Posted by Mike Hintze
Associate General Counsel
Last week, Microsoft General Counsel Brad Smith and I testified in Congressional hearings on the need to reform the Electronic Communication Privacy Act (ECPA).
In our testimony, we explained how the statute has failed to keep up with advances in technology. When it was enacted in 1986, ECPA established the standards under which law enforcement can compel service providers to disclose customer content and account information, and in doing so, struck a balance between the legitimate needs of law enforcement and the public’s reasonable expectations of privacy. But with the rapid growth in cloud computing, the balance Congress struck in 1986 has fallen out of alignment. With dramatically more data now being stored in cloud-based services for longer periods of time, more and more user data is being put within the reach of law enforcement tools that require a lower burden of proof.
In both hearings, there was general agreement among the panelists that ECPA has failed to keep up with current technologies and that Congressional action can bring needed clarity and other improvements. Representatives of law enforcement understandably raised concerns that reforms could go too far and hamper the ability of the government to fight high tech crime and protect the nation’s critical infrastructure from cyber attacks. Industry representatives stressed the many economic and societal benefits of cloud computing and pointed out that unless user privacy is adequately protected, these benefits may not be fully realized. All the panelists agreed that there needs to be a balance, and that Congress should play a role in determining what that balance should look like today, just as it did in 1986.
As a leading provider of cloud-based services for consumers and enterprises, Microsoft is acutely aware of the importance our customers place on ensuring that the privacy and security of their confidential data is protected. Many of our customers are concerned that moving their data from their desktop PCs and on-premise servers to the cloud could result in a reduction of their privacy protections. We share that concern; that is why we are a member of the Digital Due Process coalition, and support the coalition principles that would update ECPA to restore the balance Congress struck nearly a quarter century ago. We urge Congress to revisit ECPA and ensure that users do not suffer a decrease in their privacy protections when they move their data to the cloud.
Of course, users of cloud services are not just concerned about the privacy and security of their data vis-à-vis the government, but also with respect to service providers and other third parties. Further, the importance of protecting privacy and security also extends beyond the United States and can be impacted by the laws of other governments. To address these concerns, Microsoft has also proposed that Congress consider comprehensive legislation that advances privacy and security in the context of cloud computing and, in turn, helps to further promote confidence in the cloud.
We are encouraged that both the Senate and House have held hearings on ECPA reform for the era of cloud computing, and these hearing have included testimony from a broad range of stakeholders. Clearly, these hearings are the beginning stages of a discussion among all stakeholders about how best to protect privacy and security in the cloud, and we look forward to working with Congress, law enforcement, consumer groups and others on these important topics.
Posted by Mike Hintze