Debate heats up over police access to data in the cloud

Law enforcement officials told Congress on Thursday that restricting data in the cloud from surveillance would jeopardize public safety.

Authorities "must have reasonably expeditious access to stored information that may constitute evidence of a crime committed, or about to be committed, regardless of the technology platform on which it resides or is transferred," said Kurt F. Schmid, executive director of the Chicago High-Intensity Drug Trafficking Area, which is part of the Office of National Drug Control Policy. "Without these constitutionally tested authorities, the safety of the public is put at significant risk." Schmid testified at a hearing of the House Constitution, Civil Rights and Civil Liberties Subcommittee.

His warning comes at a time when the House and Senate are considering updating the 1986 Electronic Communications Privacy Act, which extends wiretapping restrictions to electronic communications such as e-mails. The current law protects communications from interception by law enforcement only when they are stored on computers, not when they are stored on the Internet.

Lawmakers argue the rise of Web mail and other cloud computing services -- applications third-parties provide to users online and on-demand -- has created uncertainty and confusion among law enforcement, the business community and U.S. consumers about the privacy of Web-based transactions. Justice Department officials contend that before the advent of the cloud, the law helped authorities find drug traffickers, child predators, terrorists and other criminals. Privacy advocates say it now fails to adequately protect huge amounts of personal information.

At the hearing, Schmid said as more people migrate from desktops to smart phones for computing and communications, traditional data retention guidelines under the 24-year-old law do not apply. "This data retention gap has manifested itself as the end of a trail of electronic evidence in major criminal investigations," he said.

Thomas Hurbanek, senior investigator for the New York State Police computer crime unit, raised similar concerns about the legislation. "The combination of cloud computing technologies described here could create an environment where entire segments of business activity could be conducted outside of the reach of law enforcement," he said.

Hurbanek cited a recent case in which law enforcement officials were investigating a business' offices and discovered there were no financial records stored on-site. All records were maintained and processed on offshore servers, and accountants for the business accessed a small number of records from a different location to prepare tax returns, he explained.

"We are rapidly moving to an environment where software applications run on virtual computers and servers that can instantly be deleted and restarted ... removing traces of data," Hurbanek said. "Data will also be stored outside of this country and not only in jurisdictions that have a friendly relationship with the United States."

Cloud computing providers stressed that law enforcement should be required to go through the process of obtaining a search warrant to access content stored on their systems. Paul Misener, vice president for global public policy at Amazon.com, which operates the official stimulus-tracking website Recovery.gov, said, "just as obtaining content out of a person's desk drawer would" require a warrant, any amendments to the law should mandate that authorities need a search warrant for accessing the cloud.

Likewise, David Schellhase, general counsel for Salesforce.com, a longtime government customer, said, "In order to build public confidence in cloud computing, the rules for government access to data held in the cloud should be the same as for data held on premise."

One reason is foreign customers want assurances that the U.S. government will not seize their data without deliberate due process, he said. "At Salesforce.com, we face this issue on a regular basis, principally from customers who have often expressed their belief that the current regulatory framework permits the U.S. government overly broad access to data stored in the cloud," Schellhase noted. "We need to have clear laws that prove this belief incorrect."

Some experts on the law said Congress should think about the impact of changes to the ECPA on technological innovation. "If user data stored in the cloud is not subject to appropriate protections from unauthorized access, trust in cloud computing could be undermined," said Kevin Werbach, legal studies professor at the University of Pennsylvania's Wharton School. "In considering ECPA reform, this committee should consider not only the appropriate balance between the needs of law enforcement and protection of civil liberties, but also the effects of its decisions on the health of the Internet ecosystem."

On Wednesday, the full Senate Judiciary Committee held a similar hearing on how to update the law so that it keeps pace with changing technologies.