Saturday, July 30, 2011

Summary of HR 1981, Data Retention Mandate Bill, 7/12/2011.

Source: Tech Law Journal

Background on ECPA and SCA: The Electronic Communications Privacy Act (ECPA), which was enacted in 1986, includes the Stored Communications Act (SCA). The Congress has amended various parts of the ECPA since 1986, but the ECPA has not kept pace with technological changes. The terms used in the ECPA were included in 1986 based upon the drafters' understanding of technologies that existed in 1986. Law enforcement agents and prosecutors now rely on these 1986 terms when dealing with new technologies not foreseen when the ECPA was drafted.

The data retention provisions of HR 1981 contain amendments to the SCA. This bill does nothing to address the underlying obsolescence of the ECPA. It adds to the foundation of the ECPA, without clarifying what that foundation means in the context of new technologies developed since 1986, or in the context of the new mandates that would be imposed by this bill.

In March of 2010 a coalition named Digital Due Process (DDP) announced a set of four principles which the DDP members argue should be incorporated into the federal statutes that regulate government searches and seizures of stored communications and data. These DDP principles state, for example, that the "government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online" and it "should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device".

HR 1981 would provide that "No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for retaining records or providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter."

Similarly, HR 1981 would also provide that "A good faith reliance on (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703(f) or the requirement to retain records under section 2703(h) of this title) ... is a complete defense to any civil or criminal action brought under this chapter or any other law."

These are inducements to service providers to diligently retain data, and to follow instructions from the DOJ. They are also an inducement to support this bill, because they could immunize service providers from a broad range of claims. For example, if this bill were enacted, a service provider retained data, a hacker accessed that data, and injured subscribers sued the service provider, the service provider would assert this immunity provision as a defense. Just as this bill builds onto the ECPA without addressing the obsolescence of the ECPA, it imposes broad data retention mandates without addressing data security or privacy.

This is a Suspicious News Brief. Read more at the Tech Law Journal.