Last October the well-known hacking group Chaos Computer Club revealed that the German state police had been monitoring the computers of ordinary citizens using specially designed surveillance software. This spyware could peek into users’ files, record keystrokes, take screenshots of Web pages users happened to be visiting, and even commandeer Web cams and microphones, giving the cops an open window into the home. The revelations invited comparisons to the Stasi, the infamous police force that operated in the former East Germany.
It was a clear violation of citizens’ rights—and about as quaint as a cold war spy movie. Nowadays governments have far more comprehensive ways of monitoring citizens than merely tapping computers on desktops or in briefcases. Hardly any of us still keep our private data solely in any one machine; instead it resides on corporate servers far from our homes. E-mail providers save messages in giant server farms distributed around the world. Online services such as Google Docs, Dropbox and iCloud store spreadsheets and word-processing files in the “cloud” so that we can work on critical documents wherever we happen to be. Wireless phone companies keep records of the individual towers our cell phones connect to as we move around our communities. We tend to assume that these data are ours to keep private, just as we expect that the data on our machines are private. But here the law fails us.
The last wholesale revision to U.S. electronic privacy law was the Electronic Communications Privacy Act of 1986 (ECPA), which prevented law enforcement from eavesdropping on digital files as they moved through the nascent Internet. (Before then, the Department of Justice had argued that monitoring anything that wasn’t a voice call wasn’t a wiretap and therefore didn’t require a warrant.) Yet much has since changed. In 1986, when digital storage was expensive, an e-mail provider would send a file to the recipient’s computer and delete the message from its own servers soon thereafter. Congress therefore let the protections of the act expire after a file had been stored for 180 days. In 1986 cell phones were still mostly called “car phones” because the briefcase-size boxes they required were usually kept in a vehicle. The first satellite that would make up the Global Positioning System was still three years away from launch, as was the World Wide Web. In 1986 Facebook genius Mark Zuckerberg was two.
Law-enforcement agencies have been making active use of all the new data these technologies generate. Google reports that U.S. government agencies send it nearly 1,000 requests for user information every month; the company complied with 93 percent of them between January and June of last year (the most recent period for which statistics are available). Verizon executives told Congress in 2007 that law-enforcement agencies send the company 90,000 requests for user details a year, including information on the specific locations of cell-phone customers.
In part because of this deluge, a broad coalition of technology companies, think tanks and privacy advocates called Digital Due Process has formed to ask Congress to update the ECPA for the modern age. Its demand is simple enough: if a law-enforcement agency wants to look at private user data—whether e-mails, documents or cell-phone location information—it needs a warrant. This reasonable demand for clarity is fully in keeping with the spirit of the original ECPA, as well as the Fourth Amendment of the Constitution’s prohibition “against unreasonable searches and seizures.” Indeed, the Digital Due Process coalition has brought together some uncommon allies—the American Civil Liberties Union, the Competitive Enterprise Institute, Amazon, Americans for Tax Reform and AT&T, to name just a few near the top of the alphabet. It deserves support from all members of Congress, too.
It is important to maintain a balance between the needs of security and the right of each citizen to lead a private life. Cops should be able to investigate a suspect’s e-mail, location and other data. But first they should have to ask a judge.