Updating the Privacy Protection Act for the Digital Era

Law protecting journalists from searches didn’t anticipate cloud computing

Cloud computing is all the rage.

Traditionally, people had to store, manage and process data on a personal computer or local server. Cloud computing moves those functions to a remote server accessible from multiple locations. In turn, the cloud provider assumes the job of maintaining and backing up the data, and often it spreads the workload across a number of remote servers to maximize efficiency.

Even if you aren’t familiar with the term, if you’re using any one of dozens of popular online services to store your data, then you’re in the cloud. Among others, I’ve used Google Docs to exchange story drafts, Dropbox to store interview transcripts, Flickr to store photos, and Google Calendar to manage my schedule.

The benefits are significant. By storing things in the cloud, I can access them anywhere on any device. I don’t need to copy data from one laptop to the other, and I don’t need to conduct any sort of sync operation. That helps me work efficiently while on the move, because all I need is an Internet connection and one device.

I’m careful, though, not to keep anything sensitive in the cloud that might compromise a source. And that’s not only because of the technical risk that someone might access my data without my knowledge, but also because the legal protections for journalists using the cloud is, well, cloudy. Congress should clear the air by updating the Privacy Protection Act of 1980 (PPA), which protects journalists generally from government searches and seizures.

Some journalists have been early adopters of cloud technology. Take just two examples involving Amazon’s Elastic Compute Cloud (EC2) service. It makes web-scale computing easier for developers.

In 2008, during the Democratic primary race, an engineer at The Washington Post used the EC2 to process Hillary Clinton’s official schedule as first lady. Released by the National Archives as a non-searchable PDF, it covered eight years and totaled 17,481 pages. The newspaper used the service to convert the PDF to a usable, searchable text, all within the same news cycle, for less than $150.

In 2009, New York Times reporter Charles Duhigg began using the EC2 to store the 200 million data records he used in his “Toxic Waters” series. The investigation explored the failures of the Clean Water Act and the Safe Drinking Water Act, and the cloud allowed the newspaper to build a computerized database to guide Duhigg’s prize-winning reporting.

For more than thirty years, the PPA has empowered journalists to protect documents and work product related to their reporting. But what would happen if the government went after the records Duhigg used in the “Toxic Waters” series? To what extent would the law protect those cloud-based records from compelled disclosure?

Quite simply, it’s unclear whether the things journalists store in the cloud enjoy the same legal protection as the things they store on personal computers, on local servers, and in desk drawers.

Digital Due Process, a coalition of privacy groups, companies, and think tanks, has been lobbying Congress to amend online privacy laws. By expanding the protections of the Electronic Communications Privacy Act, which sets general standards for law-enforcement access to online data, the reforms would benefit journalists incidentally.

But they wouldn’t afford journalists the kind of safeguards they’ve come to expect from the PPA, which explicitly protects journalists from newsroom, computer, and other searches. It applies to all kinds of law-enforcement officers, and it prohibits the use of a search warrant to obtain materials from people engaged in First Amendment activities. Instead, the PPA requires the government to get a subpoena, giving the journalist a chance to challenge it in court.

The PPA states that with a few exceptions, “it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize … any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication,” or any “documentary materials possessed by a person in connection with” such a purpose.

So the PPA divides materials into two categories: “work product” and “documentary.” The former includes materials “prepared, produced, authored, or created” for dissemination to the public, like story drafts and outtakes. The latter includes “materials upon which information is recorded,” like photographs and videotapes.

The PPA was passed in 1980, when the Internet consisted of a few thousand computers—14 years before Amazon was founded, 18 years before Google was founded. It was last amended in 1996, and it has not entered the cloud-computing era. In fact, it’s not even clear the PPA has entered the Internet era.

The statute has generated little case law, and it doesn’t explicitly cover journalists publishing at online-only outlets. Many commentators have argued that it does, citing the clause “other similar form of public communication.” But the only case to present that issue to a court failed to resolve it: Steve Jackson Games, Inc. v. United States Secret Service, decided in 1994 by the U.S. Court of Appeals for the Fifth Circuit.

In that case, the Secret Service searched the offices of a computer bulletin board operator and seized computers, disks, and other materials. While the court held that the agents violated the PPA, it based its holding on the fact that the company also published books and magazines, which are explicitly covered by the PPA. The statute should be amended to cover—explicitly—people who use the Internet to communicate with the public.

The cloud raises other PPA questions, too. The act’s protection is countenanced in terms of possession, rather than, say, location. So who “possesses” the stuff in the cloud? There’s no case law directly on point, but it seems logical that if a journalist stored a document in the cloud, then the document would be hers. The cloud would act as a digital desk drawer, and the presence of the cloud provider—a mere intermediary, without control of the document’s content—would not destroy the journalist’s possession.

Plus, making a general claim that people don’t possess things in the cloud could put the government in a strange position. Consider this hypothetical: in one case, prosecutors want to argue that a journalist doesn’t possess a story draft in the cloud, and in a different case prosecutors want to nail someone for possessing child pornography in the cloud.

For these reasons, the PPA should be amended to protect—in terms of possession—the data that journalists and other public communicators store online. But if Congress decides that users don’t “possess” their cloud-based data, in turn allowing the government to request the data from the provider, then the PPA should be amended to require the government to give notice to journalists before doing so. That would give them a chance to challenge the subpoena—and to sue for damages if the government failed to give notice. Also, to address any concerns the government might have about a provider destroying or withholding evidence after receiving a subpoena, the statute could make it absolutely clear that the provider would be required to preserve the data pending the outcome of the challenge.

The cloud might never be the best place for journalists to store sensitive information, because of technical security risks. But for non-sensitive information, at least, it’s going to play an increasingly important role at news organizations. It wouldn’t make sense for the PPA to protect journalists who use local computer servers but not journalists who use the cloud. In short, the PPA needs to keep up by acknowledging changes in technology and the reality that today many people, including journalists, create and store things online. We no longer live in the 1980-world where the PPA was passed. It needs to enter the digital era.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Jonathan Peters is CJR's press freedom correspondent. An attorney, he is an assistant professor of journalism at the University of Kansas, where he teaches and researches media law and policy, with an affiliate research position exploring big data and Internet governance in the KU Information & Telecommunication Technology Center. Peters has blogged on free expression for the Harvard Law & Policy Review, and he has written for Esquire, The Atlantic, Sports Illustrated, Slate, The Nation, Wired, and PBS. Follow him on Twitter @jonathanwpeters. Tags: ,