The U.S. Department of Justice is looking at updating the 1986 Electronic Communications Privacy Act (ECPA), which is woefully behind the times when it comes to securing data sent or stored over the cloud. But, like most legislation passed to regulate technology, it’ll probably be out of step with the real world.
According to an article posted over at CIO magazine (Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod), the Obama Administration and the DoJ want to update the Act “to provide stronger privacy protections for Webmail, documents stored online and other cloud services.”
Arguments are being heard by House subcommittees, and cloud heavyweights Google, Microsoft and Facebook have weighed in on just how out of date the ECPA is. An example cited in the story demonstrates the Act’s archaic nature: “emails and other communications that have been stored with a third-party provider for more than six months on the strength of a subpoena, rather than a warrant issued by a judge.”
Why 180 days? Perhaps it was because when the law was written it was so prohibitively expensive to store data that few people bothered to keep email more than six months?
It’s clearly time to update ECPA, and legislators should be encouraged to do so. But the pace of legislation, and Congress, can’t keep up with technological change. We have communication acts that were written when cell phones didn’t exist, and every time the legislature tries to get specific about technology they get it wrong.
Just look at the CAN-SPAM Act of 2003, which has done nothing to inhibit the flow of junk email to your inbox. The Internet, and the cloud in particular, has no notion of national borders. So what good are government privacy regulations that are only enforceable in the United States?
It’s about time to update these regulations, but don’t expect the government to solve all these privacy and data access problems by applying regulations to technology. Laws that try to legislate how technology works, like CAN-SPAM trying to put up legal barriers to regulate something that has no legal barriers, are meaningless.
Instead, laws that have forced transparency seem to have the biggest positive impact. Regulators should specify you should protect your information so it can’t be breached, but not specify how to do that. That’s a moving target. It’s up to vendors to keep moving the bar.