By Daniel J. Solove
Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.
This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think that in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.
Congress has failed to keep ECPA up to date. The result is that ECPA contains inadequate protections for electronic data. The statute was written in a way that was too tightly linked to the technology at the time, creating massive complexity and confusion when ECPA is applied to the technologies of today.
Law enforcement has exploited the weaknesses, ambiguities, and gaps that emerge when ECPA encounters modern technologies. The result is that people have lost confidence that their electronic data is sufficiently protected. Other countries have lost confidence in the adequacy of U.S. law in protecting such data. This has disastrous consequences, inhibiting people from using effective new technologies and hurting our technology industry.
ECPA reform is desperately needed.
Major Problems with ECPA
ECPA consists of three acts – the Wiretap Act, the Stored Communications Act, and the Pen Register Act. Collectively, these three acts provide the rules that govern electronic surveillance. There are other laws too, plus state electronic surveillance laws, but ECPA is the centerpiece.
ECPA provides the baseline of protection for the electronic surveillance of many types of communication as well as many types of digital data. ECPA serves as an essential supplement to the Fourth Amendment to the U.S. Constitution, which safeguards freedom from government overreaching in searching, monitoring, and information gathering.
There are several problems with ECPA that must be fixed. Here are just a few:
1. ECPA fails to adequately protect electronic data.
Electronic data under ECPA often is treated as a second-class citizen. ECPA has the strongest protection against when information is “intercepted” while in transmission. This occurs when phone calls are wiretapped. But data is different because it can readily be accessed when stored in a computer somewhere rather than when in transmission. The result is that a phone call is protected much more than an email.
To make matters worse, ECPA was drafted long before most people used Cloud computing and Web mail. The focus was on email that people downloaded to their computers from their Internet Service Providers, like AOL.
So people would dial in through a modem and download their messages onto their own computers. Most people stored their documents only on their computers – on floppy disks. In 1986, the 3.5 inch floppy disk was just introduced, boasting a whopping 1.44 MB of storage.
ECPA doesn’t make sense for the way people use email and store documents today. These days, people use Web mail. Emails are stored remotely and are retained there long after they are read. ECPA doesn’t say much about how email is protected after it is read. Under an interpretation of ECPA that the DOJ has advanced for years, after being read, an email in webmail is just a file stored by a third party, obtainable by a mere subpoena and given hardly any protection.
There should be more consistent protection for our communications and data. It shouldn’t matter whether we speak on the phone or send an email. It shouldn’t matter whether we keep our data stored on our home computer or on third party’s computer.
As Brad Smith (President & Chief Legal Officer of Microsoft) notes: “A survey of U.S. voters we conducted last summer found that 86 percent believe in the same protections for digital information as information on paper.”
2. ECPA fails to sufficiently protect third party storage of data.
ECPA emerged after a few cases by the U.S. Supreme Court in the 1970s that held that data stored with third parties doesn’t receive Fourth Amendment protection. These cases demonstrate an unfortunate lack of foresight, because today so much data is stored by third parties. I wonder how some of the Justices would have decided these cases if they knew about the world today.
ECPA is built around these cases, providing a small degree of protection when data is stored by third parties, but not providing enough. It shouldn’t matter whether a person keeps data on a home computer or in the Cloud. The protection should be strong for both.
3. ECPA makes a faulty distinction between content and envelope information.
ECPA tracks a distinction made by the U.S. Supreme Court in Smith v. Maryland, 442 U.S. 735 (1979), between “envelope” and “content” information Envelope information consists of what people commonly put on the envelope – such as the mailing and return addresses. Envelope information is routing information. Content information consists of the contents of the communication – the letter inside the envelope.
ECPA protects envelope information minimally through the Pen Register Act — and content information more strictly through the Wiretap Act and Stored Communications Act.
There are two problems with doing this. First, envelope information can be just as sensitive and important as content information. People might care more about protecting the information about whom they are communicating with than about protecting what they are saying.
Second, the line between content and envelope is increasingly blurred by the way the Internet works. For example, is an IP address content or envelope information? An IP address is a unique number that is assigned to each computer connected to the Internet. It at first appears to be a form of routing information. But a listing of IP addresses can show all the websites a person visits. URLs – the link to a particular webpage – can be even more revealing about how people surf the Internet. Such information can be very revealing of a person’s interests and beliefs.
The content/envelope distinction didn’t make much sense for an analog world, and it certainly doesn’t make sense for a digital world.
4. ECPA’s antiquated structure leads to needless complexity and confusion.
ECPA was written in too specific a manner, tracking the technology too closely. The result is that when the technology changes, all sorts of questions arise about how to retrofit the law to new technologies.
According to Orin Kerr, the “law of electronic surveillance is famously complex, if not entirely impenetrable.” So many of the complexities emerge from trying to figure out how a law built around 1986 technology should apply to technology nearly 30 years later.
A recent example of this problem is in the Microsoft v. United States case, currently being heard by the U.S. Court of Appeals for the Second Circuit. The U.S. Department of Justice (DOJ) is trying to use ECPA to require Microsoft to turn over data stored in Ireland. But if U.S. law enforcement can obtain data stored in other countries and use the legal standards of ECPA and ignore the legal standards of these countries, then what if other countries did likewise for data stored in the U.S.? The U.S. has Mutual Legal Assistance Treaties (MLATs) with countries for law enforcement cooperation, and these are much more tailored to each country. The implications of sidestepping MLATs and using a statute drafted in 1986 are significant. The relationship between the U.S. and other countries can be affected – such a use of ECPA can interfere with diplomacy between nations.
ECPA has so many cracks and crevices, so many areas where it is unclear how it applies to the world of today. We are left with a lot of head scratching, headaches, and inconsistent levels of protection.
Instead of building a law so tightly around technology that can change so rapidly, a wiser approach would be to craft a broader more principles-based law. Start with a strong level of protection for all forms of data. Instead of focusing on the form or location of the data, or how the data is obtained, the law should focus instead on the data we want to protect and our values. Although principles-based, the law need not be absolutist; it can and should still address practical considerations.
Far too often, law enforcement attempts to use ECPA like a game of gotcha. Whether something makes sense to do doesn’t matter. If the law might be interpreted to allow it, then law enforcement goes for it. If the level of protection isn’t appropriate, it doesn’t matter to law enforcement, which exploits the weakness to get the data. Thus, the prevailing approach of law enforcement is that if something falls through a crack in ECPA, then gotcha! The larger consequences are ignored.
In contrast, a sensible law should be attuned to the consequences. It should not invite a game of trying to get a winning result even if it is foolish or bad policy.
The more tethered a law is to specific technology, the more dependent it will be upon Congress to keep it up to date. Congress is like a defective engine that throws off mostly heat and hardly any motion. We can’t depend upon Congress, so the next law should be built to be able to remain relevant for another 30 years. The challenge: We need Congress to pass such a law. As problems and dissatisfaction with ECPA continue to grow, maybe the pain and shame of it all will spur Congress to finally take some action.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.