Microsoft Backs Digital Due Process Initiative

Microsoft this week joined a coalition to encourage Congress to update the Electronic Communications Privacy Act.

The Digital Due Process (DDP) coalition -- an organization consisting of technology companies, civil rights organizations and academics -- maintains that the 24-year-old law has failed to keep up with changes in technology. In particular, the group wants to ensure that data associated with cloud computing services receive the same level of privacy protections as data stored on PCs in homes.

The DDP coalition includes Microsoft, Google, Intel and other industry leaders -- as well as privacy and civil rights groups, such as the American Civil Liberties Union (ACLU) and the Center for Democracy and Technology.

Mike Hintze, Microsoft associate general counsel, stressed the need for legal continuity as cloud computing comes to the fore.

"Citizens need government action to ensure that as more information moves from the desktop to the cloud, the country retains the traditional balance of privacy vis-à-vis the state," Hintze wrote in a blog post. "Many Americans take for granted the protections of the Bill of Rights that prevent the government from coming into people's homes without a valid search warrant. The rise of cloud computing should not diminish these privacy safeguards."

A Microsoft spokesperson said in an email interview, on behalf of Hintze, that the DDP initiative is urging Congress to restore clarity and balance to the law.

"When law enforcement officials seek data or files stored in the Internet 'cloud,' such as Web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data when stored on an individual's hard drive in his or her home or office," according to the spokesperson.

There have been few updates to the law, said Michelle Richardson, ACLU legislative counsel. "It's been stuck in 1986," she said in a phone interview. "It hasn't been kept up with the advances in technology -- it was written before the Internet, before cell phones, definitely before people could be tracked by cell phones."

The DDP was initiated by the Center for Democracy and Technology. Many of the participating groups issued announcements expressing their support. In short, the coalition supports the following principles:

  • Information, such as private communications, should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it.
  • The "building blocks" of criminal investigations would be maintained, including subpoenas, court orders, pen register orders, trap and trace orders, and warrants.
  • Information should be afforded the same level of protection whether it is in transit or in storage.
  • The content of communications should be protected by a court order based on probable cause, regardless of how old the communication is and whether it has been "opened" or not.
  • There should be clear and simple rules for all stakeholders, including service providers, users and government investigators.
  • Exceptions will be left in place if already written into the Electronic Communications Privacy Act, such as provisions allowing disclosures to the government without court orders in emergency cases.

There were some issues that were not addressed in the DDP's announcement, Richardson said, calling it a starting point for discussion. In particular, it does not address the lack of clarity about how the government obtains social networking data and other sensitive information.

"We need to have that discussion, about putting special protection in," she said. "It tells so much about your personal life, what Web sites you visit, who you associate with, videos that you watch -- there needs to be discussion about these sensitive records." She added that "we went with what organizations could sign off on. It's unusual to get this strange bedfellow situation. It speaks to the value of this proposal."

Microsoft has sought federal laws on privacy "that would set a common baseline standard for private sector activities," according to the spokesperson. "With the DDP announcement today, Microsoft is on record as also supporting strong and consistent rules around government access to data as well."

It's a business issue -- and not just for Microsoft. In the blog posting, Hintze cited a Microsoft-commissioned survey that found 90 percent of the general population and senior business leaders were concerned about the privacy and security of their personal data in the cloud.

It's also an international issue when considering where a company is based versus where its data are stored. Microsoft and other cloud computing service providers could face major business expenses should European and other countries pass laws mandating local data storage.

"Many of the benefits of cloud computing, such as efficiency and reliability, can be best achieved through a number of regional data centers and the ability for data to cross borders," according to the Microsoft spokesperson. "The proliferation of local-storage mandates could significantly increase the cost of providing cloud services, and many of the benefits may be diminished."

European privacy laws describe a common standard applicable to all entities that collect and process personal data. However, Microsoft isn't following that approach with regard to the DDP initiative.

"While [Microsoft] favors a comprehensive approach, we believe it's important that a U.S. privacy law reflect U.S. legal tradition and be responsive to the needs and expectation of U.S. consumers."

The chairmen of both the U.S. House and Senate Judiciary Committees issued statements that they will support considerations to update digital privacy law.

Sen. Patrick Leahy, D-Vt., issued a statement that he plans to hold hearings on "much-needed updates" in coming months. "While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated," according to the statement.

"As technology moves forward, it is clearly necessary for industry, as well as all Americans, to adjust and clarify the law," Rep. John Conyers, D-Mich., said in a news release, cited in the Washington Post.

Despite congressional support, there may be some resistance. "It will make it more difficult for [law enforcement] to get more sensitive information, so, we'll expect some pushback," Richardson said.

Was the 1986 law shortsighted? Richardson doesn't think so. "I can't imagine how they would foresee the creation of the Internet in 1986," she said. "There was no way for Congress to foresee that."

To address new technologies going forward, the proposal is tech neutral. "It doesn't change the standard based on the medium," she said. "It changes the standard based on the nature."
