Why Can’t Web Services Compete To Protect My Data From The Feds?
The most depressing tech-policy news I’ve seen in a while arrived at a conference Tuesday; the best news I’ve heard in a while came in a news item Wednesday.
The bad tidings came in a panel discussion with the aggressively-alliterated title “Post-Petraeus: Privacy, Passion, Probable Cause?” at the State of the Net Conference. I expected this chat to focus on the odds of (overdue) reform of the Electronic Communications Privacy Act, but instead it turned to how this law plays out in practice.
Google’s Richard Salgado, who directs law enforcement and information security, noted that the company often works with law enforcement to narrow its requests for information. That invited a couple of follow-ups: Do other Web services without Google’s clout do the same thing? And just how broad are these requests?
Answers to those came soon enough. Kevin Bankston, senior counsel for Center for Democracy & Technology, said the most common type of e-mail request amounts to “Give us everything you can.”
Julian Sanchez, a Cato Institute research fellow, talked about the “overproduction” of information by companies served with National Security Letters from the government.
And Salgado noted the sloppiness of some law-enforcement data requests: “I can’t tell you how many subpoenas we get for Facebook.”
(You can listen to the audio of the panel here.)
This shouldn’t be news, but the laws are never enforced or obeyed only by people who actually know what they mean.
What can we do about that? Companies with more experience and better legal resources could set a better example. But they need to remember to brag appropriately too.
That’s where this week’s good news came in: the report, in a story Wednesday by Ars Technica’s Cyrus Farivar, that Google requires a search warrant before disclosing any Gmail content to law enforcement.
That’s great news, except it’s not actually news: In an e-mail Wednesday, Google spokesman Chris Gaither said the company has insisted on warrants for e-mail searches since 2010, when the United States Court of Appeals for the Sixth Circuit held that the Fourth Amendment’s right against self-incrimination outweighed ECPA’s text.
(Earlier that year, Google joined other tech firms in founding the Digital Due Process Coalition to push for ECPA reform.)
Somehow, Google had not thought to make this a selling point until Monday, when it updated its annual Transparency Report with a new “Legal Process” page that details what it requires before turning over data about a Gmail, YouTube, Google Voice or Blogger account. But that company is not alone in leaving this sales pitch on the table.
I e-mailed Yahoo to see if it had adopted or had considered adopting a similar policy. Spokeswoman Sara Gorman wrote back affirmatively: “In the case of email and IM communications, we require a search warrant based on the requirements of the Fourth Amendment to the Constitution.”
Microsoft, too, says it requires a warrant. The one exception, as relayed by spokeswoman Tara Smith: “unless there is a risk to life or serious physical injury, in which case the company may disclose content necessary to thwart the emergency.”
I realize that many Internet users don’t ever think they’ll do anything to interest the law enforcement community. (Ever notice how many tech columnists never thought to mention this issue until the Petraeus scandal broke?) But many of the curious, tinkering types who will try out a new Web service do care, and some of them might offer advice to their friends.
So would any of these companies asking me to trade my personal information for free services online like to compete by talking about how they won’t hand that data over when somebody with a badge asks nicely? Or do we have to get a warrant to discover their answers?