Americans are moving more and more of their personal data onto the Internet. We send and save emails through Hotmail and Gmail. We share photos with Flickr and post videos on YouTube. We set up everything from our calendars to video rentals so they can be managed remotely from our cellphones and multiple computers.
What most Americans don’t realize is that if the government wants to read your emails, look at your pictures or gain access to any data that you have stored online for more than 180 days on sites including Yahoo!, Google Docs, and online backup sites, it can do so without a search warrant. Data saved online is not protected by the Fourth Amendment in the same way that information is protected if it is stored on a home computer, CD, or detachable hard drive.
A new bill introduced by Sen. Patrick Leahy, Vermont Democrat, is a good step toward closing this huge loophole. The bill would extend due-process provisions against illegal wiretapping in the ancient and outdated 25-year-old Electronic Communications Privacy Act (ECPA). It would update the ECPA to include personal files and information that is stored in online data centers owned and operated by third parties, known in tech circles as the “cloud.” Under Mr. Leahy’s bill, the government would be forced to secure a warrant if it wanted access to emails or other information you have stored online.
Right now, the law only protects the privacy of data while it’s moving across the network. It leaves vulnerable any information that might be saved in the thousands of data centers nationwide. These are virtual lockboxes, with no functional distinction from a home PC disk drive, which in turn has little functional distinction from a locked desk drawer. As online services and applications evolve and become more popular, it is critical that these privacy and due process protections extend to data saved online. Public cloud infrastructure, applications and platforms are growing rapidly. A comScore study calculated that more than 153 million people visited Web-based email providers in November 2010 alone. And the International Data Corp. found that at the end of 2010, 34 percent of Internet users stored personal pictures online, 7 percent stored personal videos, 5 percent paid to store files and 5 percent backed up their hard drives by uploading data to websites. These numbers are all expected to grow.
Today, the government can access most of that personal data without even bothering to get a search warrant. And law enforcement agencies already have shown that they will take advantage of any lack of specific constitutional safeguards to access private data. Using the PATRIOT Act, the FBI demanded that phone companies turn over thousands of calling records of U.S. citizens in what amounted to a fishing expedition under the guise of the war on terror. The courts found this illegal. The new bill would codify this and require federal, state, and local law enforcement agencies to provide a name, address, and probable cause before demanding a search warrant for private phone records. The same would apply to Internet Protocol (IP) addresses and the geolocational information that cellphones and dashboard navigational devices collect.
This protection is badly needed. At the same time, the bill could be strengthened even more if, as the American Civil Liberties Union suggests, there were stricter reporting requirements about the use of online surveillance and greater safeguards against the use of “emergency exemptions” that could undermine the bill’s aims.
The current ECPA was passed in 1986 and is in desperate need of updating. It was written when communications were mostly done over land-line phones. The Internet was just in its infancy and still unknown to most. The Fourth Amendment delineates the right of citizens to be “secure in their persons, houses, papers, and effects.” Our legal system needs to keep up with technology instead of giving government ways to use it for end runs around the Constitution.
Steven Titch is a telecommunications policy analyst at Reason Foundation. This column originally appeared in The Washington Times.