An emerging dispute over electronic privacy is testing whether President Obama will live up to his promise to protect Americans' online rights.
Earlier this week, the U.S. Department of Justice criticized changes backed by Internet companies and privacy groups that would update a 1986 federal law to extend greater legal protections to cloud-computing and mobile-device users.
Yet strengthening privacy laws is precisely what Obama pledged during the 2008 presidential campaign. He told CNET at the time: "I will work with leading legislators, privacy advocates, and business leaders to strengthen both voluntary and legally required privacy protections."
Well, that was then. Now the Obama administration has come under fire for neglecting to honor the president's commitment, even though the Digital Due Process coalition has been active and advocating for reform for more than a year. Members include Amazon.com, AOL, eBay, Google, Microsoft, Intel, AT&T, the ACLU, and Americans for Tax Reform.
"You're not doing what you said you're going to do," says Brad Jansen, head of the Center for Financial Privacy and Human Rights and a coalition member. "A lot of us had higher expectations for President Obama, so there's a bit of disappointment."
Obama's privacy promise was a cornerstone of his technology platform. His campaign Web site pledged that as president, he would "strengthen privacy protections for the digital age." (PDF)
The coalition is hoping to update the 1986 Electronic Communications Privacy Act, or ECPA, which is notoriously convoluted and difficult even for judges to follow. Under ECPA, Internet users enjoy more privacy rights if they store data locally, a legal hiccup that coalition members fear could slow the shift to cloud-based services unless it's changed to require police to obtain a search warrant to access private communications.
In addition, they say that search warrants supported by the Fourth Amendment's requirement of probable cause should be required to track locations of mobile devices--a requirement that's not always the case today. (See CNET Q&A with Democratic Sen. Ron Wyden about his location privacy proposal.)
But the Justice Department has now laid out a point-by-point rejoinder to three of the coalition's four principles, which it says would, if adopted, have an "adverse impact" on investigations. Last year, federal prosecutors told an appeals court that Americans enjoy no reasonable expectation of privacy in their--or their mobile device's--location.
Another way to put it, perhaps, is that law enforcement concerns are where pro-privacy initiatives go to die.
The White House did not immediately respond to a request for comment.
James Baker, an associate deputy attorney general, told the Senate Judiciary Committee on Wednesday that the administration has not yet figured out where it stands on reforming ECPA. "We don't have a cleared position yet from the administration on these proposals," he said.
One reason is that the Commerce Department has advocated a more pro-business perspective in discussions that have been taking place behind closed doors. The department's general counsel, Cameron Kerry, said the discussions are ongoing and they're "moving as quickly as we can toward an administration white paper."
Kerry, the younger brother of former presidential candidate John Kerry, and Assistant Attorney General Christopher Schroeder last October were named co-chairmen of an interagency subcommittee on privacy. It's charged with developing a "public policy direction" for the entire administration; other members represent the Treasury Department, the Department of Homeland Security, and White House cybersecurity staff.
"It takes time to sort through those views and come to a consensus," said Greg Nojeim, senior counsel at the Center for Democracy and Technology, which is coordinating the Digital Due Process coalition.
"Instead of devoting his political capital to imposing a 'Do Not Track' regulatory regime," Radia says, "the president's top priority should be to instruct the Justice and Commerce departments to support extending the probable cause requirement to cover law enforcement access to the contents of electronic communications and cell (location) information."
This week, a group of conservative and libertarian groups sent a letter to senators urging them to move "immediately" to "extend the Fourth Amendment's protections against the unreasonable search and seizure of digital documents and other electronic information." (PDF) It was signed by groups including the Competitive Enterprise Institute, TechFreedom, FreedomWorks, and the Liberty Coalition.
History suggests that it can take years to reach an agreement on privacy when law enforcement's views are diametrically opposed to those of businesses and civil libertarians. Perhaps the closest parallel was the political trench warfare over encryption regulations in the 1990s, during which the FBI successfully blocked attempts to reform the Cold War-era laws that were supported by a similarly broad coalition of consumer groups and technology companies.
There was no rhetorical mountain too steep for then-FBI director Louis Freeh to climb. In 1997, Freeh told a Senate panel that "uncrackable encryption will allow drug lords, terrorists, and even violent gangs to communicate with impunity." He predicted that relaxing federal regulations would let crypto "proliferate to the point where any kidnapper or any drug dealer could purchase it off the shelf and connect up with a network which would make all of those activities covert."
It took the better part of a decade for the White House to side with privacy interests over law enforcement. In an echo of the Digital Due Process coalition today, the Clinton administration's eventual decision was catalyzed by the Americans for Computer Privacy lobby group, which brought together the leading tech companies of the era: Microsoft, Netscape, and Oracle. The Center for Democracy and Technology helped to organize it, as it has helped to coordinate the Digital Due Process coalition, and the ACLU and the Electronic Frontier Foundation also lent a hand.
"The real test is how Obama as president will referee these institutional vested interests," says Brad Jansen of the Center for Financial Privacy and Human Rights. "He could choose not to choose--in which case he's essentially siding with the Department of Justice as opposed to updating the laws and taking new technologies into consideration."
Here's how the Justice Department's testimony squares with the coalition's principles:
Digital Due Process Coalition Principle No. 1: An Internet or telecommunications provider may "disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause."
Justice Department's response (PDF): A warrant is too restrictive because "if a person stores documents in her home, the government may use a subpoena to compel production of those documents." In addition, "not all federal agencies have authority to obtain search warrants." Finally, there's the potential "adverse impact on criminal as well as national security investigations if a probable cause warrant were the only means to obtain such stored communications."
Digital Due Process Coalition Principle No. 2: Police may access "prospectively or retrospectively, location information regarding a mobile communications device only with a warrant."
Justice Department's response: For less precise information from cell towers, a "requirement of probable cause has hampered the government's ability to obtain important information in investigations of serious crimes." A warrant should be used only for "prospective E-911 Phase II geolocation data," typically "derived from GPS or multilateration."
Digital Due Process Coalition Principle No. 3: Police should be allowed to access "prospectively or in real time, dialed number information, e-mail to and from information, or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding" that specific and articulable facts show it's relevant and material to an ongoing criminal investigation. That's a lower standard than a search warrant's probable cause requirement, but in practice perhaps not that much lower.
Justice Department's response: It "makes sense that a person using a communication service should be able to consent to another person monitoring addressing information associated with her communications." (In a 2006 brief to the Sixth Circuit in Warshak, the Justice Department argued there could be a terms-of-service exemption: "The Fourth Amendment allows a third party to consent to the search of another's container when the owner expressly authorize[s] the third party to give consent...Any expectation of privacy can be waived, even in a service available to the public.")