by Vivek Mohan
It is no surprise to those following consumer or enterprise computing that we are moving inexorably towards the cloud. The availability of increased – and of increasingly mobile – connectivity to the Internet has allowed for the development, and widespread usage, of cloud-based services. At the same time, mobile devices have undergone a rapid evolution, expanding both in capability as well as market penetration. Devices such as the iPhone and iPad have revolutionized the marketplace in less than five years since their release.
Individuals are increasingly using the cloud to store vast troves of personal information. From health records to sensitive communications, the convenience of “accessible anywhere” information has proven an irresistible draw to a generation of users. In my recent paper, “Cloud and Mobile Privacy,” I discuss how the law in the United States leaves a vast majority of information that consumers believe to be private and protected from government surveillance available to investigators without so much as a warrant.
The Electronic Communications Privacy Act of 1986, commonly known as “ECPA,” sets the standards that government agencies must adhere to when seeking to access an individual’s electronic communications. Much has changed in the past 25 years, but ECPA has remained the same. As with many laws, ECPA set legal standards based on analogies – analogies that did not stand the test of time.
Mobile devices and cloud computing have changed the way we store and access data; now, as our most sensitive information is increasingly stored remotely by third parties, the law creates a set of perverse incentives for providers of that storage space. Cloud-based email, under certain circumstances, is afforded the same level of protection as physical trash. The government is able to obtain location and “transactional” data from mobile phones, without a warrant. These realities are not only disturbing, but they are also little known by the public at large.
At times, it is difficult not to commiserate with Justice Douglas’ lament in Osborn v. United States – “We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government.” Justice Douglas wearily expressed this sentiment in 1966; we have successfully held off this predicted dystopia to some degree for the last half-century. It is time to amend ECPA to reflect the realities of today – and it is time for companies that provide cloud services to inform their customers as to the surveillance risks that they face.
Vivek Mohan is Fellow, Information and Communications Technology and Public Policy, at the Belfer Center for Science and International Affairs, Harvard Kennedy School