E-mail, the World Wide Web, social media, and the cloud have rendered federal privacy laws outdated, leaving federal officials perplexed about how to collect and use information about citizens, even those suspected of crimes.
The Government Accountability Office’s latest of several reports on the issue recommends Congress act to update federal law to align with modern technologies.
“The Privacy Act of 1974 identified protections for personally identifiable information,” said Gregory C. Wilshusen, director of information security issues at GAO and author of the report. “However, it refers to systems in which information is retrieved by personal identifiers [like names or Social Security numbers]. There are systems where information isn’t retrieved that way, so agencies consider that they are not covered by this limitation. There is a gap in the law.”
When Congress passed the Electronic Communications Privacy Act in 1986, “the big innovation was leaving a message on an answering machine,” said Rebecca Green, an expert in privacy and a professor in practice at the law school of the College of William & Mary in Williamsburg, Va. “The difference from then is striking.”
The ECPA focused on intercepting electronic communications. “The Fourth Amendment was traditionally tied to a person’s house,” Green said. “So courts had a difficult time accommodating new technologies for which physical space is largely irrelevant.”
Courts face difficulties in applying both the ECPA and the Fourth Amendment to cases involving technology. Where social media are concerned, “there is a question of what is ‘communication,’” Green said. “Cases are all over the place about what a communication is. Text messages are a communication, but ECPA has all these obsolete terms, so [in one recent case, the parties] had to put [all the technology terms] in boxes set up in 1986.”
“The Privacy Act requires agencies to specify their purposes [in collecting data],” Wilshusen said. In some cases, agencies may identify a purpose and then add “and other purposes,” which Wilshusen said is “overly broad.”
The E-Government Act of 2002 (which includes FISMA), though mainly focused on threats and cybersecurity, “requires a privacy impact assessment (PIA),” Wilshusen said. “Agencies should assess privacy risks and identify and set up controls before they develop a system to collect data. They don’t always do that.”
Part of privacy law is establishing an effective mechanism for informing the public about the information being collected and how it’s being used. “Now, notices are made in the Federal Register,” Wilshusen said. “There are concerns about the public not being effectively informed by this method.”
Despite the relevant laws’ limitations, “agencies should continue to implement the provisions of the Privacy Act,” Wilshusen said. “That includes privacy impact assessments and systems of records notice: the information to be collected, how it will be used and for what purposes. All of it should be made known to the public.”
Not everyone agrees with the GAO recommendation. “The Electronic Communications Privacy Act seemed like a good idea in 1986,” Green said, “but it soon became obvious that it’s ridiculous for Congress to try to pass laws in this area because technology changes so fast. However, if we’re stuck with the 1986 law, then law enforcement has to guess how the courts will rule. Is it better to have the courts or the legislatures make the rules as technology evolves? Since 1986, the courts have been making the call.”
Some in Congress do think new laws are the answer. On August 12, Congressman Jerrold Nadler (D-NY), the ranking member of the House Judiciary Subcommittee on the Constitution, and Congressman John Conyers, ranking member of the House Judiciary Committee, introduced the Electronic Communications Privacy Act Modernization Act of 2012.
In a written statement prepared for Breaking Gov, Nadler, the lead sponsor of the bill, said, “There is no question that we must update our electronic privacy laws for the new age we live in. Our legislation would remove any legal disarray or confusion on the matter and create a single due process standard for government access to materials stored by covered entities in the cloud, on laptops, and on other devices, requiring search warrants based on probable cause. Making these clarifications will both protect consumers from unwarranted invasion of privacy and ensure that industry stakeholders are able to adequately apply the law.”
Until this bill becomes law or other remedies emerge, Wilshusen says agencies that need help with clarifying and implementing privacy laws can turn to OMB and the National Institute of Standards and Technology. For agency executives, the Privacy Committee of the Federal Chief Information Officers Council may also be a resource.