There has been an ongoing discussion about how privacy rights can be eroded because laws do not anticipate changing technology. The most prominent example is the Electronic Communications Privacy Act, which was passed in 1986 and remains mired in the technology of that time, which did not include cloud computing, location tracking via always-on mobile devices and other current technology that can reveal our most personal information. (The World Wide Web was invented three years later, in 1989.)
While ECPA includes protection for email and voicemail communications, the 180-day rule is archaic as applied to how the technology is used today. (The rule is: If the email or voicemail message is unopened and has been in storage for 180 days or less, the government must obtain a search warrant. If the message is opened or has been stored unopened for more than 180 days, the government can access your message via a special court order or subpoena.) Thirty-two years ago, people had to download their email to their computers; the download would trigger an automatic deletion of the content from the provider’s servers. The government could not subpoena an Internet Service Provider (ISP) for your email because it did not have them in 1986. Now, copies of your private email remain stored in the cloud for years by third-party service providers (Google, Facebook, Dropbox, etc.)
Privacy and civil liberty advocates have been trying for years to update ECPA. Last year, the U.S. House passed the Email Privacy Act, which would codify the rule set out in 2008’s Sixth Circuit case Warshak v. United States: The government must obtain a warrant before they could seek to compel an ISP or other service providers to hand over a person’s private messages. This year, the Email Privacy Act is part of the House version of the National Defense Authorization Act, a must-pass bill. But the Senate has its own version of the NDAA and it’s unknown whether the privacy legislation will be part of it.
ECPA shows how rapid changes to technology and their uses can hinder individual privacy rights. It is just one example of why privacy and civil liberty advocates seek strong protections for the content of personal data, no matter the form of its use.
But tech companies can also be nimble in their responses to tech-based privacy intrusions. For example, Apple this week announced two privacy-protective changes. First, it expanded a restriction (enabled by default) on USB access to iPhones and iPads in its upcoming iOS 12 software. In iOS 12, the device will disable USB access if it has been more than an hour since the iPhone or iPad was last unlocked. Why is this important? Because of USB devices such as the GrayKey box, which attempts to brute-force attack the iPhone’s passcode and unlock the phone. The passcode “gives the GrayKey operator full access to the device’s file system (messages, photos, call logs, browsing history, keychain and user passwords — everything),” reports ZDNet. GrayKey is marketed to law enforcement personnel but it could be used by others. The USB-access restriction would make it much harder to use a device such as the GrayKey box to break Apple’s security. (A version of USB-access restriction was first included in iOS 11.4.)
Second, in its upcoming macOS 10.14 release, Apple has improved its “Intelligent Tracking Prevention” privacy protections in its Safari web browser. (ITP was introduced last year and caused the ad industry to criticize the company.) Even when people use private-browsing or incognito modes, companies (online advertisers, service providers, others) still attempt to track individuals through browser fingerprinting for targeted behavioral advertising. Gizmodo explains: “Certain details about your computer and browser and plugins you use are transmitted automatically whenever you load a web page; a minuscule amount of data that, viewed in aggregate, forms a substantially unique ‘fingerprint.’ These fingerprints are one way that data companies can track you, even as you navigate across the web. And they can do it without the help of tracking cookies and without knowing your IP address.”
Gizmodo continues, “The trick, therefore, is to blend in. Your computer should appear no more unique than millions of other users, which is why Apple is promising to cough up only the most basic information to each website you visit websites using Safari—only general system settings and only built-in fonts, for starters.”
Companies such as Apple are fighting the ever-changing tech intrusions into privacy with their own vigorous security updates. It’s an important service that should be applauded while we continue to fight for legal protections for our personal data that are not vulnerable to technological shifts.