Are Cloud-based HIEs Subject to Twitter-Google-Facebook-like Subpoenas?

Are Cloud-based HIEs Subject to Twitter-Google-Facebook-like Subpoenas?

In a recent New York Times article, Google, Twitter and other internet companies raise concerns regarding the wave of requests they receive for customer data from law enforcement agencies. Last year, Google counted more than 4,200 such requests in the first half of 2010.  Other internet and telecommunications companies, like Twitter and Facebook, are also feeling inundated with such requests for information. The NYT articles reports that Verizon told Congress in 2007 that it received some 90,000 such requests each year, and Facebook told Newsweek in 2009 that subpoenas and other orders were arriving at the company at a rate of 10 to 20 a day. 

These companies and others are saying that the main law governing communication privacy — the Electronic Communications Privacy Act of 1986 (ECPA) — is outdated, and affords more protection to letters in a file cabinet than personal information maintained on a server. The current ECPA does not explicitly afford protections for the vast majority of private content stored on the Internet, allowing law enforcement agencies to obtain a person’s online data with a simple subpoena from a prosecutor. This weak level of protection has created tension between privacy advocates and law enforcement agencies that consider internet data to be a valuable source of crucial information.  In fact, Google, along with other Internet companies such as Verizon, Facebook, and Twitter, have increasingly been targeted by law enfo­rcement for personal data information.

Unlike Twitter, whose policy is to notify users before releasing personal information, most Internet companies are not required to provide users with any notice, and law enforcement officials can even demand that requests be sealed from targets of investigation. Since there are no straightforward standards in the ECPA governing Internet information, courts in different jurisdictions have interpreted them differently and created a piecemeal collection of rules. Under the ECPA, emails can be accessed by the government without a warrant under certain storage conditions or after a certain amount of time has passed.

According to the Center for Democracy and Technology’s (CDT) Digital Due Process coalition, the current rules are inadequate and do not meet the Fourth Amendment’s due process clause. In December 2010, two federal appeals court decisions supported CDT’s stance, ruling that the ECPA standards for government surveillance have not kept up with technological progress and do not meet Constitutional standards. Over the past year, the CDT, along with privacy advocates, legal scholars, and major telecommunications service providers, have developed a set of standards under which they believe the ECPA should be updated. The ACLU has also created proposals designed to simplify, clarify, and strengthen the ECPA:

1. Robustly Protect All Personal Electronic Information. Current loopholes in our privacy laws need to be closed to protect electronic information without regard to its age, whether it is “content” or “transactional” in nature, or whether an online service provider has access to it to deliver services.
2. Safeguard Location Information. The law should require government officials to obtain a warrant based on probable cause before allowing access to location information transmitted through cell phones, which 82% of Americans own.
3. Institute Appropriate Oversight and Reporting Requirements. To ensure adequate oversight by Congress and adequate transparency to the public, existing reporting requirements for wiretap orders must be extended to all types of law enforcement surveillance requests.
4. Require a Suppression Remedy. If a law enforcement official obtains non-electronic information illegally, that information usually can’t be used in a court of law. The same rule, however, doesn’t apply to illegally-obtained electronic information. Such a rule only encourages government overreaching and must be changed to require a judge to bar the use of such unlawfully obtained information in court proceedings.
5. Craft Reasonable Exceptions. Currently ECPA sometimes allows access to the content of communications without a true emergency, without informed consent and without prompt notice to the subject. ECPA must be amended on each of these fronts if electronic records are to receive the protections Americans need.

For now, it is up to Congress to decide whether to not to adopt these proposed updates and negotiate the critical balance between the protection of personal expectation of privacy and the government’s need to protect the public.  However, for RHIOs, HIOs, and software vendors offering PHR and HIE solutions via the internet, the impact of the ECPA should be evaluated as well, particularly with respect to whether data maintained in internet-based HIE repositories may be subject to disclosure pursuant to this federal law.

Prepared with assistance from Melody Hsiou, MPH Columbia University, J.D. expected from Seton Hall Unversity 2013.