Three Shades of Privacy

The New York Times report on European regulators concerns over the E.U.-U.S. “Privacy Shield” Agreement came off quite critical. Mark Scott seemed to suggest that Europe cannot seem to decide what it wants – as if Europe, any more than the United States, is composed of a singular, unified block. Policy makers are not the same entity or thinking as regulators just as in the United States necessary distinctions exist between trade group associations and the Federal Trade Commission. But the more glaring misstep emerged internally from his own analysis. Based on the first couple of paragraphs I anticipated his critique to go off on how much more restrictive the E.U. is on consumer data privacy than is the U.S.  Not. The E.U. regulators focused on enduring concerns about U.S. government surveillance. 

And pray tell me, why not? What has changed since the disclosures of Edward Snowden?  Legislatively, not much. Last July, Congress passed the Freedom Act.  Its most remarkable feature was the modest restrictions that it placed on the bulk collection of data, a clear response to the collection of telephone metadata, a NSA practice revealed by Snowden and decried by the public. But what one hand of the Freedom Act gave, the other took away. Congress reinstated lapsing sunset provisions of the USA-Patriot Act – which if anyone were truly serious about reform, should have been allowed to lapse – and bolstered other controversial provisions such as roving wiretaps on “lone wolf” suspected terrorists. 

Let’s zoom out for a minute: that means that the Electronic Communications Privacy Act is still as fundamentally problematic at managing Fourth Amendment jurisprudence in electronic medium as it was before the Freedom Act. And nothing in this legislation touched the travesty that is the Foreign Intelligence Surveillance Act, the law that allows for the “secret courts.” The day after the implementation of the Freedom Act’s restriction on bulk collection in November of 2015 could have been the very day the FISA Court approved an order for a new round of collection. Who knows? That is the point of the travesty.  In a democratic republic, we should know.  And if the American public can’t put the feet of our Congress to the fire over these gross breaches of government surveillance, then I am glad that at least our brethren in Europe do. Mark Scott, get a grip.

A grip is what at least Microsoft is trying to do once again to confront the United States government over ECPA in its recent case filed in the Western District of Washington. From the New York Times article about it, here is an extended quote:

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

More than any of the other Big Five (Google, Facebook, Amazon, Apple and Microsoft), Microsoft has seriously challenged the government in the courts on electronic surveillance. This proactive case in the Washington federal court is a companion to the one in the Second Circuit that questions the Department of Justice overreach to demand consumer email in servers held outside of the United States without the benefit of clear law on that point. As I have argued previously, I support Microsoft in these efforts even as I did not Apple in the iPhone case. The difference lies between unsettled and settled law, respectively, and in a thoughtful, sound approach taken by Microsoft in contrast to the shooting from the hip, technology-centric tact taken by Apple. Whatever your views, these are very worthy topics for us to debate.

On that note, how about coming to the conference that Dan Solove and I run on matters of privacy this May 10 at George Washington University? The Higher Education Privacy Conference this year, admittedly more about information privacy than government surveillance, features a concentration on business intelligence, analytics, research data and cloud computing. 

But it may interest readers to know that Dan and I disagree about the iPhone case. A month or so ago, in a call supposed to be about planning for the conference, we had a fascinating conversation in which neither of us gave an inch!  So come learn about a wide range of information privacy issues, eminently useful in your jobs as privacy and security officers, faculty and institutional research. Meet with old colleagues and make new friends who face similar challenges. And in between the sessions, let’s continue to discuss various shades of privacy and how this issue shapes virtually every minutes of our lives both on and off the clock.