Sweeping bill would update privacy law

Senator introduces long-awaited measure updating a 1986 privacy law to protect location privacy and data kept in the cloud. But in crucial areas, it maintains the status quo.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

The U.S. Congress took the first major step today toward updating a 1986 law, crafted in the pre-Internet era of telephone modems and the black-and-white Macintosh Plus, to protect the privacy of Americans who use mobile phones, Web e-mail, and services like Google Docs, Flickr, and Picasa.

Sen. Patrick Leahy (D-Vt.), the chairman of the Judiciary committee, introduced sweeping legislation that would, in many cases, require police to obtain a search warrant to access private communications and the locations of mobile devices.

"Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security," Leahy said.

But his proposal, called the Electronic Communications Privacy Act Amendments Act of 2011 (PDF), doesn't go as far as privacy advocates and civil liberties groups had hoped.

It doesn't, for instance, require cops to obtain a search warrant to peruse your cell phone's previous whereabouts, even if the location data are only an hour old. It also adopts a proposal suggested by the FBI that would broaden how controversial "national security letters" can be used to obtain private information in a way that bypasses the court system.

Kevin Bankston, senior staff attorney at the Electronic Frontier Foundation, said that he's delighted with portions of Leahy's legislation. "We think this is an absolutely necessary and critical update of the law to protect privacy adequately in a cloud-based Internet economy," he said.

But, Bankston said, "we're disappointed that the bill does not recognize that records of your past location can be just as sensitive as your current location, and just as deserving of strong privacy protections."

Similarly, the ACLU said it's "concerned" that the proposal doesn't include a warrant for previous location information, more reporting requirements for oversight of government surveillance, and legal protections saying information that police and prosecutors obtain in violation of this law would be inadmissible in court.

The Obama Justice Department has already attacked some of the components of Leahy's legislation on different grounds. Last month, a Justice Department official said that granting cloud computing users more privacy protections and requiring court approval before tracking Americans' cell phones would hinder "the government's ability to obtain important information in investigations of serious crimes." A Justice Department spokesman told CNET that his agency "has no formal views" on Leahy's bill and pointed to last month's remarks for its general position on the topic.

The 1986 law in question, called the Electronic Communications Privacy Act, or ECPA, is notoriously convoluted and difficult even for judges to follow. Its labyrinthine wording means that currently, Internet users enjoy more privacy rights if they store data locally, a legal hiccup that some companies fear could slow the shift to cloud-based services unless it's changed.

In March of last year, CNET was the first to report the existence of the Digital Due Process coalition, composed of companies including Google, Facebook, Microsoft, Loopt, and AT&T, along with liberal, libertarian, and conservative advocacy groups including EFF that have urged Congress to update the law.

The coalition has suggested four principles, including that a warrant signed by a judge should be required for the contents of communications and a warrant should be required to access location data. Leahy's bill, Bankston says, fulfills "1.5 of our core principles."

The broader Obama administration does not--at least not yet--have a public position on how ECPA should be changed. An interagency task force has been meeting, but has not reached a public consensus or produced a recommendation, and the Commerce Department has taken a position (PDF) that's more favorable toward privacy and business interests.

In case after case over the last decade, the Justice Department has said that successful criminal investigations depend on being able to obtain electronic data about Americans without search warrants. Prosecutors told a federal appeals court in Philadelphia last year, for instance, that Americans enjoy no "reasonable expectation of privacy" in their, or at least their mobile phones', whereabouts.

The sensitivity of location data, especially, has been the focus of recent attention on Capitol Hill in the wake of revelations about what geoinformation is stored on iPhones and other mobile devices. One Senate committee held a hearing last week on the topic, and a subcommittee of Leahy's own panel will convene one on Thursday morning.

In 2005, CNET disclosed that police were engaging in warrantless tracking of cell phones. In a subsequent Arizona case, agents from the Drug Enforcement Administration tracked a tractor trailer with a drug shipment through a GPS-equipped Nextel phone owned by the suspect. Texas DEA agents have used cell site information in real time to locate a Chrysler 300M driving from Rio Grande City to a ranch about 50 miles away. Verizon Wireless and T-Mobile logs showing the location of mobile phones at the time of calls became evidence in a Los Angeles murder trial.

Last updated at 6 p.m. PT