Why ECPA Should Make You Think Twice about the Cloud

Unless Congress updates ECPA privacy rules, you might not want your data in the cloud.

By Tony Bradley, PC World |  Software, privacy issues

The Digital Due Process coalition is pushing Congress to modernize privacy laws in the United States. The coalition--composed of technology companies and special interest groups, including Microsoft, Google, EFF (Electronic Frontier Foundation), ACLU (American Civil Liberties Union), eBay, and others--feels that existing privacy regulations do not adequately protect data in the digital era and could stop businesses from embracing cloud computing.

It seems like vendors can't develop a new product or offer a new service these days without tacking the word "cloud" onto it. There are major players--like Microsoft, Amazon, and Google--backing the move to cloud-based services, and businesses are rushing to capitalize on the operational and financial benefits offered by cloud computing. However, businesses need to consider whether existing privacy law adequately protects data in the cloud.

Privacy of electronic data is essentially governed by the Electronic Communications Privacy Act (ECPA), which was enacted in 1986. While it may have been a cutting-edge statute at the time, things have changed. The Digital Due Process site says "Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986--light years ago in Internet time."

The site goes on to explain "As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today's digital communication services may no longer be adequately protected."

E-mail is one example of how ECPA hasn't kept up. Under ECPA rules, any e-mail left on a server for more than 180 days is considered abandoned and can be accessed by law enforcement without a warrant or probable cause. That may have made sense in 1986, when e-mail was almost always downloaded and didn't sit idly on servers, but with Gmail, Yahoo Mail, and other Web-based e-mail services providing gigabytes of storage space, users now leave e-mail on cloud-based servers indefinitely.

The Digital Due Process coalition is united in pursuing the following principles:


Originally published on PC World.