This morning, over two dozen major tech companies, civil rights organizations, lawyers, and privacy advocates banded together to launch Digital Due Process, a coalition that is focused on helping modernize digital privacy laws. Specifically, the coalition is looking to revamp the Electronic Communications Privacy Act, which defines the laws that govern online privacy and how law enforcement can retrieve information from online service providers. ECPA was approved in 1986, when the Internet was in its infancy, and the coalition contends that it has become confusing and doesn’t include enough safeguards to protect user data. Among the coalition’s members are AOL, Google, Microsoft, Intel, Salesforce, Loopt, AT&T, the ACLU, and the EFF.
Here are the four core principles on the DDP website:
- A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.
- A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.
- A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).
- Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.
Google has written a blog post outlining the same principles (the wording is a bit easier to understand) and has also produced a video to explain the issue. Google's version of the principles:
- Better protect your data stored online: The government must first get a search warrant before obtaining any private communications or documents stored online;
- Better protect your location privacy: The government must first get a search warrant before it can track the location of your cell phone or other mobile communications device;
- Better protect against monitoring of when and with whom you communicate: The government must demonstrate to a court that the data it seeks is relevant and material to a criminal investigation before monitoring when and with whom you communicate using email, instant messaging, text messaging, the telephone, etc.; and
- Better protect against bulk data requests: The government must demonstrate to a court that the information it seeks is needed for a criminal investigation before it can obtain data about an entire class of users.