Reporter with Silicon Hills News

Matthew Henry, an attorney with the Electronic Frontier Foundation

Matthew Henry, an attorney with the Electronic Frontier Foundation

There are a lot of problems with the existing privacy laws when it comes to electronic communication in the cloud. Not the least of which, from the perspective of a company like Rackspace, is the fact that federal investigators want information from emails and cloud storage services, but they really don’t understand the technology. So they ask Rackspace to do the searching for them.
That was a key point brought up by Perry Robinson, vice president and general counsel for Rackspace at a panel Tuesday night entitled: No Freedom Without Privacy: the ECPA Needs an Upgrade. The reason it’s so easy for the federal investigators—among others—to access people’s email accounts, phone calls and other data in the cloud is that laws protecting privacy of communication haven’t changed in nearly 30 years, according to panelist Matthew Henry, an attorney with the Electric Frontier Foundation. As Henry pointed out, in 1986, a personal computer could only store data equivalent to two digital photographs.
Since there was no storage space on personal computers, unopened email stored on a third party server was considered abandoned property after 180 days. All it took for investigators to get hold of it was a written statement that the contents of the email were needed for an investigation. That’s still the case. Senators Patrick Leahy and Mike Lee have proposed one of several sets of amendments to the Electronic Communications Privacy Act that would require investigators to get a warrant for electronic communications. But those are stalled in Congress.

No Privacy in the Cloud?

Investigators, whose case was represented on the panel Tuesday night by attorney and former prosecutor Arthur Gollwitzer III, question whether citizens should have any privacy in the cloud. After all, Gollwitzer said, privacy laws were created to protect what people did in their own homes. But Robinson, whose company has been deluged with requests to mine information from its customers’ data, argues that U.S. has laws governing communication should be device agnostic. It shouldn’t matter what medium that communication uses.
Gollwitzer, said he is as libertarian-minded as any of roughly 30 people in the room and agrees that the law should change. But he pointed out that a lot of the communication people use today is public. Like Twitter and Facebook. Moreover, he said, U.S. citizens can’t protect against privacy violations on information stored on servers in other countries, like Korea.
“Do you really have a reasonable expectation of privacy in the cloud?” he asked. “I don’t know. That’s debatable…. ”
He pointed out that many people trade privacy for convenience when signing up for services. They wind up clicking “I agree” to contracts they never read that permit those sites to share their data for cross selling opportunities.
The difference between that and having your records open to investigators, Robinson said, is choice. His wife, for example, would prefer a land line to a cell phone and has filters set up to keep her searches private. He joked that it takes five minutes for a page to load on her computer. As for him, he doesn’t care if the pizza place tracks him. After all, he’s letting the pizza guy come to his house.
Choosing to make your information public is different from giving federal agencies open access to use your information to investigate you. Information gleaned during one of these searches, even for a non-criminal investigation, can be shared with other federal agencies or even, as Gollwitzer pointed out, with the media.

Intimidation Tactics

In the past, said Robinson, Rackspace rarely spoke about the requests it got to divulge customers’ information. For one thing, if Rackspace spoke about one agency using them to mine information, others would see the company as a source for the information they sought. But Robinson said they decided to begin speaking out, partly because some investigators use intimidation tactics that many small and medium sized businesses who lack staff attorneys may mistake as actual threats. For example, an investigator might say “The attorney general isn’t going to be happy with your refusal to cooperate. ” As Robinson said, as an attorney, he knows to respond “The attorney general is your boss, not mine” and require that any requests follow proper channels. A company who doesn’t have a staff attorney might not know to do that.
Some investigators have tried to pass the visits to Rackspace off as “The cost of doing business” for a hosting company. Robinson countered that the cost of doing business was taxes, health insurance, setting up an LLP. Not, “Oh, from time to time the government might want to come in and take two employees for six hours and pick their brains about how to get this information…. A lot of folks in government have no idea how tech actually works.”
Some companies charge a fee for that service. So far, Rackspace hasn’t. Gollwitzer supported the idea of charging fees for those services as a kind of checks and balances system. On the small budgets they have, he said, a lot of law enforcement agencies would think twice about asking third party providers to do searches for them if the cost were high enough.
Robinson said that wasn’t the point.

Privacy is Device Agnostic

“ECPA 2.0 needs to talk about protecting information generally,” Robinson said. “ We should protect communications. It shouldn’t matter whether it’s a piece of paper, email or a phone call. Whatever we come out with in the future the protection should apply regardless of the medium.”
The current law leaves too much to the discretion of lawmakers. And agencies like the Securities and Exchange Commission want the same kind of access that criminal investigators and those responsible for national security have.
“Law enforcement officers in order to do their jobs…are accessing loopholes for the specific purpose of getting around some of the protections we have in place,” said Howard. “So for me one of the biggest concerns I have when I look at ECPA is that there are loopholes in the law and they are using them and they shouldn’t be.”
Gollwitzer pointed out that, with the law as it stands, investigators were doing nothing wrong to try to get information from private emails.
Robinson agreed that “Law enforcement will go as far as they’re able to go….Judges don’t just sit and look at laws on their own and say ‘Which ones seem constitutional? Let me take a look at all the laws that came out of Congress last year and figure out which ones to knock out with a line item veto….’” People who want laws to change have to take action.
The panel was sponsored by Google and America’s Future Foundation. Arif Panju, attorney with the Institute for Justice, moderated the panel at Fonda San Miguel.