Technology Companies Are Pressing Congress to Bolster Privacy Protections

Technology Companies Are Pressing Congress to Bolster Privacy Protections

By ELENA SCHNEIDER MAY 26, 2014

WASHINGTON — A Reagan-era law that allows the government to read email and cloud-stored data more than six months old without a search warrant is under attack from technology companies, trade associations and lobbying groups, which are pressing Congress to tighten privacy protections. Federal investigators have used the law to view content hosted by third-party providers for civil and criminal lawsuits, in some cases without giving notice to the individual being investigated.

Nearly 30 years after Congress passed the law, the Electronic Communications Privacy Act, cloud computing companies are scrambling to reassure their customers, and some clients are taking their business to other countries.

Ben Young, the general counsel for Peer 1, a web hosting company based in Vancouver, British Columbia, said his customers were keeping their business out of the United States because the country “has a serious branding problem.”

“We’ve enjoyed a competitive advantage in Canada,” he said, “because the public perception in the business community is that American law enforcement has more access to data than in other parts of the world.”

Places such as Germany, Iceland and Switzerland are trading on a reputation of stronger protections for companies, but such safeguards are not universally tighter than those in the United States. “Some countries are stricter on privacy, and some of them are not,” said Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, a technology advocacy group.

Privacy has been an increasing concern since Edward J. Snowden’s revelations last year about bulk data collection by the National Security Agency, but an overhaul of the Electronic Communications Privacy Act has failed to break into the national conversation. “Because it’s not sexy,” said Katie McAuliffe, the executive director for digital liberty at Americans for Tax Reform.

The United States’ image problem has caused “real, tangible harm” for businesses, said Christian Dawson, the chief operating officer at ServInt, a web hosting company based in Reston, Va. “It’s very easy for providers outside the country to say, ‘Hey, move your business offshore into an area that cares more about your privacy.’ They don’t have better laws necessarily. They have a better marketing department.”

Silicon Valley giants like Facebook, Twitter and Google say they will no longer hand over their customers’ data without a search warrant. But smaller web hosting and cloud computing companies may be outmuscled by law enforcement officials as they try to protect their customers, said Ron Yokubaitis, the co-chief executive of Data Foundry, a data center company based in Texas.

“Mostly, they are going to comply because they don’t know their rights or can’t spend the money to resist,” he said.

A coalition of technology companies, trade associations and lobbying groups, called Digital Due Process, is pushing Congress to bolster privacy rules. Bipartisan bills in the House and the Senate have brought together a hodgepodge of supporters, including liberals and Tea Party favorites.

Senator Mike Lee, Republican of Utah, co-sponsored the Senate bill. He said in a recent interview that “like most Americans,” he was shocked to find that the 1986 statute was on the books.

“Almost every American thinks that it is frightening that we have a law that suggests that the government has the right to read your email after only 180 days,” Mr. Lee said. “It’s an easy issue in which to achieve bipartisan compromise and consensus.”

The bill would require a search warrant for access to electronic communications, with exceptions for some emergency situations. It would also require the government to notify individuals within 10 days that their information was being investigated. However, it does not address rules for location data, like GPS information from an individual’s cellphone.

The Senate Judiciary Committee approved the bill a year ago, but it has since stalled. One reason is resistance from federal investigating agencies that use subpoenas to gain access to electronic communications in civil cases, particularly the Securities and Exchange Commission.

“The S.E.C. cannot get a search warrant, so a bill that requires a warrant to obtain emails from an I.S.P. would undermine the S.E.C.’s ability to protect American investors and hold wrongdoers accountable,” said Andrew Ceresney, the director of the Division of Enforcement at the S.E.C., referring to Internet service providers. Instead, the S.E.C. would have to rely on an individual’s voluntary disclosure of digital content.

But some legal experts, and at least one appeals court, do not find that argument compelling. “The courts say that email on a server somewhere is like email in your virtual home,” said Orin S. Kerr, a professor at George Washington University Law School. “We wouldn’t say the S.E.C. should have the power to tell your landlord to break into your apartment and get evidence. The same rule should apply.”

The United States Court of Appeals for the Sixth Circuit, in Cincinnati, ruled in 2010 that part of the Electronic Communications Privacy Act was unconstitutional. Since the decision, most major technology companies have required a search warrant for customers’ content.

“They are an administrative agency that is holding up this process because they are demanding unconstitutional new powers,” said Chris Calabrese, legislative counsel at the American Civil Liberties Union, referring to the S.E.C.

Texas has taken the matter into its own hands. Last summer, Gov. Rick Perry, a Republican, signed a bill that will force law enforcement officials to obtain a warrant to view any electronic communications in the state, essentially the same measure that waits on Capitol Hill.

But the S.E.C. has indicated that it is open to negotiations. The agency’s chairwoman, Mary Jo White, “supports a number of other ways to address privacy interests and still allow the S.E.C. and other civil law enforcement agencies to gather critical email evidence from ISPs,” Mr. Ceresney said.

Representative Kevin Yoder, Republican of Kansas and a co-sponsor of the House bill, said that provisions of the Electronic Communications Privacy Act were “frankly much worse” than the N.S.A.’s domestic surveillance program. While the N.S.A. program involves the collection of phone-calling information known as metadata, the privacy act allows law enforcement officials to actually read emails, “and in many cases Americans don’t know it’s happening to them,” Mr. Yoder said.

For cloud computing companies, something is better than nothing when it comes to changes to the law.

“We need a meaningful response from the government,” Mr. Young of Peer 1 said. “It doesn’t have to be sweeping, and it doesn’t have to fix everything overnight. The United States’ status as a leader in Internet innovation is being seriously threatened.”

Mr. Dawson of ServInt just expanded the company’s operations to Amsterdam, and he said the firm was more likely to grow there, “which is a shame.”

http://www.nytimes.com/2014/05/27/us/technology-firms-press-congress-to-tighten-privacy-law.html?partner=rss&emc=rss&smid=tw-nytimes&_r=1