The National Security Agency (“NSA”) has been under fire since The Guardian and the Washington Post revealed that it has been gathering information on individual users from the central servers of nine leading U.S. internet companies. The revelation came after government whistleblower Edward Snowden leaked a 41-slide PowerPoint presentation, classified as top secret, which was apparently used in training on the program’s capabilities. While many details of the program are still unknown, the PowerPoint states that PRISM enables “collecting directly from the services” of Microsoft, Yahoo, Google, Facebook and other online companies. Such access is governed by Section 702 of the Foreign Intelligence Surveillance Act (FISA), enacted in 2008, which (according to this Statement from the Director of National Intelligence) is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. The same statement points out that Section 702 was recently reauthorized by Congress after extensive hearings and debates.
According to this Washington Post article, Google, Yahoo, Facebook, and Microsoft have all released statements flatly denying any participation in the NSA’s data collection program. Whether or not the companies willfully provided information to the NSA, the current data sharing controversy – combined with recent increases in litigation regarding the sharing of private information by large technology-based companies – raises the question of how much privacy individuals can expect to have when communicating online.
The Electronic Communications Privacy Act of 1986 (ECPA) is intended to address such privacy concerns regarding email, telephone conversations and electronically stored data. However, the protections afforded to consumers under the ECPA are limited. For example, the ECPA’s prohibition on the interception, use, disclosure or procurement of any other person to “intercept or endeavor to intercept any wire, oral, or electronic communication” does not apply to any person authorized to conduct electronic surveillance under FISA. Given the vast changes in the use of the internet as a medium for communication and commerce most commentators (the ACLU, for example) agree significant revisions are necessary for the ECPA to provide any real protection to internet users.
While the NSA scandal has brought heightened attention to the government’s use of individual’s internet data, general concerns over internet privacy have long been a hot legal topic. In recent years, lawsuits involving data collection and privacy issues (often in the form of class actions) have been brought against almost every major corporation with a significant internet business. For example, a 2012 lawsuit alleged that Apple collected and reported iPhone users’ geographic locations- even after the geo-location feature of the devices had been turned off – without the users’ knowledge or consent. Similarly, Netflix recently faced allegations that it illegally retained and shared the viewing history and personal information of former customers after the individuals had canceled their Netflix subscriptions. Recently, a federal district court allowed a massive class action against internet traffic and web advertising measurement company comScore to proceed past the class certification stage.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.