Risk
4/7/2011
05:10 PM
50%
50%

Justice Department Opposes Changes To Electronic Privacy Law

Congress is discussing updating the 1986 Electronic Communications Privacy Act to deal with new technologies like smartphones, cloud computing, and social networking sites.

Privacy protections "must advance with technology" or privacy will "gradually erode as technology advances." So said the Senate Judiciary Committee -- in 1986, the year that the Electronic Communications Privacy Act (ECPA) was passed.

On Wednesday, that committee met to discuss overhauling the aging law. At the meeting, Sen. Patrick Leahy (D-Vt.), who chairs the committee, said that "while still a useful tool for our government, today, ECPA is a law that is hampered by conflicting standards that cause confusion for law enforcement, the business community and American consumers alike."

For example, he said that from a data collection standpoint, the law doesn't clearly specify how mobile phone location information can be accessed during criminal or national security investigations. As a result, law enforcement agencies must grapple with different interpretations from different courts of the ECPA.

The move to overhaul ECPA began last year, after the Digital Due Process group -- which counts Amazon.com, the Center for Democracy & Technology, Google, Microsoft, and Salesforce.com, among other well-known organizations, as members -- began pushing for the law to be updated, clarified, and simplified.

"ECPA's privacy rules reflect the technology of 1986," according to an analysis published by the Center For Democracy & Technology. "For example, when ECPA was drafted, electronic storage was expensive and providers discarded email shortly after the user downloaded it to his or her computer, or after a few months if it was not downloaded. As a result, ECPA treats emails stored with a provider for more than 180 days as if they were abandoned and makes them available to the government with a mere subpoena."

The Department of Justice, however, signaled that it's happy with the current thresholds for accessing people's private information. James A. Baker, associate deputy attorney general for the Department of Justice, told the committee on Wednesday that "the government's ability to access, review, analyze, and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers, and other malicious actors."

Interestingly, he also suggested that people's online privacy is enhanced if the government has easier access to private data. "By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes."

What's the way forward? Cameron F. Kerry, general counsel for the U.S. Department of Commerce, told the committee that the departments of Commerce and Justice "have been working together to develop a specific set of legislative proposals." But they're not ready yet, and he offered no timeframe for their completion.

As that suggests, balancing the need to give government agencies the legal tools they require, while also protecting people's privacy, won't be easy -- especially in light of ongoing and rapid advances in technology and communication.

"With the explosion of cloud computing, social networking sites, and other new technologies, determining how best to bring this privacy law into the digital age will be one of Congress's greatest challenges," said Sen. Leahy.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.