How Did Private Companies Become The Guardians Of Our Online Privacy?

U.S. government surveillance of email, search and other online activities is on the rise, while laws protecting people's privacy remain murky. As a result, private Internet and communications service providers - and even apps makers - have become the gatekeepers of our personal data and our first line of defense against government prying.

By The Numbers

The unwanted role forced onto private companies was highlighted this week in Google's latest report on the number of requests for user information it receives from government entities in the U.S. and other countries. The U.S. led the world in asking Google to hand over user data, with 7,969 requests in the first half of this year.

That number has been rising steadily since the last half of 2009, which is the period covered in Google's first Transparency Report. Back then, U.S. law enforcement and other government officials made fewer than half as many requests.

The rest of the world is following close behind. Worldwide, Google received 20,938 inquiries from government entities, compared to 12,539 in 2009. “This is the sixth time we've released this data, and one trend has become clear: Government surveillance is on the rise,” said Dorothy Chou, Google's senior policy analyst, in the company's blog.

Eroding Privacy Protections

While U.S. government's thirst for online information about its citizens is increasing, privacy protections are weakening as a result of Congress’ failure to update the Electronic Communications Privacy Act (ECPA), created more than 25 years ago to set standards for law enforcement access to electronic communications and associated data.

The digital world is vastly different than it was when the ECPA was passed, so the act has become a “patchwork of confusing standards that have been interpreted inconsistently by the courts,” according to Digital Due Process, a coalition of privacy advocates, think tanks and major companies lobbying for major changes in the ECPA. Member companies include Apple, Amazon, AT&T, Facebook, Google and Microsoft.

Without clear legal standards, companies like Google and others must rely on their own lawyers to decide whether law enforcement is acting within its authority or in violation of people’s privacy rights.

Placing private companies in the role of privacy protector is unfair to the companies involved - which typically want nothing to do with the issue - and to the individuals involved, who find themselves at the whim of how a particular company interprets its legal and practical responsibilites to balance privacy protection with government cooperation.

Privacy protection rightly belongs to Congress. “The burden shouldn’t really be on the companies,” said Jim Dempsey, vice president of public policy for the Center For Democracy and Technology, which is also a member of Digital Due Process.

Murky Laws = Inconsistent Protections

One area where federal law is particularly fuzzy is in government access to the content of people’s calendars, email and other content stored online - in the news in the wake of the General Petraeus scandal. Federal prosecutors take the position that need only issue a subpoena for law enforcement to access most online content. Google and other large companies routinely fight such attempts, unless prosecutors obtain a court warrant.

“To its credit, Google demands a warrant for access to content,” Dempsey noted. “If the government tries to get it without a warrant, Google fights back, and a lot of the other big providers fight back. Where the smaller guys stand, it varies all over the board.”

Without explicit checks and balances from lawmakers, online privacy rights in the U.S. start with the resources and the will of the company that happens to hold the online data in question. For law enforcement, it’s an ongoing battle during investigations into what may be serious crimes, such as terrorism, fraud and child pornography.

It's Even Worse Overseas

The U.S. is hardly alone in aggressively seeking customer data from service providers. Five of the top 10 countries requesting data from Google are in Europe, including France, Germany, Italy, Spain and the United Kingdom. "The laws in other countries are equally as weak as the laws in the United States, if not weaker," Dempsey warned.

In countries such as China, meanwhile, the New York Times reported Tuesday that authorities are putting increasing pressure on "private" Internet companies not just to share customer data, but to censor Web content as well.

What other countries choose to do is hardly an excuse for U.S. lawmakers to stick with the clearly unacceptable status quo. It’s time for Congress to take the lead in protecting the online privacy of American citizens.