We applaud Sen. Mike Lee (R-UT) and Sen. Patrick Leahy (D-VT) for introducing the ECPA Modernization Act of 2017 to protect user privacy in cloud content and geolocation information. As part of a congressional effort to reform the Electronic Communications Privacy Act, the Senate bill complements the Email Privacy Act (H.R. 387), which the House passed in February 2017 by voice vote—the second time the House has passed this legislation with overwhelming bipartisan support.
Think about the last time you gave up your personal data to a large corporation. Chances are it was within the last few hours especially if you’ve shopped on Amazon, watched Netflix, or even walked into a Rite Aid, Target, or Macy’s with the store app open on your phone.
And if you can’t remember exactly where you were, you can check out your Google Maps Timeline, which stores a year’s worth of information about the routes you’ve traveled. Did you mean to give up all that data?
We support these bills and urges Congress to enact ECPA reform legislation this year. Both the House and Senate bills require law enforcement to obtain a probable cause warrant from a judge to access private content stored by third-party service providers. This would codify the 2010 Sixth Circuit Court of Appeals decision in Warshak v. United States, which held that the government violated the Fourth Amendment when it obtained emails stored by a third-party service provider without a probable cause warrant. This would also be consistent with the 2015 Ninth Circuit Court of Appeals decision in United States v. Kitzhaber, which held that the defendant had a reasonable expectation of privacy in his emails stored by a third-party service provider.
Additionally, the Senate bill:
- Requires the government to obtain a probable cause warrant from a judge to access geolocation information stored by third-party service providers;
- Requires the government to notify a user when it obtains a warrant to access the user’s cloud content or stored geolocation information;
- Requires the government to obtain a probable cause warrant from a judge in order to acquire real-time geolocation information, for example, via a cell-site simulator (a.k.a., IMSI catcher or Stingray) or GPS tracking device. This is consistent with the 2012 U.S. Supreme Court decision in United States v. Jones, in which five justices agreed that ongoing electronic surveillance by the government of an individual’s movements implicates that individual’s reasonable expectation of privacy.
- Provides a suppression remedy if the government accesses cloud content or stored or real-time geolocation information without a warrant or otherwise in violation of the law. This means that a court can deem such data inadmissible as “evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof.”
- Heightens the standard for the government to obtain a pen register order (to capture numbers dialed) or trap-and-trace order (to track an incoming caller) from a court.
The Senate bill thus embodies the first three principles of the Digital Due Process coalition, a diverse group of civil liberties non-profits, technology companies, trade associations, and others that support ECPA reform.
However, the Senate bill isn’t perfect. For example, we would prefer that the government be required to provide notice to a user after it obtains real-time geolocation information. The bill does not explicitly require this. While Federal Rule of Criminal Procedure 41(f)(2)(C) requires after-the-fact notice, a statutory notice mandate would preempt attempts to amend the court rules.
Marketers claim that when you give up your personal data, you are participating in a rational trade-off. You decide that the benefits of using online tools including search, recommendations and personalized shopping outweigh potential privacy concerns. Indeed, studies have shown that some customers are starting to see targeted advertising as an alternative form of online currency that’s exchanged for free products or customization.
But people also respond more favorably to targeted ads when they have the ability to control their privacy settings. But do we feel that we have that control?
Consider how much you agree or disagree with the following two statements:
1) “I want to have control over what marketers know about me online.”
2) “I’ve come to accept that I have little control over what marketers can learn about me online.”
If you agree with both statements, as 58% of Americans did in a 2015 national survey from the University of Pennsylvania, then you’re part of a generation of consumers going through a process of resignation. We want to control our personal data and how it is used, but we’ve mostly given up.
We don’t believe these technologies are half as problematic for the following reasons:
Online stores track us more extensively and warrant more focus from a privacy standpoint (although that distinction may matter less in an increasingly omni-channel world).
For beacons to track us, they interact with the store app, which we have to install in the first place — although retailers can also track us through partner apps.
Consumer data and analytics deliver great value such as personalized recommendations on Amazon and Netflix.
We do not completely discount the potential value but are not enthused by it either. In fact, personalized promotions are an example of something that might seem valuable but is not. To see his point, take a look at this next set of statements. Do you agree with them?
1) “Price discrimination is illegal in the United States.”
2) “Most large U.S. corporations engage in price discrimination.”
If you answered yes to the first question, you side with a majority of Americans, who purportedly believe that price discrimination is illegal both online and in stores. Indeed, there are a host of anti-discrimination, privacy, and consumer protection laws in place.
But most people underestimate the extent to which price discrimination is a reality in a world of personalized promotions. Companies are increasingly using personalized discounts to engage in a form of price discrimination that may not be desirable. Stores like Walmart, Target, and Macy’s use beacons to track where customers are in their stores so its apps can send them personalized offers. You might be standing in the diaper aisle and be sent a better deal than the person next to you. And the algorithm that determines that discount might use all kinds of factors such as past purchases and zip codes to make that decision.
Some consumers might lose out while being left in the dark. Although personalized discounts have been around for a while, mainly based on broader demographic categories, access to data and technology now allows these companies to seamlessly scale targeted advertising and marketing offers.
So what can you do if this makes you uncomfortable? It’s not clear that walking away is an option either. By refusing to give up your data, you might miss personalized discounts and end up paying even higher prices.
Either way, corporations are teaching us that in order to get along in the 21st century, we need to give up some personal data. One study showed that individuals assign decidedly different values to their personal data, but are in general more willing to disclose sensitive information when others around them are doing the same.
Is it fair to make the disclosure of personal information a necessary condition for a consumer and firm to transact? And what is a way forward that does not require us to go back to the world before digital and mobile technologies?
Today, the answer is not so clear. But because the stakes are high, marketers and privacy advocates will continue to work towards a solution.
One potential answer comes from advertising. Driven by their frustration with online advertising, consumers have started installing ad blockers in their browsers. Ad blocking hurts advertising revenues, so it’s no surprise that this practice has gotten the industry’s attention. To address the issue, the Interactive Advertising Bureau (IAB), an advertising industry organization, has proposed the LEAN advertising program.
LEAN — an acronym for light, encrypted, ad choice supported, non-invasive ads — suggests a number of guidelines aimed at protecting user privacy and improving their overall experience with interactive ads. Among the guidelines is the expectation of compliance with the Digital Advertising Alliance’s consumer privacy program. It’s too soon to tell whether LEAN will be widely adopted, but the initiative shows how consumers can take control and get the industry to take action.
The time for ECPA reform is long overdue. ECPA was first passed in 1986 and provides modest privacy protections against government access to electronic communications and content stored by third-party service providers—and it doesn’t even contemplate geolocation information.
The law has not kept pace with advances in technology and the habits of users. With the rise of cloud computing, individuals have come to rely on technology companies to store private emails, text messages, social media posts, photos and other documents, often indefinitely. While such content might contain the most personal of thoughts and details about an individual, many users do not realize that an email stored on a Google or Microsoft server has less protection than a letter sitting in a desk drawer at home. And users often can’t control how and when their whereabouts are being tracked by technology.
We urge Congress to act quickly to enact ECPA reform legislation, which would provide critical privacy protections for users of modern technology without unduly hindering law enforcement.