By: Tiffany Sommadossi
Unsurprisingly, 57% of adults in a recent survey conducted by the Pew Research Center feel insecure sending private information by e-mail. Most Americans may trace their insecurities about data protection to the Snowden disclosures, but since then many have failed to pay attention to the impact outdated statutes, like the Electronic Communications Privacy Act (ECPA), can have on how their information is accessed by the government. Resisting ECPA reform is not to anyone’s advantage – it contributes to confusing jurisprudence and most of all, it leaves us with an illogical patchwork of protection for our electronic communications.
Among other things, ECPA, a 28-year old law, governs how law enforcement accesses mobile-phone data, e-mail, and other electronic communications. Documents stored on the cloud, e-mails older than 180 days, mobile-phone location data, and arguably all opened e-mails are not protected by the warrant requirement laid out in the Store Communications Act (SCA) of ECPA. For instance, law enforcement has to get a warrant to get stored e-mails from someone’s computer, but ECPA allows law enforcement to access, without a warrant, the exact same e-mails when they’re stored with service providers.
There has been call for ECPA reform since as early as 1998. One of the strongest proponents for reform, Senator Patrick Leahy, has stated that ECPA is “outdated from both a national security point of view and from a privacy point of view.” Some hope that Congress will use the lame-duck session to make ECPA reform a reality. Two ECPA bills, the Electronic Communications Privacy Act Amendments Act, S. 607, and the Email Privacy Act, H.R. 1852, both received broad bipartisan support. The House bill has over 270 cosponsors. Both bills suggest almost identical amendments to how electronic communications can be disclosed to law enforcement. The ECPA Amendments Act focuses on heralding in a uniform warrant requirement for all content, regardless of how old the requested e-mails are or whether they’ve been opened. The bill arguable takes the Sixth Circuit’s position in United States v. Warshak, that the Fourth Amendment protects all e-mail, whether it’s five days or five years old.
Part of the problem with ECPA is that it does not accurately take into account how we use data services like e-mail and cloud computing today. Therefore it can’t begin to provide us with the protections we may want. Many criticize ECPA and other technology-affected statutes as being outdated because they don’t incorporate new technologies. However, the problem seems more to be that they don’t reflect how people use technology. Although e-mail has existed since the early 90’s, the way in which we use e-mail to communicate has drastically changed. Using e-mail today is more akin to relying on first-class mail to securely transport all private communications pre-internet.
Also, now we distinguish between the non-content and the content of our communications. In both ECPA reform bills, an administrative subpoena can compel the disclosure of names, addresses, telephone records, and source of payment for the provider’s service (including credit card or bank account number). E-mail subject lines and location data are also non-content. The bills do little to provide the same protections to both the non-content and the content of our communications. Again, this highlights how policymakers are not focusing on how we use technology. Since inboxes are inundated with e-mails on a daily basis, many put revealing details in subject lines or send quick notes in subject lines (rather than put the message in the body of the e-mail). Even as we adopt new ways to use the same technology we risk making laws outdated.
Courts have also found ECPA to be problematic. For instance, the statute has left courts unsure about when to let law enforcement have access to stored location data. The majority of courts have decided that a search warrant is needed, as is the case for real-time cell phone tracking, but this ambiguity in the law unintentionally leaves some Americans with more data protection than others. Even more, the Sixth Circuit—Warshak—is the only federal appellate court thus far to hold that the Constitution protects stored e-mails; most other courts have afforded varying levels of protection depending on whether the e-mail is in transit or in storage.
ECPA further shows its age with respect to extraterritoriality. In the current age where data is stored all over the world, law enforcement should have clear guidelines in how far it can reach to access data. For the first time ever, an American court is deciding whether the U.S. government can assert a right to electronic data stored by a U.S. provider thousands of miles away in a foreign country. The government tried to make Microsoft comply with a request to hand over copies of e-mails stored in its data center in Ireland, but the company refused, arguing that e-mails stored abroad are beyond the reach of the U.S. government under the SCA. Litigation ensued. The government insists that a subpoena can be used to compel the disclosure of opened e-mails, regardless of how old they are. In other words, the government is arguing that it can obtain non-content and content communications without a warrant depending on the age of the e-mail. The SCA does require the government to get some level of authorization before the government can obtain the content of stored communications more than 180 days old—older e-mails can be sought using a subpoena, a court order issued under 18 U.S.C. § 2703(d), or a warrant.
One of the criticisms of allowing a subpoena, with no probable cause requirement, to compel the disclosure of content is that it’d contradict Warshak. Some contend that the court in Warshak held that a warrant is needed to get the content of all e-mails. But do telecommunication companies remove themselves from the protection of Warshak by storing data in overseas data centers? The government does not think there’s much of an extraterritorial question here because when e-mails stored abroad are handed over by a U.S. provider to U.S. government officials in the U.S., then no search or seizure has occurred abroad, and thus no statute has been applied extraterritorially. Also, the government has argued that an ECPA warrant is a hybrid between a subpoena and a warrant, so the location of a warrant recipient is all that matters—as with a subpoena—for purposes of section 2703(a).
Civil liberty groups have applauded ECPA reform as a leap forward in strengthening privacy protections. Yet, the fact remains that in embracing easier and more efficient forms of communications we have relinquished a great deal of control over “our” information and information about us. Our current digital age is driven by the mobility of information, but our laws make us vulnerable when we embrace that mobility. However, the problem is less that that our laws can’t keep up with our ability to constantly invent new technologies, and more that the law will not keep up with our morphing technological behaviors. It would probably take a miracle for an ECPA reform bill to get enacted during the lame-duck session, considering the surprising recent defeat of another privacy bill, the USA Freedom Act. But legislative reforms are needed to guide a national rethinking of what constitutes an invasion of privacy in the digital age.