Google, Microsoft Push Feds to Fix Privacy Laws

A coalition of the net’s biggest online service providers, including Google and Microsoft, are joining with the top internet rights groups to demand Congress modernize the nation’s privacy laws. Among the reforms pushed by the so-called Digital Due Process coalition is a requirement that law enforcement get warrants from a judge when they want to […]

digitaldueprocessA coalition of the net's biggest online service providers, including Google and Microsoft, are joining with the top internet rights groups to demand Congress modernize the nation's privacy laws.

Among the reforms pushed by the so-called Digital Due Process coalition is a requirement that law enforcement get warrants from a judge when they want to force companies to turn over your e-mails, documents and location data. But despite issuing a clarion call to change privacy laws, none of the companies that are pushing citizens to store more and more sensitive information online announced any change to their own practices.

The coalition announced its four principles in a conference call with reporters Tuesday. The group says they've briefed the White House, the FBI and Congress on the proposed changes and expect hearings this year. Congress isn't expected to act before 2011, because of a crowded legislative agenda.

Changes in technology dictate the need to update the nation's electronic privacy law, known as the 1986 Electronic Communications Protection Act, according to Jim Dempsey of the Center for Democracy and Technology.

"With the emergence of location services and the transfer of a huge amount of data to the cloud and our huge reliance on cloud storage of e-mail messages, the law has become outdated and needs to be updated," Dempsey said in the conference call.

For instance, when the law was crafted, e-mail was almost always downloaded from a central server to a user's computer. Any messages left after 180 days were considered abandoned, so the law allows police to obtain any e-mail older than six months simply by issuing a subpoena -- meaning no judge is involved. If those e-mails had been downloaded to a user's computer and removed from the server, the police would need a search warrant, based on probable cause, to get at them.

But now that Americans store gigabytes of e-mails on Yahoo's, Google's and Microsoft's servers, those different standards make no sense, and the law should be platform independent, according to Dempsey.

Corporate members of the coalition made no commitment to transparency on Tuesday, even as they continue to encourage users to store more and more data on the companies' servers. Earlier this year, Microsoft tried to suppress publication of its surveillance manual, which told law enforcement what data the company collects through its online services such as Hotmail and Xbox Live. The document also included sample language for subpoenas.

For its part, Google has refused for years to divulge how often it is served with search warrants, law enforcement subpoenas or civil subpoenas for the immense amount of data it collects. Nothing in the law prevents Google or Yahoo or AOL from publishing that information, but all of them refuse (though Google laudably makes a point of publishing copyright takedown notices on ChillingEffects.org.)

With the announcement, Google and Microsoft are tacitly acknowledging that their services, combined with the deficiencies in the law, put their users at risk. However, there's no mention of these problems in their respective privacy policies. There's no option to delete all documents and e-mails older than 180 days. And there's no reminders to users about the holes in the law.

Instead the companies are signing onto four principles, which essentially would require a judge to approve any law enforcement request for online data.

  1. The government has to get a warrant based on a showing of probable cause in order to get at non-publicly available e-mails, Facebook postings, documents or photos. This includes communications shared in a small group, but not made publicly. This would not protect you if you happen to friend an undercover police officer and share photos or online postings with that officer.
  2. The government has to get a warrant -- based on probable cause -- to get at location data from mobile devices. Currently, the courts are split on the standard necessary, and the Obama administration has followed the Bush administration's lead in seeking this data using a lower standard.
  3. Any time the governmental law enforcement agents want to get at the names of the people you e-mailed or the digits that you dialed, whether in real-time or from stored records, it needs to get a judge's approval.
  4. The government can only use a subpoena (self-issued) to get at data on a particular individual. If it wants to know all the identity of all mobile phone users in a particular area at a particular time, or wants bulk search records, it needs to get a judge's approval.

Taken on their own, the principles are a great start -- though they should also require law enforcement to report more information to the public on their use of such warrants, and make it illegal to use information gleaned from improper requests in court.

Microsoft decided to sign on to the principles as part of its support of "cloud computing," according to Michael Hintze, an associate general counsel for the software giant. As Microsoft encourages individuals and its enterprise customers to embrace its hybrid desktop/cloud technology, the company is finding that customers are concerned about security and privacy, Hintze said.

"The principles restore what we think is the right balance that is in keeping with customers' expectations," Hintze said. "We know there is a legitimate need for law enforcement to access data to fight crime online."

He also defends the lack of transparency to customers about the hole in electronic privacy law. "Trying to explain that to customers in way they can understand is nearly an impossible task," he said. "We don't always know what rules will apply."

As for transparency, Hintze says Microsoft does not publish numbers on legal requests for customer information, though it has a large team that handles subpoenas and warrants. "We would like to see more transparency across the industry," Hintze said. "But no one company wants to stick its head up to talk about numbers."

As for the takedown of Cryptome for its publishing of a law enforcement surveillance manual, Hintze called that an "unfortunate situation" where the intellectual property lawyers at Microsoft didn't realize the impact of their use of a copyright takedown notice. "In the future, we will draft them with the expectation that they probably should be public," Hintze said.

For its part, a Google spokesperson cut off a question about how many subpoenas it handles a year, saying "You know we don't discuss that."

Asked about its responsibility to inform users of the privacy hole in federal law, Google's law enforcement and information security counsel Richard Salgado says the rules are too complicated, so it's pushing to make them simpler.

"You have judges with decades of experience struggling with this statute," said Salgado, a former federal cybercrime prosecutor. "That's one of the reasons we need to improve it so that users can understand the protections they are afforded."

Kevin Bankston at the EFF sees the announcement as a good start for companies his organization has long criticized for encouraging users to put their documents online without pushing hard for changes to privacy laws.

"That's their duty as good corporate citizens," Bankston said. "Today is the beginning of that push."

"We hope and expect that the larger members are going to push this as hard as they can, so that their businesses can grow without creating new privacy holes," Bankston said.

The principles do not apply to Patriot Act powers -- such as the much-abused National Security Letter power, or to the massive spying power handed to the National Security Agency in July 2008, when then Senator Barack Obama voted to legalize President Bush's warrantless wiretapping program and retroactively throw out lawsuits filed against the nation's telecoms that abetted the extrajudicial spying on Americans' e-mails and phone calls.

The biggest beneficiary of retroactive immunity -- AT&T, which installed NSA spying rooms inside its facilities and faced multiple lawsuits from citizens -- is also a member of the so-called Digital Due Process group.

Other members of the coalition include the Electronic Frontier Foundation (the lead group suing AT&T), mobile location service Loopt, the ACLU, the American Library Association, Salesforce.com and the libertarian-leaning Progress and Freedom Foundation. Noticeably absent is Yahoo, though it is indirectly a member through its membership in the Net Coalition, which signed on.

Senator Patrick Leahy (D - Vermont) has already announced plans to hold a hearing, and in press release, praised the announcement, saying it is "clear that our federal electronic privacy laws are outdated."

*Editor's note: We corrected the spelling of Microsoft's associate general counsel, Michael Hintze. *

Home Page Art: WallyG / Flickr

See Also: