Tag Archives: Legislation

ECPA Reform Reintroduced in House and Senate

On February 4, 2015, bills to reform the outdated Electronic Communications Privacy Act (ECPA) were re-introduced in both the U.S. House and Senate with bipartisan support.  The bills would update ECPA and provide important privacy protections for electronic communications.  ECPA, a law passed in 1986, has not kept pace with evolving technologies and permits agencies to access documents or communications stored online that are older than 180 days without a warrant.  ECPA has led to an absurdity that affords greater protection to hard copy documents than electronic communications.

The House version of the bill, known as the Email Privacy Act, was introduced by Representatives Yoder (R-KS) and Polis (D-CO) and already has 228 co-sponsors.  In the last Congress, the House version attracted 270 co-sponsors.  The Senate version, known as the Electronic Communications Privacy Act Amendments Act, was introduced by Senators Lee (R-UT) and Leahy (D-VT).

After twenty-nine years since ECPA’s passage, the time for reform is long overdue.  Congress should pass these bills updating ECPA to ensure that 4th Amendment protections apply in today’s digital world.

On Data Privacy Day, ARL Urges Congress to Reform Outdated Online Privacy Law

Today is Data Privacy Day, a day for organizations, companies, and individuals to advocate for stronger privacy rights. One area that is badly in need of reform is the Electronic Communications Privacy Act (ECPA), a law that was passed in 1986 that governs when government agencies can access e-mails and other online communications. This law has clearly not kept pace with evolving technologies and permits agencies to access documents or communications that are older than 180 days and stored online with merely a subpoena, meaning that no warrant or prior judicial consideration is necessary. This result is an absurd one, affording online communications with less protection than hard copy documents stored in an office or filing cabinet.

As libraries and universities move services into the cloud and more communications take place online, it is critical that Fourth Amendment protections continue to apply even in the digital world. The way individuals communicate and interact today has clearly changed since ECPA’s enactment in 1986 and the law must be updated to protect civil liberties. ARL has been a member of a broad coalition that includes civil liberties groups (such as ACLU, CDT, EFF and others) as well as technology companies (such as Google and AT&T) and trade associations (such as CCIA), to advocate for updates to ECPA.

In the last Congress, ARL celebrated when the Email Privacy Act, a bill that would provide much needed updates to ECPA, reached a milestone of 218 co-sponsors in the House of Representatives on June 17, 2014 representing a majority of support from members in the House. The Email Privacy Act ultimately attracted 270 cosponsors with broad, bipartisan support. The Senate had its own version of the bill, which passed committee, but never reached the floor.

Twenty-nine years have passed since ECPA was enacted and today’s digital world is very different from the one that existed in 1986. Congress has waited long enough to act on this important issue and we urge re-introduction and swift passage of the Email Privacy Act.

76 Companies and Organizations Urge Congress to Ensure Privacy of Online Communications

On September 8, 2014, the Association of Research Libraries joined a broad coalition of seventy-six technology companies as well as privacy and public interest organizations in sending a letter to Senate Majority Leader Harry Reid (D-NV) and House Majority Leader Kevin McCarthy (R-CA) urging reform of the Electronic Communications Privacy Act (ECPA). Both the Senate and House have considered bills to update ECPA and ensure that Fourth Amendment privacy protections extend to the online communications. The House version of ECPA reform, H.R. 1852 reached a milestone of 218 co-sponsors on June 17, 2014 representing a majority of the House and the bill enjoys broad bipartisan support. Since that date, additional co-sponsors have been added to H.R. 1852 and more than 260 Members have joined in their support of this bill. The Senate bill, S. 607, also enjoys bipartisan support and was introduced by Senators Leahy (D-VT) and Lee (R-UT) and was approved by the Senate Judiciary Committee in 2013.

ECPA reform is necessary to ensure that the Fourth Amendment guarantees of privacy apply equally to digital information as it does to physical property. ECPA, enacted in 1986, has not kept pace with evolving technologies and allows government agencies to access online communications that are older than 180 days without obtaining a warrant, thereby affording digital information, such as that which is stored in the cloud, less protections than data stored locally in a home or office. The bills considered by Congress would require warrant-for-content, a standard that the U.S. Department of Justice already follows. Civil regulatory agencies want an exception, however, allowing the collection of content directly from third-party service providers. The letter states clear opposition to a “carve-out of regulatory agencies or other rules that would treat private data differently depending on the type of technology used to store it.”

As libraries and universities increasingly used cloud-based services and more communications take place online, ensuring that the Fourth Amendment extends to information in the digital world becomes critical. ECPA reform would avoid the current absurdity that currently affords online communications and information less protection than physical documents.

Broad Coalition Opposes Cyber Information Sharing Act of 2014

On June 26, 2014 the Association of Research Libraries joined with thirty-four other organizations opposing the Cyber Information Sharing Act of 2014 (CISA). This broad coalition sent a letter to Majority Leader Harry Reid (D-NV), Minority Leader Mitch McConnell (R-KY), U.S. Senate Select Committee on Intelligence Chairman Dianne Feinstein (D-CA), and U.S. Senate Select Committee on Intelligence Vice Chairman Saxby Chambliss (R-GA) expressing concerns that the bill would create a loophole in existing privacy laws and does not prevent the government from requesting “voluntary” cooperation from private companies in sharing information, including content of communications.

The letter raises a number of concerns, including threats the bill poses to whistleblowers and transparency. Additionally, with respect to specific privacy concerns, the letter notes that the bill creates a “danger of a potential end-run around the Foreign Intelligence Surveillance Act (“FISA”), the Electronic Communications Privacy Act (“ECPA”), the Fourth Amendment and other crucial privacy protections [which] is compounded by the potentially broad immunity conferred on sharing ‘in accordance’ with the act, and the additional absolute defense when sharing occurs in violation of the act but in ‘good faith’ reliance on the mistaken belief that the sharing is lawful.”

This letter makes several specific recommendations:

  • Ensure that DHS is the custodian of cybersecurity information voluntarily shared by the private sector, and has the authority to prevent sensitive information from being transmitted to the intelligence community and military without appropriate privacy protections;
  • Ensure that information shared is “reasonably necessary” to describe a cybersecurity threat;
  • Restrict the use of information received under the sharing authority to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, or to protect children from serious threats;
  • Limit FOIA restrictions to those provided by 6 U.S.C. §§ 131-34 (2012).14
  • Require public disclosure of annual reports from relevant inspectors general describing what information is received, how it is used, who gets it and how it is treated to protect privacy.
  • Include a sunset provision in the bill keyed to these reports, which will allow the measure to expire if abuse or misuse is disclosed;
  • Allow individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.

Majority of House of Representatives Co-Sponsor Email Privacy Act; ARL Applauds Milestone in ECPA Reform Efforts

The Association of Research Libraries (ARL) is pleased that on June 17, 2014, the Email Privacy Act, H.R. 1852, reached a milestone of 218 co-sponsors, representing a majority of support from the members of the House of Representatives.

The Email Privacy Act, originally introduced by Rep. Yoder (R-KS) on May 7, 2013, would update an outdated law known as the Electronic Communications Privacy Act (ECPA) and ensure that important Fourth Amendment privacy protections extend to online communications. ECPA was enacted in 1986 and has not kept pace with evolving technologies. The law permits government agencies to access e-mails, documents and other communications that are older than 180 days and stored online without obtaining a warrant, affording online communications with less protection than hard copy documents stored in a filing cabinet.

As libraries and universities move services into the cloud and more communications take place online, it is critical that Fourth Amendment protect information long considered to be private—including what individuals are reading or researching, and to whom they are talking—even in the digital world. The growth of the Internet has launched new forms of communications and changed the way individuals interact since ECPA’s enactment in 1986. The Email Privacy Act would change the absurd results of ECPA and require agencies to obtain a warrant for content, thereby ensuring that Fourth Amendment protections extend to online documents and communications.

A majority of the House of Representatives clearly supports the restoration of these important privacy rights and ARL urges Congress to act quickly to pass the Email Privacy Act. There is no logical reason to grant greater privacy protection for hard copy documents or traditional forms of communication than for documents stored in the cloud or e-mail and social media communications. The Email Privacy Act provides a practical solution to this absurdity.

White House Report to President Obama on Big Data

On May 1, 2014, a report by Administration officials to President Obama on big data was released. The report was signed by John Podesta, Counselor to the President; Penny Pritzker, Secretary of Commerce; Ernest J. Moniz, Secretary of Energy; John Holdren, Director of the Office of Science & Technology Policy; and Jeffrey Zients, Director of the National Economic Council. The report is the result of a ninety-day study by the review group, convened at the request of President Obama at a January 17 speech at the Justice Department.

The report discusses some of the concerns and challenges with respect to big data and ultimately makes several recommendations. The report is broken into six parts: 1) Big Data and the Individual; 2) Obama Administration’s Approach to Open Data and Privacy; 3) Public Sector Management of Data; 4) Private Sector Management of Data; 5) Policy Framework for Big Data; and 6) Conclusions and Recommendations. Highlights from the report, including are included below.

Big Data and Education
One portion of the report specifically focuses on big data and education, recognizing the wide range of technology and platforms used at all levels of education. The report notes that new technologies allow institutions to personalize education and improve learning, but also raise concerns regarding student privacy. For example, the report states that:

Data from a student’s experience in massive open online courses (MOOCs) or other technology-based learning platforms can be precisely tracked, opening the door to understanding how students move through a learning trajectory with greater fidelity, and at greater scale, than traditional education research is able to achieve. This includes gaining insight into student access of learning activities, measuring optimal practice periods for meeting different learning objectives, creating pathways through material for different learning approaches, and using that information to help students who are struggling in similar ways. [… ]

The big data revolution in education also raises serious questions about how best to protect student privacy as technology reaches further into the classroom. While states and local communities have traditionally played the dominant role in providing education, much of the software that supports online learning tools and courses is provided by for-profit firms. This raises complicated questions about who owns the data streams coming off online education platforms and how they can be used. Applying privacy safeguards like the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, or the Children’s Online Privacy Protection Act to educational records can create unique challenges.

The report further notes that user information from education platforms “can be very personal” and that the U.S. Department of Education released guidelines for online educational services in February 2014. These guidelines highlight the importance of compliance with FERPA when entering into agreements with third parties regarding student data. The report concludes that “The Administration is committed to vigorously pursuing these questions and will work through the Department of Education so that all students can experience the benefits of big data innovations and teaching and learning while being protected from potential harms.”

Privacy and Law Enforcement
The report also recognizes that while big data can be a useful tool for law enforcement and security, “they also pose difficult questions about their appropriate uses.” Big data can be used to better understand criminal organizations through pattern analysis, but gathering of such data can also include information about individuals not subject to investigation. It also cautions that use of predictive technologies, while potentially useful in anticipating and preventing crimes, is controversial. It is therefore necessary to balance civil liberties and privacy interests with law enforcement goals.

Data Held by Third Parties
The big data report summarizes Fourth Amendment case law, particularly with respect to data held by third parties. It cites the seminal Supreme Court cases from the 1970s in United States v. Miller and Smith v. Maryland, both of which held that an individual does not have a legitimate expectation of privacy in information voluntarily turned over to third parties, also known as the “third party doctrine.”

In light of Supreme Court jurisprudence in this area, Congress enacted the Privacy Act of 1974, the Electronic Communications Privacy Act of 1986 (ECPA) and the Pen/Trap Act, which provide statutory protection for records held by third parties. However, these pieces of legislation may be seen as outdated and, “In light of technological advances, especially the creation of exponentially more electronic records about personal interactions, some commentators have called for a reexamination of third-party doctrine.” The report notes that the Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a subscriber has a reasonable expectation of privacy in his e-mail, analogous to a letter or phone call that would be protected. Similarly, in the recent Supreme Court case, United States v. Jones, Justice Sotomayor wrote a concurrence expressing the concern that the third-party doctrine may be “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The report notes that while post-Warshak, warrants are required for content, metadata is being collected and obtained under the third-party doctrine and suggests that examination of the metadata issue, even beyond intelligence activities, should be expanded.

The authors of the report recognize that evolving technologies have created a need to re-evaluate current practices:

ECPA was originally passed in 1986. It has served to protect the privacy of individuals’ stored communications. But with time, some of the lines drawn by statute have become outdated and no longer reflect ways in which we use technology today. In considering how to update the Act, there are a variety of interests at stake, including privacy interests and the need for law enforcement and civil enforcement agencies to protect public safety and enforce criminal and civil law. Email, text messaging, and other private digital communications have become the principal means of personal correspondence and the cloud is increasingly used to store individuals’ files. They should receive commensurate protections.

Similarly, many protections afforded to metadata were calibrated for a time that predated the rise of personal computers, the Internet, mobile phones, and cloud computing. No one imagined then that the traces of digital data left today as a matter of routine can be reassembled to reveal intimate personal details. Today, most law enforcement uses of metadata are still rooted in the “small data world”, such as identifying phone numbers called by a criminal suspect. In the future, metadata that is part of the “big data” world will be increasingly relevant to investigations, raising the question of what protections it should be granted.

The report also acknowledges the challenge that “once data is collected, it can be very difficult to keep anonymous.”

Conclusions and Recommendations

The authors of the report conclude by making six policy recommendations:

  1. Advance the Consumer Privacy Bill of Rights. The Department of Commerce should take appropriate consultative steps to seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights and then devise draft legislative text for consideration by stakeholders and submission by the President to Congress.
  2. Pass National Data Breach Legislation. Congress should pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 201 Cybersecurity legislative proposal.
  3. Extend Privacy Protections to non-U.S. Persons. The Office of Management and Budget should work with departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person’s nationality
  4. Ensure Data Collected on Students in School is Used for Educational Purposes. The federal government must ensure that privacy regulations protect students against having their data being shared or used inappropriately, especially when the data is gathered in an educational context.
  5. Expand Technical Expertise to Stop Discrimination. The federal government’s lead civil rights and consumer protection agencies should expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law.
  6. Amend the Electronic Communications Privacy Act. Congress should amend ECPA. To ensure the standard of protection for online, digital content is consistent with that afforded in the physical world—including by removing archaic distinctions between email left unread or over a certain age.

ARL Supports Amash-Conyers Amendment to End Bulk Collection Under Section 215

An amendment to the Defense Appropriations bill proposed by Representatives Justin Amash (R-MI) and John Conyers (D-MI) would return Section 215 to a reasonable scope, allowing the collection of important information about suspected terrorists but barring large-scale collection of information about innocent Americans. The Association of Research Libraries strongly supports this amendment, which would curtail the National Security Agency’s (NSA) program to collect the phone records of millions of Americans.

Section 215 is often referred to as the ‘library records provision,’ because libraries have been sounding the alarm about its massive scope for years. The breadth of the statute made overreach nearly inevitable; revelations about the NSA’s bulk collection of information about innocent Americans makes reform imperative.

The Amash-Conyers Amendment is a rare opportunity to send a strong, bipartisan message to the NSA that its surveillance activities have gone too far. ARL applauds Representatives Amash and Conyers and urges other Representatives to join them in voting to restore balance to the NSA’s surveillance practices.

One Step Closer to Getting What You Pay For

photo courtesy of hern42 by CC license

If you pay taxes, then you are contributing to the over $60 billion (with a “B”) the federal government spends annually to support basic and applied scientific research projects in hundreds of universities and labs around the country. It’s not surprising that the richest country in the world would invest some of its public resources in research that can save lives and jump-start new technologies. What is surprising is that after the government spends millions of your dollars supporting this research, the results are made available only through private companies third parties that charge you a fee for access even though you already paid for the research!

Last Thursday the House of Representatives moved to downsize this double-billing system by introducing the Federal Research Public Access Act (aka H.R. 5037, identical to the bill already pending in the Senate, S.1373). More after the jump on what’s in the bill and how you can help get it passed.

Known to its friends as “FRPAA” (rhymes with “sherpa”), the bill would require recipients of research funding from the 11 federal agencies and departments with extramural research budgets of $100 million or more to place a digital copy of the full text of any final manuscript resulting from that funding into an online, interoperable repository, to be made publicly accessible no later than 6 months after publication in a peer-reviewed journal. This gives journals a 6-month window to profit from the journal literature they make available (more than enough to recover costs in the lucrative journal market, where institutions pay millions for up-to-the-second access to bleeding-edge research), but insures free public access thereafter.

The bill’s original co-sponsors are Rep. Doyle (D-PA), Rep. Waxman (D-CA), Rep. Wasserman-Schultz (D-FL), Rep. Harper (R-MS), Rep. Boucher (D-VA), and Rep. Rohrabacher (R-CA). Many other members have expressed interest, and we hope more co-sponsors will be added over the next few weeks.

The Alliance for Taxpayer Access has a nice action page where you can find helpful information about how you can show your support for this important legislation. The main thing you can do: contact your Representative and urge them to support the bill. If they are already a co-sponsor, thank them. If they are not, suggest that they sign on to co-sponsor the bill.

This should be an issue everyone can get behind. It’s not a question of whether information should be “free,” because this research is paid for. FRPAA just gives taxpayers access to the science we bought.