Four years ago, the U.S. House of Representatives passed a resolution declaring Jan. 28 “Data Privacy Day.” The resolution encouraged “state and local governments to observe the day with appropriate activities that promote awareness of data privacy.”
“Many individuals,” declared the resolution, “are unaware of data protection and privacy laws generally and of specific steps that can be taken to help protect the privacy of personal information online.”
A noble sentiment. But thanks for awareness-raising on this particular Data Privacy Day should probably be directed to the private sector, not the government. Namely, Google’s Transparency Report, which details exactly how many requests for user information are generated every six months by law enforcement agencies around the world. Between June and December 2012, the United States made 8,438 requests for information about 14,791 Google users. Overall, the amount of data requested by the government has been rising quickly — by more than 70 percent, reports Google, since 2009, when the House of Representatives went to such pains to tell us how “the Internet and the capabilities of modern technology cause data privacy issues to figure prominently in the lives of many people in the United States at work, in their interaction with government and public authorities, in the health field, in e-commerce transactions, and online generally.”
Google gets better marks from privacy activists than many of its peers for informing the general public about the sheer number of data requests generated by law enforcement, and more important, for taking a harder line against the government than one might expect in terms of what the company feels like it is legally required to divulge. For example, law enforcement agencies believe that, according to the Electronic Communications Privacy Act, they don’t need warrants to access the content of emails that are over six months old. Google’s lawyers, however, adhered to a higher standard, arguing that the Fourth Amendment’s protections against unreasonable search and seizure require a warrant. The conflict has yet to be tested in court.
Nevertheless, Google’s own records show that at least “some data” were produced in response to 88 percent of the U.S. government’s requests for information in the last six months of 2012. So law enforcement agencies are asking for more information and getting a lot of it. Happy Data Privacy Day.
Privacy activists are taking advantage of the holiday to call for a comprehensive updating of our nation’s privacy laws. Back when the Electronic Communications Privacy Act was passed, in 1986, there was no “cloud” storing our data and facilitating easy access to scads of personal information. Technology has moved on, but the laws haven’t.
ALCU privacy expert Christopher Soghoian noted earlier in January that outmoded laws mean that different modes of information transmission are treated differently. For example: There are different protections for information that is communicated via the Internet or by phone. The government must get a court order to find out whom you have been emailing, but not whom you have been phoning.
But texting is considered a phone service. So the government can find out whom and when you’ve been texting without a court order. That fact should be a wake-up call for a generation that has all but abandoned (or never even adopted) email in favor of texts as their primary mode of interpersonal electronic communication.
As our connected world evolves, it can get harder and harder to figure out what is protected and what isn’t. The law is miles behind the app economy.
What about a Facebook instant message sent from an app on a smartphone? Well, if the message is transmitted over the internet, from the user’s iPhone to Facebook’s servers, surely it should receive the higher protections for communications metadata, even if the iPhone and the internet connection used by the device are provided by a telephone company.
What if the SMS service on a smartphone isn’t provided by the wireless carrier, but rather, through a third party app? What if the SMS messages are transmitted over the internet to a third party’s servers (perhaps even the same third party that provides email and IM services) rather than servers provided by the wireless carrier? In such a scenario, are the text messages more like a telephone service, or an electronic communications service like email? Who knows?
Who knows, indeed? On Monday morning, Soghoian tweeted that his reading of Google’s Transparency Report confirmed his earlier analysis: “Google is turning over Google Voice call/SMS metadata with a mere subpoena.” No warrant required.
I suppose we should be thankful that we can learn at least that much from Google; such disclosures certainly adhere to the spirit of Data Privacy Day. But the more we know, the more we realize what we don’t know — and as we increasingly communicate with each other via mobile devices that store vast amounts of data about us in the cloud — where we are, whom we’re communicating with, what we’re shopping for, what kinds of interests we have — there’s really only one conclusion to make: the same government that has told us to celebrate Data Privacy Day for four years now is doing a piss-poor job of helping us protect that privacy.