potentially useful in anticipating and preventing crimes, is controversial. It is therefore necessary to balance civil liberties and privacy interests with law enforcement goals.

Data Held by Third Parties
The big data report summarizes Fourth Amendment case law, particularly with respect to data held by third parties. It cites the seminal Supreme Court cases from the 1970s in United States v. Miller and Smith v. Maryland, both of which held that an individual does not have a legitimate expectation of privacy in information voluntarily turned over to third parties, also known as the “third party doctrine.”

In light of Supreme Court jurisprudence in this area, Congress enacted the Privacy Act of 1974, the Electronic Communications Privacy Act of 1986 (ECPA) and the Pen/Trap Act, which provide statutory protection for records held by third parties. However, these pieces of legislation may be seen as outdated and, “In light of technological advances, especially the creation of exponentially more electronic records about personal interactions, some commentators have called for a reexamination of third-party doctrine.” The report notes that the Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a subscriber has a reasonable expectation of privacy in his e-mail, analogous to a letter or phone call that would be protected. Similarly, in the recent Supreme Court case, United States v. Jones, Justice Sotomayor wrote a concurrence expressing the concern that the third-party doctrine may be “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The report notes that while post-Warshak, warrants are required for content, metadata is being collected and obtained under the third-party doctrine and suggests that examination of the metadata issue, even beyond intelligence activities, should be expanded.

The authors of the report recognize that evolving technologies have created a need to re-evaluate current practices:

ECPA was originally passed in 1986. It has served to protect the privacy of individuals’ stored communications. But with time, some of the lines drawn by statute have become outdated and no longer reflect ways in which we use technology today. In considering how to update the Act, there are a variety of interests at stake, including privacy interests and the need for law enforcement and civil enforcement agencies to protect public safety and enforce criminal and civil law. Email, text messaging, and other private digital communications have become the principal means of personal correspondence and the cloud is increasingly used to store individuals’ files. They should receive commensurate protections.

Similarly, many protections afforded to metadata were calibrated for a time that predated the rise of personal computers, the Internet, mobile phones, and cloud computing. No one imagined then that the traces of digital data left today as a matter of routine can be reassembled to reveal intimate personal details. Today, most law enforcement uses of metadata are still rooted in the “small data world”, such as identifying phone numbers called by a criminal suspect. In the future, metadata that is part of the “big data” world will be increasingly relevant to investigations, raising the question of what protections it should be granted.

The report also acknowledges the challenge that “once data is collected, it can be very difficult to keep anonymous.”

Conclusions and Recommendations

The authors of the report conclude by making six policy recommendations:

  1. Advance the Consumer Privacy Bill of Rights. The Department of Commerce should take appropriate consultative steps to seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights and then devise draft legislative text for consideration by stakeholders and submission by the President to Congress.
  2. Pass National Data Breach Legislation. Congress should pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 201 Cybersecurity legislative proposal.
  3. Extend Privacy Protections to non-U.S. Persons. The Office of Management and Budget should work with departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person’s nationality
  4. Ensure Data Collected on Students in School is Used for Educational Purposes. The federal government must ensure that privacy regulations protect students against having their data being shared or used inappropriately, especially when the data is gathered in an educational context.
  5. Expand Technical Expertise to Stop Discrimination. The federal government’s lead civil rights and consumer protection agencies should expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law.
  6. Amend the Electronic Communications Privacy Act. Congress should amend ECPA. To ensure the standard of protection for online, digital content is consistent with that afforded in the physical world—including by removing archaic distinctions between email left unread or over a certain age.