Legal experts and law enforcement agents say new and updated laws are required to protect user privacy while allowing law enforcement to catch cybercriminals.
A revamp to the 1986 Electronic Communications Privacy Act will help set policy around new technology that the creators of that law didn't imagine, panelists said during a cybercrime conference hosted by the University of Washington's School of Law on Friday.
The act was written long before current email systems were devised. "In 1986, no one thought email would be stored indefinitely, so the statute says that 180-day-old email is stale and therefore not in need of protection," explained Sharon Nelson, formerly the director of the Shidler Center for Law, Commerce and Technology at the University of Washington School of Law.
That means law enforcement doesn't need a warrant to access emails from 180 days ago, or emails and other data stored in the cloud, experts said.
Law enforcement and privacy advocates disagree on exactly how the law should be updated to accommodate data saved in the cloud.
Groups like the Center for Democracy and Technology want law enforcement to be required to get a warrant in order to access information stored in the cloud. Companies including Google and Microsoft are also backing this idea; they're part of a group called Digital Due Process working for changes in the ECPA.
The Department of Justice appears to think that the current laws around cloud data work. Today, prosecutors require a subpoena, which gives people the opportunity to challenge the request, in order to access data in the cloud, said Jason Weinstein, deputy assistant attorney general for the Department of Justice.
ECPA reform has been a sticky issue, which became clear during the panel discussion. "To listen to them, we're a bunch of jack-booted thugs who want to vacuum up as much information about Americans as we can," Weinstein said, referring to those pushing for tougher privacy rules.
"The danger is that in making changes to ECPA ... we could intentionally or unintentionally hinder law enforcement to protect public safety and national security," he said.
He complained that people focus too much on trying to limit government access to data while ignoring the way that companies or criminals abuse personal information.
In fact, the largest aggregator of personal information is the private sector, not the government, said Jenny Durkin, U.S. attorney in the Western District of Washington.
Indeed, there are two sets of regulations that would provide clarity in order to allow business to flourish, said Brad Smith, general counsel at Microsoft.
When Smith is in Brussels, he said, people commonly point out that the EU has data privacy laws while the U.S. doesn't. That's only partly true, he said. The EU has laws that govern practices companies must follow regarding consumer data, but there is no European-level legislation governing data retention between the government and citizens. The U.S. doesn't have legislation around how companies must handle consumer data but it does have laws, like ECPA, about how the government can access data.
Microsoft thinks it's very important to have clear and balanced laws in both areas. "We are supportive of this because we see it as essential in the long term for building a healthy marketplace," Smith said.