For most of us, e-mail has quickly become a part of our daily interaction with the world. And yet, in the course of our normal routine, we rarely give thought to the security of these transactions. When we call someone or send a postal letter, we are secure in our expectations of privacy. Yet, most people do not stop to consider whether their electronic communications are afforded the same level of protection. Do we have an expectation of privacy in our electronic communications? If so, is that expectation unfounded?
The law protects us to an extent, making it a federal offense to intercept or disclose the contents of electronic communications, either in the course of transmission or while in storage on a remote computer system. However, a number of uncertainties in the federal statute, widely known as the Electronic Communications Privacy Act, have not yet been hammered out by the courts. Who will be deemed to be a electronic service provider? Under what conditions may a service provider tap into your electronic communications? Under what terms will you be considered to have consented to the interception of your email?
Technological protections, such as encryption technology, are available, but they are also restrained by the law. As encryption technology grows stronger, the government grows more concerned about their inability to "tap" such communications and the ability of organized crime rings, drug traffickers and terrorist organizations to communicate undetected over the borderless realm of cyberspace. To this end, the U.S. government has placed a number of export controls on strong encryption technologies. The SAFE Act, in its latest form, which recently passed the House of Representatives, has several major provisions which enhance consumer privacy and reduce export controls.
The SAFE Act seems to address some of the major issues in email tapping as well as encryption, by setting a minimum to the standard required by law enforcement in order to invade privacy, and limiting their technical ability to do so. However, the harm it would do to law enforcement is unclear. It would be extremely difficult to accurately determine empirically how often encryption interferes with law enforcement since law enforcement may not be aware of many of those occurrences.
What do you think US policy on exporting encryption programs should be? What about law enforcement and private access "keys" and encrypted emails? What standard of cause or suspicion should be necessary to infringe on privacy interests? Should we be more worried about a potential terrorist's communication going undetected in cyberspace or about the security of our own online transactions? If people shouldn't have a reasonable expectation of privacy in their email, should they be afforded this expectation when they employ encryption technology to safeguard their messages?
As you go through the readings, think about these questions and what your model policies would be notwithstanding the current law.
First, however, please read this week's hypothetical.