The law that protects the privacy of consumer data in the cloud, the Electronic Communications Privacy Act (ECPA), was written in 1986 before the cloud even existed, and the White House has now endorsed a petition to have the law upgraded.
At its We The People petition website, the White House yesterday officially endorsed a petition called “Reform ECPA: Tell the Government to Get a Warrant.”
The issue of cloud data ownership, and government access to data, has been heating up in the corridors of power over the past few months.
As things stand now, the ECPA could allow law enforcement access to email or other data that is more than 180 days old without a warrant. It’s also used by law enforcement to justify forcing U.S. companies to hand over data stored in overseas data centers, again, without a warrant.
That last item is particularly troubling to some U.S. tech businesses that offer web services and store the resulting data in the cloud.
And it’s especially concerning considering that the world is moving quickly toward mobile computing and away from the desktop. Mobile computing devices aren’t designed for storage, so all the data we generate or access on mobile is stored in some cloud or other. This can include anything from sensitive medical and financial information to family pictures and email.
So the security and privacy of that data is of paramount importance.
In the wake of revelations about NSA data surveillance in the last few years, foreign companies have experienced a drop in confidence when it comes to storing data in the clouds of U.S. companies, says Morgan Reed, executive director of The App Association.
European leaders have even proposed a Europe-only cloud. “And these proposals aren’t coming from fringe actors,” Reed points out in a recent article. “German Chancellor Angela Merkel and former European Commission Vice President Neelie Kroes are among the leading voices calling for these drastic steps.”
The Department of Justice claims it can legally access personal data stored anywhere in the world if it’s stored by an American company. In fact, the DOJ has recently argued in court that American law supersedes the law of other countries where a company might have a data center. So the DOJ could access data from that data center even if the laws in that country clearly prohibit such an action.
While the ECPA establishes a warrant standard for law enforcement access to cloud documents, it doesn’t address the DOJ’s claim to extraterritorial warrants to access data stored in overseas servers.
But another bill — the Law Enforcement Access to Data Stored Abroad Act (LEADS) — establishes a clear set of rules governing how law enforcement can access data stored abroad.
The bill was introduced in the Senate by Senators Chris Coons, Orrin G. Hatch and Dean Heller, and in the House by Representatives by Suzan DelBene and Tom Marino.
The issue of government access to cloud data took center stage today at a House Judiciary Committee hearing on the Internet of Things. Watch the opening comments of App Association’s Reed.
Here’s Rep. Ted Poe making a big push for ECPA reform during the hearing.
Here’s Congresswoman Suzan DelBene (sponsor of the LEADS Act & co-chair of Internet of Things caucus) talking about government access to data in the cloud.
Both the LEADS Act and the ECPA overhaul could play a role in reforming consumer cloud data protections. The Obama Administration points out that while it supports ECPA reform, it’s not backing any particular bill at this time.