Confusion Over ECPA Standards Drives Away Business, Google Lawyer Says

The government can get an “incredibly intimate portrait” of a person’s daily life through the inconsistencies and ambiguities in ECPA, and is able to access their e-mail, online documents and mobile location information under low legal hurdles, said Julian Sanchez, Cato research fellow. Law enforcement needs a warrant to search Sanchez’s computer for downloaded e-mail, but can use a subpoena or what’s known as a 2703(b) order, convincing a judge the request is relevant to an investigation, to get draft e-mail stored on a server, he said. Yet when the e-mail is initially sent it’s governed by the Wiretap Act, and subject to a warrant before it’s opened by the recipient. The rules are completely different in the area covered by the 9th U.S. Circuit Court of Appeals, which raised the bar for law enforcement access to server copies until downloaded e-mail messages have “expired in the normal course,” in the words of its precedential opinion. “I don’t think even Judge [Alex] Kozinski could tell you” what he meant by that phrase in the ruling, DeVries said.

These “seemingly trivial distinctions” among how messages are composed, sent and read still matter, Sanchez said. Perhaps most worrying now is there’s no statutory guidance on what protection applies to location data, he said: The CALEA law bans the use of pen registers for acquiring such data but some law enforcement requests have been approved for pen registers when accompanied by a 2703(b) order. The ambiguity leaves service providers “radically unclear on what level of protection applies” to the reams of data now being stored indefinitely as the cost of storage plummets, Sanchez said. New frontiers to worry about include access to social network information, which could fall under legal protections for “membership lists,” and online documents, which remain virtually unregulated, he said.

Google services “don’t map well” to ECPA, given their bent toward retaining indefinitely all data created or updated by a user over long periods, DeVries said. Google Docs is particularly a problem for the law since users rarely download the documents they create, meaning they don’t require a warrant to access, he said. The law is “undermining the growth of our services,” not so much among consumers, who haven’t raised a “major outcry” over the privacy of their material, but among business customers. It’s a common complaint from enterprise users that they don’t know how the law will treat their information should it be called for in litigation, DeVries said: “Many of them, even sophisticated business customers, don’t know what the standards are.” A media company, for example, would probably be more comfortable holding onto material that identifies sources and other sensitive data, and fighting or negotiating down government requests, rather than trusting it to a third party like Google that falls under ECPA, he said.

Google doesn’t mistrust the motives of most law enforcement requests, which are “extremely important to tracking down really bad actors,” but “sometimes it’s a hard call” for Google’s team of legal experts dedicated to ECPA requests, DeVries said. Questions unanswered in court include the standard applied to cloud-hosted documents: Does the 180-day period, after which only a subpoena is required, start when a document is first created, last edited, or last viewed? Such thorny issues “breed both waste and risk” both for companies, who risk litigation from users or letting criminals escape, and law enforcement, which may spend precious hours in a fruitless legal quest, he said. The Justice Department spent a year trying to subpoena opened e-mail less than 180 days old from Yahoo in Colorado, where the 9th Circuit’s confusing precedent applies, and backed off when Google among several other companies and groups filed a friend of the court brief opposing the warrantless request, for example, he said.

The four principles the coalition is advocating are “modest,” due to disagreements among participants in the effort, including Justice computer-crime veterans and prosecutors, CDT’s Nojeim said: There were “a lot of pulls in different directions” over three years of meetings at least every other week. The group decided not to “boil the ocean,” in the words of one law-enforcement veteran, by proposing a whole new statute to replace ECPA, he said. A revised law should apply “neutrality” to all platforms, whether desktop-based or remote, and use a “sliding scale” for law enforcement requests, making it more difficult to get “content” such as full e-mails and easier for transactional data or addresses. The exemptions for emergency access and child porn in the law would remain under the proposal, and intelligence issues wouldn’t be touched, Nojeim said. Much of the proposed structure comes straight out of 1998 bipartisan legislation co-sponsored by current Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., including the warrant standard for information shared privately such as photos and status updates on social networks, he said. The House Judiciary Committee in 2000 also approved a crucial part of the proposal, for the heightened protection of real-time information, Nojeim said.

Not addressed by the proposal is cloud providers’ own terms of service that give the provider the right to view and make use of a user’s information, which would seem to counter a user’s “reasonable expectation of privacy,” an audience member said. Some of those terms simply refer to the business model around some services, like Google’s scanning of e-mail content to serve ads in Gmail, Nojeim said: The principles make clear that such automated use of data doesn’t change a person’s privacy interest. Privacy is always contextual, Sanchez said: A person buying condoms in a drugstore without worry about strangers seeing it might be uncomfortable with someone else taking a picture and sending it to his parents.