1986 Privacy Law Is Outrun by the Web
Concerned by the wave of requests for customer data from law enforcement agencies, Googlelast year set up an online tool showing the frequency of these requests in various countries. In the first half of 2010, it counted more than 4,200 in the United States.
Google is not alone among Internet and telecommunications companies in feeling inundated with requests for information. Verizon told Congress in 2007 that it received some 90,000 such requests each year. And Facebook told Newsweek in 2009 that subpoenas and other orders were arriving at the company at a rate of 10 to 20 a day.
As Internet services — allowing people to store e-mails, photographs, spreadsheets and an untold number of private documents — have surged in popularity, they have become tempting targets for law enforcement. That phenomenon became apparent over the weekend when it surfaced that the Justice Department had sought the Twitter account activity of several people linked to WikiLeaks, the antisecrecy group.
Many Internet companies and consumer advocates say the main law governing communication privacy — enacted in 1986, before cellphone and e-mail use was widespread, and before social networking was even conceived — is outdated, affording more protection to letters in a file cabinet than e-mail on a server.
They acknowledge that access to information is important for fighting crime and terrorism, but say they are dealing with a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty.
“Some people think Congress did a pretty good job in 1986 seeing the future, but that was before the World Wide Web,” said Susan Freiwald, a professor at the University of San Francisco School of Law and an expert in electronic surveillance law. “The law can’t be expected to keep up without amendments.”
Law enforcement agencies have reacted in the aftermath of 9/11 and argue the opposite side of the coin, fearing that changing communications technology will impede their access to crucial information.
Last year, for example, the Justice Department argued in court that cellphone users had given up the expectation of privacy about their location by voluntarily giving that information to carriers. In April, it argued in a federal court in Colorado that it ought to have access to some e-mails without a search warrant. And federal law enforcement officials, citing technology advances, plan to ask for new regulations that would smooth their ability to perform legal wiretaps of various Internet communications.
“When your job is to protect us by fighting and prosecuting crime, you want every tool available,” said Ryan Calo, director of the consumer privacy project at the Center for Internet & Society at Stanford Law School. “No one thinks D.O.J. and other investigative agencies are sitting there twisting their mustache trying to violate civil liberties. They’re trying to do their job.”
Even Google, when it posted its online tool, acknowledged that the majority of requests it received “are valid and the information needed is for legitimate criminal investigations.”
Still, Internet companies chafe at what they say is the weaker protection under the law afforded online data. They contend that an e-mail should have the same protection from law enforcement as the information stored in a home. They want law enforcement agencies to use a search warrant approved by a judge or a magistrate rather than rely on a simple subpoena from a prosecutor to obtain a person’s online data.
While requests for information have become routine, the way Internet companies respond is not. In the WikiLeaks case, Twitter took the unusual step of seeking to unseal the court order so it could follow its own internal policies and notify its customers, the WikiLeaks members, that the government wanted information about them. Privacy experts praised Twitter for this.
Most of the time, companies do no such thing; they are not required to do so under the patchwork of rules that govern law enforcement access to customer data.
But as the data requests mount, companies like Google, Twitter and Facebook find themselves on the front lines of the tug of war between security concerns and the need to protect privacy.
The rules established by the 1986 Electronic Communications Privacy Act depend on what type of information is sought and how old it is. And courts in different jurisdictions have interpreted the rules differently.
But in many cases, the government does not notify people that they are searching their online information or prove probable cause, and if the government violates the law in obtaining information, defendants are generally unable to exclude that evidence from a trial, Ms. Freiwald said.
Generally law enforcement officials do not need a warrant to read e-mail messages that are more than 180 days old. This makes online surveillance different from surveillance of postal mail or phone calls. For example, when wiretapping phones, law enforcement must get a court order and when searching homes, they must obtain a warrant.
At the same time, since the attacks of 9/11, it has become increasingly common for law enforcement to demand that its requests for information be sealed from the people who are the target of the investigation, as the Justice Department initially did in the WikiLeaks case.
In contrast, Twitter’s policy “is to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order.”
In the WikiLeaks case, Twitter has told the targets of the government investigation that it would turn over the information after 10 days unless they went to court to seek to block the release of the data, according to online postings by Birgitta Jonsdottir and Robbert Gonggrijp, two of the people who said they had received notices from Twitter.
Electronic privacy and civil rights advocates say they worry that because the WikiLeaks court order gained such widespread attention, it could have a chilling effect on people’s speech on the Internet. But it could also teach unknowing Web users about the limits of the law, they said.
In the absence of updated regulations, meanwhile, the tension between Internet companies and law enforcement is causing diplomatic strain as well. The Iceland government, of which Ms. Jonsdottir is a member, has said it will ask the American ambassador to explain the request for information about her. And in a recent post to Twitter, Ms. Jonsdottir said she was talking with American lawyers about her legal options.