by Vivek Mohan
Washington can often be the last thing on an entrepreneur’s mind. And naturally so – the culture of bureaucracy and reputation for being out of touch is the last thing that someone working on the cutting edge of technology wants to think about. Developing innovative products, especially ones that are data-driven, often requires an out-of-the-box style of thinking that can seem directly antithetical to the lethargic enforcement mechanisms of the government. But there are many good reasons for those working on the cutting edge to think about the issues that are “top of mind” for law enforcement and regulators during product development – and in Washington, DC, privacy is undoubtedly one of the key issues of the day.
Over the course of a series of blog posts, I’ll discuss some of the various facets of “privacy” that entrepreneurs should think about. Most of you – especially those of you that work with personally identifiable information, or, even more sensitive health information – are probably familiar with data security. Countless articles have led to the (somewhat justified) widespread fear of the risks of identity theft given a data breach or unauthorized disclosure of such information. Yet among the informed public, fear of misuse of personal information is not limited to a wary eye towards cyber criminals – increasingly, concern has been voiced at the increasing power of the government in electronic surveillance.
Justice William O. Douglas, one of the leading lights on privacy of the 20th century, famously lamented in the 1966 case Osborn v. United States – “We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government.” The last half-century has not quite seen our society devolve into this predicted dystopia; but the combination of rapidly evolving technology, changing social norms, and outdated laws have led us far closer to the edge than most expect.
Today, we’ll take a look at how laws can age in ways that we didn’t expect. Despite the best intentions of the drafters, changing technology and behavior have impacted the operation of various laws to create counter-intuitive – and sometimes downright crazy – incentives. The Electronic Communications Privacy Act of 1986, known as “ECPA,” which sets the standards that government agencies must adhere to when seeking to access an individual’s electronic communications, provides an excellent case in point.
Cloud computing has fundamentally changed the way we store and access data; now, as our most sensitive information is increasingly stored remotely by third parties, the law creates a set of perverse incentives for providers of that storage space. In the late 1980s, email was delivered in a method much analogous to the postal service – email was “sent,” where it would reside upon a server until it was “pulled down” by the local machine that received the message. Acting upon the belief that such basic precepts of electronic communications would endure, ECPA built upon this analogy. In the physical world, mail that has been “abandoned” or discarded is no longer provided Fourth Amendment protections against search and seizure. In other words, the government does not need a warrant to root through your trash. ECPA, for reasons that made sense in the 1980s, defined mail that had been read but was left on a remote server for more than six months as “abandoned” – thereby allowing the government to access it without a warrant. Unread mail, however, no matter the age, was considered to still be “in transmission,” and the government needs a warrant – issued by a court after a showing of probable cause – to access it.
Let’s stop to think about this for a second: in the age of cloud-based email, what does this mean? Continue reading here.
Vivek Mohan is a Fellow of Information & Communications Technology Policy at the Harvard Kennedy School of Government. A graduate of Columbia Law School, Vivek is a native of the Bay Area, and formerly worked as an attorney for Microsoft in Washington DC.