H:\Joint testimony - PA SB 518 and PEAC.docx
Joint Testimony of:
William Ashworth – Yahoo
Daniel Sachs – Facebook
Steve DelBianco – NetChoice
June 16, 2015
Senate Judiciary Committee
Regarding SB 518, An Act to Amend Title 20 - Fiduciary Access To Digital Assets
Good morning, Chairman Greenleaf, Chairman Leach and members of the committee:
We want to thank you for allowing us the opportunity to appear before you today to outline our concerns with SB 518, dealing with fiduciary access to digital assets. Bills similar to this one have failed to pass in any of the 30 states where they were introduced this year. We respectfully ask that if you decide to move forward with SB 518, you replace the bill with alternative language that will work better for Pennsylvania residents and the businesses serving them. Let us explain why.
While well intentioned, SB 518 could cause more harm than good by seeking to make a decedent’s private communications public, by default.
In general, our concerns about SB 518 are the following, which are outlined further below:
• Conflicts with the existing federal privacy law.
• Fails to account for the unique nature of digital stored content.
• Creates acute privacy concerns for decedents and for third parties with whom the decedent communicated.
• By use of the term “access,” it suggests that a personal representative can log in to an account belonging to a deceased person.
• Creates potential for serious confusion by using the term “digital asset.”
• Raises legal and privacy concerns by forcing providers to treat a personal representative the same way as the deceased account holder.
• Seeks to fundamentally reshape relationships between businesses and consumers by striking terms of service and choice of law provisions that govern those relationships.
• Increases the risks of cyber security malfeasance by forcing exposure of more information than necessary.
• Gives personal representatives “control” of “digital assets” that were never under the “control” of the deceased user in the same way.
• Does not require a court to find that the request for information is narrowly tailored and actually needed for the settlement of the estate.
• Does not require a court to verify that the deceased person was actually the holder of an account requested by a personal representative.
• Fails to provide custodians with a means to challenge or quash orders on the grounds that compliance is unduly burdensome.
• Disregards user choices about treatment of their accounts when they die.
For all these reasons, the approach in SB 518 is opposed by our companies and by privacy advocates such as the ACLU, Center for Democracy and Technology, and Electronic Frontier Foundation.
SB 518 creates confusion and potential liability for violating privacy protections granted by federal law
The federal Electronic Communications Privacy Act (ECPA) (18 U.S.C. 2702) creates a strict bar against disclosure of the contents of communications without the express consent of one of the parties to the communication. In addition to its criminal provisions, ECPA contains a private right of action through which any person aggrieved by an unlawful disclosure can bring suit against a provider.
While the federal law creates a default rule of “private unless permission is granted for disclosure,” SB 518 creates an almost entirely opposite rule. Under SB 518, electronic communications content must be disclosed regardless of whether a court has determined a party’s consent was obtained. As such, providers will be forced to reject requests from estates under this law – unless a party has consented to the disclosure. This is well established from many perspectives:
• The California Court of Appeals recently reviewed three decades of caselaw and explained that “the lawful consent exception to the prohibitions of the Act . . . is not satisfied by consent that is merely constructive, implied in law, or otherwise imputed to the user by a court.” See Negro v. Superior Court of Santa Clara County, 230 Cal. App. 4th 879 (2014).
• The United States Department of Justice Prosecuting Cyber Crimes manual explains to DOJ attorneys that consent to disclosure of communications under ECPA must be actual and not constructive.
• Even the American College of Trust and Estate Counsel has written to Congress saying “the privacy protections of the ECPA are an obstacle for fiduciaries needing access to the contents of a person’s electronic communications stored in online accounts. The potential civil damages have created a significant chilling effect on providers when dealing with fiduciaries requesting the contents of a person’s electronic communications.”
By neglecting the consent requirements of federal law, SB 518 will create needless confusion and expense for estates, providers, and the Pennsylvania courts.
In addition, the bill fails to take into consideration the privacy of third parties whose personal information may have been included in communications with the decedent. For example, consider the situation of a public official who routinely communicates through email with his or her sponsor in Alcoholics Anonymous or any other support group. Under SB 518, when the sponsor passes away, the highly personal contents of those emails would be disclosed to the fiduciary, compromising the personal details of the public official.
Obtaining a court order could help address federal privacy law requirements. However, SB 518 fails to create a pathway for providers to obtain a court order based on a finding that a party has indeed consented and disclosure is permitted under ECPA. The federal law grants providers immunity for disclosures in good faith compliance with court orders, so ensuring providers can rely on such orders to the extent they disclose contents is necessary to comply with federal law.
SB 518 also invalidates default privacy agreements between consumers and service providers. However, some consumers sign up for particular social media accounts or email services because of policies that delete all content upon death or a specified period of inactivity. Given the wide variety of choices available to consumers, including new tools to provide users with granular “afterlife” choices for their social media accounts, legislation should not disregard these choices and preferences.
Because of these legal and privacy issues, not one of the 30 states that considered the approach of SB 518 has passed the legislation this year.
SB 518 should be amended to match the PEAC Act - an alternative that has the support of Privacy Groups and Industry.
Instead of heading down this path, we advocate replacing SB 518 with the Privacy Expectation Afterlife and Choices (PEAC) Act (attached and available at NetChoice.org/PEAC).
The PEAC Act would achieve the goals of SB 518 without overriding the deceased’s privacy choices and expectations.
Privacy advocates such as the ACLU, EFF, and CDT, together with industry, created the PEAC Act. Moreover, the PEAC Act is now law in Virginia and is moving through the California legislature.
Under the PEAC Act:
• Privacy expectations, statements in a will, and settings chosen by users would remain after the user dies. Unauthorized fiduciaries may not read private communications, since privacy choices in life continue after death.
• Fiduciaries can see the banks, investment managers, and accountants with whom the deceased corresponded. This lets fiduciaries identify important interactions and contact those institutions as part of settling the estate.
• Fiduciaries can see the contents of communications only when the deceased expressly allowed it in their will, or when there is some other evidence of user consent. If the deceased allowed disclosure of these communications, then service providers must comply, subject to verification.
It’s not just our view that the PEAC Act is the correct approach; it’s also what Pennsylvanians believe. The national polling firm Zogby Analytics surveyed adults across age, demographics, and political spectrums on this issue. Zogby’s poll (available at NetChoice.org/Afterlife) found:
By nearly 5-to-1, Americans oppose disclosure by default. Over 70% of Americans say their private online communications and photos should remain private after they die, unless they gave prior consent for others to access.
Just 15% said an estate attorney should make the decision about sharing their private communications and photos.
For these reasons, we oppose SB 518 as drafted. We remain hopeful that we can work with all stakeholders on an approach that helps citizens choose their afterlife privacy while allowing the fiduciary to wrap up the estate and comply with federal law.
Additional Concerns with SB 518
• We have concerns about language regarding “access” as it creates confusion as to whether a personal representative can log in to an account belonging to a deceased person. Moreover, for privacy and safety purposes, such access should never be required by law. Instead, we propose a model based on disclosure of, rather than access to, account information. However, we do not intend to preclude providers from offering such access should they so choose.
• We have concerns about the potential for serious confusion caused by the term “digital asset.” Many pieces of information that are stored by providers are not the “assets” of an account holder. However, recognizing that even if electronic communications contents and records are not “assets,” they may still be helpful in settling estates, we offer a pathway for disclosure of such information whether or not it is an “asset” of the decedent.
• We have concerns that the bill would require providers to treat a personal representative the same way as the deceased account holder. This may be contrary to service agreements and providers may not be able to do so without unlawfully disclosing the contents of electronic communications. The law should also preserve the right of providers to decide who can access their systems and services.
• The bill seeks to fundamentally reshape relationships between businesses and consumers by striking terms of service and choice of law provisions that govern those relationships. Altering terms of service is not necessary to compel disclosure of information to fiduciaries. Instead of drastically reshaping these relationships, we propose a different approach that would respect existing business relationships but would not permit service agreements, by themselves, to bar the disclosure of information needed to settle estates.
• We have concerns that the bill is overbroad in its efforts to compel access to tangible personal property of companies or persons other than the deceased user. This could create very serious privacy and cybersecurity risks.
• We have concerns about provisions giving personal representatives “control” of “digital assets” that were never under the “control” of the deceased user in the same way.
• We have concerns that the bill does not require a court to find that the request for information is narrowly tailored and actually needed for the settlement of the estate. This is a tremendously important part of our proposal that will serve to limit unreasonable and burdensome requests on providers and limit privacy-intrusive requests for information about online dating sites, domestic violence forums, and other sensitive personal communications unrelated to estate settlement.
• We have concerns that the bill does not require a court to verify that the deceased person was actually the account holder. This is a needed privacy protection as many accounts are opened anonymously or under pseudonyms and the provider may have no way to verify the account holder’s identity.
• We have concerns that the bill would impose unwarranted burdens on providers by failing to provide providers with a means to challenge or quash orders on the grounds that compliance is unduly burdensome. Our proposal mitigates these serious due process concerns.
• Many companies have offered users choices about treatment of their accounts when they die. This bill would disregard those choices. Our approach would honor them.
Privacy Expectation Afterlife and Choices (PEAC) Act
Section 1:
As used in this Act, the following definitions shall apply:
(a) “Asset” means anything of financial value that is part of the estate of the decedent.
(b) “Authorized user” or “user” means a person or entity who has lawfully obtained credentials to access an account with an electronic communication service in a manner consistent with the terms of service that apply to that account.
(c) “Contents” means information concerning the substance, purport, or meaning of communications and includes the subject line of the communication.
(d) “Electronic communication” means a transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature that is transmitted, in whole or in part, by a wire, radio, electromagnetic, or photooptical system that affects interstate or foreign commerce. “Electronic communication” does not include any of the following:
(1) Wire or oral communication.
(2) Communication made through a tone-only paging device.
(3) Communication from a tracking device.
(4) Electronic funds transfer information stored by a financial institution in a communication system used for the electronic storage and transfer of funds.
(e) “Electronic communication service” means a service that provides to users the ability to send or receive wire or electronic communication.
(f) “Electronic communications system” means a wire, radio, electromagnetic, photooptical, or photoelectronic facility for the transmission of wire or electronic communications and any computer facilities or related electronic equipment for the electronic storage of those communications.
(g) “Provider” means an electronic communication service or remote computing service.
(h) “Record” means a record regarding a communication sent or received by a subscriber or user of an electronic communication service or remote computing service, including, but not limited to, account logs that record account usage, cell-site data for mobile telecommunications calls, and online addresses of other individuals with whom the account holder has communicated.
(i) “Remote computing service” means providing computer storage or processing services to the public by means of an electronic communications system.
Section 2:
(a) A probate court that has jurisdiction of the estate of the deceased user may order a provider to disclose to the executor or administrator of the estate a record or other information pertaining to the account of the deceased user that is in electronic storage with the provider, but not the contents of communications or stored contents, if the court makes all of the following findings of facts based upon a sworn declaration of the personal representative or other admissible evidence:
(1) The user is deceased.
(2) The deceased user was the subscriber to or customer of the provider.
(3) The account belonging to the deceased user has been identified with specificity, including a unique identifier assigned by the provider.
(4) There are no other owners of, or persons or entities who have registered with the provider with respect to, the deceased user’s account.
(5) Disclosure is not in violation of another applicable federal or state law.
(6) The request for disclosure is narrowly tailored to the purpose of administering the estate.
(7) The executor or administrator demonstrates a good faith belief that the information requested is relevant to resolve issues regarding assets or liabilities of the estate.
(8) The request seeks information spanning no more than 18 months prior to the date of death, or the requester has made a request for information that specifically requests data older than 18 months prior to the date of death.
(9) The request is not in conflict with the deceased user’s will or other written, electronic, or oral expression of the deceased user’s intent regarding access to or disposition of information contained in or regarding the user’s account.
(b) A probate court that has jurisdiction of the estate of the deceased user may order a provider to disclose to the executor or administrator of the estate the contents of communications or stored contents, if the court makes all of the following findings of facts based upon a sworn declaration of the personal representative or other admissible evidence:
(1) The will of the decedent, or a choice made by the deceased user within the product or service or otherwise regarding how the user’s contents can be treated after a set period of inactivity after the user’s death, or other event evidences the decedent’s express consent to the disclosure of the requested contents.
(2) The findings required by paragraphs (1) to (8), inclusive, of subdivision (a).
(c) Except as provided in subdivision (d), a provider shall disclose to the executor or administrator of the estate the contents of the deceased user’s account, to the extent reasonably available, only if the executor or administrator gives the provider all of the following:
(1) A written request for the contents of the deceased user’s account.
(2) A copy of the death certificate of the deceased user.
(3) An order of the probate court with jurisdiction over the estate of the deceased that includes all of the findings required in subdivision (b).
(4) An order that the estate shall first indemnify the provider from any and all liability in complying with the order.
(d) A provider served with an order compelling disclosure of subscriber deceased user records or contents pursuant to this section may make a motion to quash or modify the order within a reasonable time after receiving the order. The court shall do any of the following:
(1) Modify the order to the extent that the court finds that compliance with the order would cause an undue burden on the provider, or quash the order if the court finds that the order cannot be modified so as to avoid the undue burden. However, a cost that the requester offers to pay pursuant to subdivision (e) shall not be considered when a court is making a determination whether the request constitutes an undue burden.
(2) Quash the order if any of the applicable requirements of subdivision (a) or (b) are not met.
(3) Quash the order if the court finds, based upon the preponderance of the evidence submitted by the provider or any other person, that any of the circumstances set forth in Section 3 apply.
(e) A provider may require the requester to pay the direct costs of producing a copy of the record or other information pertaining to the account of the deceased, when those records are not already available for production during the ordinary course of business.
Section 3:
A provider shall not be compelled to disclose a record or the contents of communications if any of the following apply:
(a) The deceased user expressed an intent to disallow disclosure through either deletion of the records or contents during the user’s lifetime, or an affirmative indication, through a setting within the product or service, of how the user’s records or the content of communications can be treated after a set period of inactivity or other event.
(b) The provider is aware of any indication of lawful access to the account after the date of the deceased user’s death or that the account is not that of the deceased user.
(c) Disclosure would violate other applicable law, including, but not limited to, electronic communications privacy provisions or copyright law.
Section 4:
(a) Disclosure of the contents of the deceased user’s account to the executor or administrator of the estate shall be subject to the same license, restrictions, terms of service, and legal obligations, including copyright law, that applied to the deceased user.
(b) Nothing in this Act shall be construed to require a requesting party to assume control of a deceased user’s account.
Section 5:
A provider shall not be held liable for compliance in good faith with a court order issued pursuant to this Act.