Legislators tilt at the digital privacy windmill (again).

In the effort to preserve individual privacy in the digital age, hope springs eternal.

The latest endeavor to protect individuals’ privacy in the digital era is legislation introduced this week in the U.S. Senate that would require law enforcement and government authorities to obtain a warrant before accessing the digital communications of U.S. citizens.

Known as the ECPA Modernization Act of 2017, it is bipartisan legislation introduced by two senators known for being polar opposites on the political spectrum: Sen. Patrick Leahy (D-VT) on the left and Sen. Mike Lee (R-UT) on the right.

At present, only a subpoena is required for the government to gain full access to Americans’ e-mails that a over 180 days old. The new ECPA legislation would mean that access couldn’t be granted without showing probable cause, along with obtaining a judge’s signature.

The ECPA Modernization Act would also require a warrant for accessing geo-location data, while setting new limits on metadata collection. If the government did access cloud content without a warrant, the new legislation would make that data inadmissible in a court of law.

There’s no question that the original ECPA (Electronic Communications Privacy Act) legislation, enacted in 1986, is woefully out of date. After all, it stems from a time before the modern Internet.

It’s almost quaint to realize that the old ECPA legislation defines any e-mail older than 180 days as “abandoned” — and thereby accessible to government officials.  After all, we now live in an age when many residents keep the same e-mail address far longer than their home address.

The fact is, many individuals have come to rely on technology companies to store their e-mails, social media posts, blog posts, text messages, photos and other documents — and to do it for an indefinite period of time. It’s perceived as “safer” than keeping the information on a personal computer that might someday malfunction for any number of reasons.

Several important privacy advocacy groups are hailing the proposed legislation and urging its passage – among them the Center for Democracy & Technology and the Electronic Frontier Foundation.

Sophia Cope, an attorney at EFF, notes that the type of information individuals have entrusted to technology companies isn’t very secure at all. “Many users do not realize that an e-mail stored on a Google or Microsoft service has less protection than a letter sitting in a desk drawer at home,” Cope maintains.

“Users often can’t control how and when their whereabouts are being tracked by technology,” she adds.

The Senate legislation is also supported by the likes of Google, Amazon, Facebook and Twitter.

All of which makes it surprising that this type of legislation – different versions of which have been introduced in the U.S. Senate every year since 2013 – has had such trouble gaining traction.

The reasons for prior-year failure are many and varied – and quite revealing in terms of illuminating how crafting legislation is akin to sausage-making.  Which is to say, not very pretty.  But this year, the odds look more favorable than ever before.

Two questions remain on the table: First, will the legislation pass?  And second, will it really make a difference in terms of protecting the privacy of Americans?

Any readers with particular opinions are encouraged to weigh in.

Memo to web users with “Do Not Track” enabled: You’re being tracked anyway.

do not trackFor anyone who thinks he or she is circumventing web tracking via enabling Do Not Track (DNT) functionality … think again.

A recently released study from researchers at KU Leuven-iMinds, a Dutch-based university think tank, shows that nearly 150 of the world’s leading websites have ditched tracking cookies in favor of “device fingerprinting” (or “browser fingerprinting” as it’s sometimes called).

What’s that?  It’s the practice of evaluating selected properties of desktop computers, tablets and smartphone to build a unique user identifier.  These properties include seemingly innocuous details found on each device, such as:

  • Versions of installed software and plugins
  • Screen size
  • A listing of installed fonts

An analysis by the Electronic Frontier Foundation (EFF) has shown that for the majority of browsers, the combination of these properties creates a unique ID – thereby allowing a user to be tracked without the perpetrator needing to rely on cookies — or having to deal with pesky legal restrictions pertaining to the restriction of cookies’ use.

Overwhelmingly, browser fingerprinting targets popular and commonly used JavaScript or Flash functions, so that nearly every person who accesses the web is a target – without their knowledge or consent.

According to the Leuven-iMinds analysis, the use of JavaScript-based fingerprinting allows websites to track non-Flash mobile phones and devices.  So it’s cold comfort thinking that the iPad platform will offer protection against this form of “non-cookie tracking.”

Is there anything good about device fingerprinting?  Perhaps … in that it can be used for some justifiable security-related activities such as protection against account hijacking, fraud detection, plus anti-bot and anti-scraping services.

But the accompanying bad news is this:  It can also be used for analytics and marketing purposes via the fingerprinting scripts hidden behind banner advertising.

How to fight back, if one is so-inclined?  The Leuven-iMinds researchers have developed a free tool that analyzes websites for suspicious scripts.  Known as FPDetective, it’s being made available to other researchers to conduct their own investigations.

So you’re able to identify the offenders.  But then what — short of never visiting their websites again?