Legal experts and law enforcement agents say new and updated laws are required to protect user privacy while allowing law enforcement to catch cybercriminals.
A revamp to the 1986 Electronic Communications Privacy Act will help set policy around new technology that the creators of that law didn't imagine, panelists said during a cybercrime conference hosted by the University of Washington's School of Law on Friday.
The act was written long before current email systems were devised. "In 1986, no one thought email would be stored indefinitely, so the statute says that 180-day-old email is stale and therefore not in need of protection," explained Sharon Nelson, formerly the director of the Shidler Center for Law, Commerce and Technology at the University of Washington School of Law.
That means law enforcement doesn't need a warrant to access emails from 180 days ago, or emails and other data stored in the cloud, experts said.
Law enforcement and privacy advocates disagree on exactly how the law should be updated to accommodate data saved in the cloud.
Groups like the Center for Democracy and Technology want law enforcement to be required to get a warrant in order to access information stored in the cloud. Companies including Google and Microsoft are also backing this idea; they're part of a group called Digital Due Process working for changes in the ECPA.
The Department of Justice appears to think that the current laws around cloud data work. Today, prosecutors require a subpoena, which gives people the opportunity to challenge the request, in order to access data in the cloud, said Jason Weinstein, deputy assistant attorney general for the Department of Justice.
ECPA reform has been a sticky issue, which became clear during the panel discussion. "To listen to them, we're a bunch of jack-booted thugs who want to vacuum up as much information about Americans as we can," Weinstein said, referring to those pushing for tougher privacy rules.
"The danger is that in making changes to ECPA ... we could intentionally or unintentionally hinder law enforcement to protect public safety and national security," he said.
He complained that people focus too much on trying to limit government access to data while ignoring the way that companies or criminals abuse personal information.
In fact, the largest aggregator of personal information is the private sector, not the government, said Jenny Durkin, U.S. attorney in the Western District of Washington.
Indeed, there are two sets of regulations that would provide clarity in order to allow business to flourish, said Brad Smith, general counsel at Microsoft.
When Smith is in Brussels, he said, people commonly point out that the EU has data privacy laws while the U.S. doesn't. That's only partly true, he said. The EU has laws that govern practices companies must follow regarding consumer data, but there is no European-level legislation governing data retention between the government and citizens. The U.S. doesn't have legislation around how companies must handle consumer data but it does have laws, like ECPA, about how the government can access data.
Microsoft thinks it's very important to have clear and balanced laws in both areas. "We are supportive of this because we see it as essential in the long term for building a healthy marketplace," Smith said.
Laws around the use of personal data by companies would help track down security holes, said Chris Hoofnagle, a professor at the University of California Berkeley School of Law.
"We have no ability to tell how personal information traverses the market economy," he said. As a result, if someone tries to sue a company because of identity theft, the company has a great defense because hundreds of organizations likely have the same personal information about the person. That means the person can't prove where the data leak happened.
Companies are notoriously reticent to say who they sell customer data to. Hoofnagle and his students sought to collect a list of companies that the top 100 websites sell customer data to. They reached out to the websites and most didn't respond, others declined to share the information and others said they didn't know, he said.
While it might be complicated to put systems in place to govern the flow of personal data, the concept isn't unprecedented, said Jan Whittington, assistant professor at the University of Washington. "We have put in place extravagant systems to protect consumers," she said. For instance, the U.S. has elaborate systems to ensure that clean water flows through taps in people's homes, she said.
While all of the panelists agreed that some reform is necessary to at the very least clarify existing laws, most thought such reforms are likely under the current Congress.