Wired recently reported on a search warrant the FBI served on Google last year to retrieve documents stored on the Google Docs "cloud" word-processing service, in an investigation of a company named Pulse Marketing. The company allegedly sent millions of spam emails promoting and offering to sell acai berry, and had established a system to create multiple Yahoo and Gmail email addresses to send the spam. The search warrant came to light when the FBI applied for a search warrant to examine the Yahoo email accounts.
The investigation focuses on whether the company violated 18 U.S.C. § 1037, which prohibits using false information to create multiple fake domains or email addresses, and using those domains and addresses to send out multiple commercial email messages. Another provision, the federal CAN-SPAM Act, 15 U.S.C. § 7701, et seq., places restrictions and requirements on sending commercial emails.
Service of subpoenas and search warrants on email providers are now routine, but the Google Docs warrant appears to be the first in which the information sought resided in documents stored in "the cloud," a short-hand term for creating, editing and storing files online, rather than on an individual users' computers.
The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit. But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.
As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit." This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required? Under what circumstances can service providers voluntarily cooperate with law enforcement?
The FBI bypassed some of the more prickly procedural questions in gaining access to Pulse Marketing's Google Docs because it obtained a search warrant, which requires approval by a court upon a showing of probable cause.
In response to some of the concerns outlined above, in March 2010 a coalition of privacy groups, think tanks, technology companies, and academics launched the "Digital Due Process" campaign to update ECPA. The group explains its goals as follows:
ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today's digital communication services may no longer be adequately protected. . . . The time for an update to the ECPA is now.
Towards this end, the group has created a list of principles for revision of the law:
- Technology and Platform Neutrality;
- Assurance of Law Enforcement Access;
- Equality Between Transit and Storage;
- Simplicity and Clarity; and
- Recognition of All Existing Exceptions.
CMLP applauds the Digital Due Process coalition's effort to "balance the law enforcement interests of the government, the privacy interests of users, and the interests of communications service providers in certainty, efficiency and public confidence."