"The Next Generation Communications Privacy Act"

Orin Kerr envisions what the ECPA should look like today:

Abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress repealed ECPA and enacted a new privacy statute to replace it.

The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for non-content records, and no attention to particularity or jurisdiction. Today's Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even United States-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes.

The Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for United States-based users and a permissive regime for users located abroad.

Posted on August 26, 2013 at 7:02 AM • 14 Comments

Comments

kashmarekAugust 26, 2013 7:18 AM

Call it what you want, but if such a thing as an NGCPA is put into law, it would likely fully authorize what the NSA is doing today, and perhaps even require everyone be online all the time (well, the computer at least) and allow invasive code to run on your computer and your computer resources to be used by others. Oh, and you pay for everything.

Clive RobinsonAugust 26, 2013 7:33 AM

The USG should be carefull what they do.

First off they would be advised to think "internationaly" before they think about their home market interests of big corp and LEOs and Intel organisations.

Because if they don't the little debacle at the ITU will look like polite pre-dinner chat compared to what will happen.

The rest of the world is very unhappy with the US and resent the 90-99% control they have on the Internet, and thus are looking for significant change.

More of the same "US Protectionism" will not go down well and that much vanted "Presidential Kill Switch" might just be found to actually be used the other way as European and other continents decide isolating the US to their own back yard would be more benificial not just politicaly but economicaly as well...

dbCooperAugust 26, 2013 11:07 AM

@ Clive:

By a number of measures the "big corp" you mention is in fact the USG, at least the executive and legislative branches.

Recent actions by a majority of members of the US Congress, defending the excesses of US TLA agencies, gives one pause in thinking the legislative branch will correct the issues you touched on.

Being an American citizen I hate to say it, but isolating us to our own back yard may yield the best results, as money and greed seem to be paramount in Washington DC these days.

kashmarekAugust 26, 2013 1:03 PM

@Snarki...

Duh, why didn't I think of that? I have used that reference many times and it was soooo obvious...

Ba HumbugAugust 26, 2013 2:00 PM

The biggest flaw in Kerr's paper is that it refused to propose any specific limitations on content retention. If the government, business, ISP, etc. can keep data forever then all the other restrictions are a paper tiger. We have statute of limitations for everything else and yet not statue of limitations for data retention.

Kerr is a smart man and knows this. The paper is not well-intentioned, IMO, and I'm disappointed that Bruce linked to it.

pointless_hackAugust 26, 2013 3:01 PM

Effective legislation will limit fishing expeditions. Snoopers and Spooks need accountability.

Too abstemious a policy hinders legitimate investigation; convenience will occasion license and abuse.

Legislatively, a speeding ticket has little deterrent effect on drivers en mass. However, individually, they have a cumulative effect. I have never been happy to get one, and I have never found the fine to be trivial. Nonetheless, Policemen have to be disciplined to write speeding tickets. It's unpopular.

At DHS, the prospect of writing a comparable instrument holds the specter of supermax.

How do human beings enforce that fairly?

EvilKiruAugust 26, 2013 3:20 PM

@Ba Humbug: Bruce links to things that are interesting to read. A link is not an endorsement. It's just a link. If the paper is not well-intentioned, then Bruce's link is likely to do more to expose that than anything else.

MarkAugust 26, 2013 5:23 PM

One obvious issue with the US vs rest of the world distinction is that not everyone in the US is a US citizen and not all US citizens are always in the US.
Someone who is actually in the US using a cellular data connection may be falsely identified as being "outside". Whereas someone who is outside but using a VPN or corporate network may be falsely identified as "inside".
There's even the issue of ships, planes and embassies (at least the latter don't tend to move.)
Would a Chinese passenger on a Canadian plane in US airspace be "inside" or "outside" the US? (What about a US plane in Canadian airspace...)

Dirk PraetAugust 26, 2013 7:01 PM

Maybe they could rename it to the "Protect Our Organisations From TERrorists" Act ?

And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for United States-based users and a permissive regime for users located abroad.

No, it shouldn't. Any nation that enacts law allowing for blanket spying on foreign countries and nationals is not a friend but a peeping Tom that can't be trusted in any way. I see no reason whatsoever to make a distinction between spying on Americans and spying on other people.

Eric SheltonAugust 26, 2013 9:23 PM

@Dirk

The international perspective is significant, as the NSA's vacuuming of international traffic with relish demonstrates disastrously bad international citizenship, and will engender mistrust of the US.

However, even for US citizens, we have already been shown that the territoriality approach becomes even worse when using the NSA "minimization procedures" approach. Under these procedures, everyone is by default non-US absent clear evidence, which does not appear to be particularly sought out. As a result, most US users are then subjected to the permissive regime.

HiTechHiTouchAugust 26, 2013 10:02 PM

"...hold top-secret or higher security clearances. That's far too many."

The clearances Confidential, Secret, Top Secret, etc. are only a measure of the screening done on the individual holder. Holding a "Top Secret" clearance doesn't give you access to anything -- it only enables you to be granted access to specific materials.

In other words, a holder has been validated against certain general criteria, such as drug use, relatives (potential hostages) in foreign countries, financially responsibility, etc.

You want people to have these "clearances" -- it means that they are not openly exposed to manipulation. Employers want and need these sort of qualified people.


To say there are far too many cleared employees is to say there are too many good employees.


Now if you want to discuss the number of people allowed to see specific materials, then you may argue that an access list is too long. But having a Secret clearance doesn't put you on any access list for any specific sensitive materials, so you can't count Secret clearances to see how long the access list is.

FigureitoutAugust 27, 2013 12:28 AM

You want people to have these "clearances" -- it means that they are not openly exposed to manipulation. Employers want and need these sort of qualified people.
HiTechHiTouch
--Have you ever considered that maybe these persons are buying into the current plutocracy and thus they are in fact way more exposed and falling victim to "manipulation". Ok, they can live on their own finances, what happens when the entire currency becomes worthless?

Basing the worth of an employee on these areas alone may not take into consideration the employee's capability to engage in higher level thinking and having a truly innovative mindset. They go along w/ the flow and they will be an average employee and thus give average results and returns on your investments.

name.withheld.for.obvious.reasonsAugust 27, 2013 3:31 AM

@ Dirk Praet

Great name for a communications system...something you can really get behind!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..