In the US, a recent bill that included amendments to the Video Privacy Protection Act (VPPA) has caused considerable controversy among privacy advocates. While some are worried about what is in the bill, the bigger problem is what it leaves out.
Under the VPPA, disclosure of video rental history previously required “the informed, written consent of the consumer given at the time the disclosure is sought.” This provision, in effect, required written consent for each act of disclosure. Moreover, the statute did not specify that consent could be provided by electronic means. While non-video related services like Spotify were free to integrate their services with social media sites such as Facebook, the law puts companies such as Netflix at a disadvantage by making it impractical for users to share their viewing habits online. Amendments to the VPPA addressed this discrepancy by permitting users to give consent via electronic means at any time, as opposed to when disclosure is sought. In other words, one can sign a blanket form expressing consent for future disclosure.
Although some privacy advocates are cautious about these changes, they are extremely concerned with what the legislation leaves out. Originally, amendments to the VPPA were part of a larger reform package that also included amendments to the Electronic Communications Privacy Act (ECPA). As it currently stands, the ECPA permits law enforcement agencies to obtain remotely stored e-mails and location data that are over 180 days old without a search warrant. Instead of a warrant, which requires judicial authorization based on probable cause, law enforcement agencies can request production of private data on the basis of an administrative subpoena; subpoenas do not require judicial authorization and can be issued on the grounds that information is “relevant” to an investigation. Changes to the ECPA, approved by the Senate Judiciary Committee last year, would have abandoned this standard in favour of a general search warrant requirement. Alas, the reform package was signed into law, but the proposed ECPA reform was axed at the last minute due to opposition from law enforcement. Privacy advocates are especially concerned about the outcome because, as the Google Transparency Report shows, law enforcement agencies are increasingly relying on administrative subpoenas when requesting user data.
The entire reform package was subject to extensive judicial hearings and a number of parties have testified before the committee. The discussion surrounding the status of the ECPA shows privacy to be key rhetorical battleground for three broad classes of interests: individuals, industry, and law enforcement.
Groups concerned with privacy and civil liberties rely heavily on the notion of technological neutrality and argue that the right to due process and reasonable expectations of privacy exist regardless of the form of communication. Why should, goes the argument, an email, stored locally in digital or physical format, have different protections than one stored remotely? James Dempsey, the Vice President for Public Policy for Democracy & Technology, in his testimony to the Senate Judiciary Committee, drew a parallel with how courts, faced with new technology and social realities, have struggled with privacy issues. In Olmstead v. United States, 277 U.S. 438, the court held that telephone conversations were not protected by the Fourth Amendment. However, in dissent, Justice Brandeis invoked the principle of technological neutrality to argue that there are no essential differences between a private letter and a phone conversation that could support different privacy standards. Similarly, as we have grown accustomed to storing our private information online for indefinite periods of time, it makes little sense to base privacy standards on the length of time an email has been stored in our inbox. In other words, technological and social realities change our understanding of what constitutes a reasonable expectation of privacy.
Industry representatives have also been vocal in their support for ECPA reform. From their perspective, inconsistent privacy standards make it difficult for businesses to comply with the law and it discourages innovation because consumers are hesitant to adopt new technology at the expense of privacy.
Not surprisingly, ECPA reforms were met with significant resistance from the law enforcement community. In his testimony, James Baker, Associate Deputy Attorney General United States Department Of Justice, placed great emphasis on public safety and expediency, arguing that where time is of the essence, the ECPA is a valuable tool. In addition, it was argued that the ECPA is used extensively in combating privacy-related crimes, such as identity theft.
Evidently, in the digital age, privacy interests have become increasingly difficult to define and circumscribe. For one, rapid adoption of new technologies and the changing nature of how we interact with each other challenge our traditional understanding of what constitutes reasonable expectation of privacy and the role of privacy in commercial activity. Moreover, as technology provides more efficient methods of committing and investigating unlawful activity, arguments based on technological neutrality may seem less persuasive than arguments based on expediency and public safety. This state of affairs makes it exceedingly difficult for politicians to reach a compromise that would be sensible from political, legal, social and economic points of view. Whether such a compromise can be reached remains to be seen, but at least for now, US lawmakers seem content with preserving the status quo in favour of law enforcement.
Anatoly Zhitnik is a JD Candidate at Osgoode Hall Law School.