It's a big week for reforming the Electronic Communications Privacy Act (ECPA), a little-known law which safeguards internet communications but hasn't been touched in nearly 30 years.
Yesterday the ACLU joined Americans for Tax Reform to push for an update to the law, and today Sen. Leahy (D-Vt.) and Sen. Mike Lee (R-Utah) introduced a bipartisan bill that would do just that. The bill would require police to get a warrant before accessing email and all other online communications, like Facebook posts or photos we store in the cloud with Google, Yahoo, or any other provider. In addition, the House Judiciary Committee began a series of hearings today on updating ECPA. (ACLU statement for the record is here).
All of this activity is in recognition of the simple fact that current law contains enormous loopholes. Americans keep a wealth of personal information online. A law enforcement investigation could reveal intimate data like emails, contacts, online calendars and journals as well as sensitive health or financial information… the list goes on. Items like these, if kept inside the home, would clearly be protected by the Fourth Amendment and require a warrant before law enforcement searched or seized them. However, our outdated electronic privacy laws leave such personal information vulnerable on the internet. Law enforcement is well aware of this gap in the law.
According to Google's Transparency report, the company received 6,321 requests for users' personal information from U.S. law enforcement between July and December of 2011 alone. In 2012, the number jumped to 7,969 during the first half of the year, and to 8,348 during the second half of the year. Since the first report was issued in 2009, requests are up a staggering 136 percent.
The problem is ECPA was written in 1986 when few Americans even knew what email was, much less conceive of services like Facebook, Twitter and Picasa. While Congress fully intended to put in place strong privacy protections, they could not have imagined how the internet would evolve and how much personal data would eventually be stored in the cloud.
The evolution of email is an excellent example of how much things have changed since ECPA was passed. Back then, when a message was opened it was immediately deleted from the provider and stored on the user's hard drive. ECPA—written with this in mind—currently requires law enforcement to get a warrant to access a message from an e-mail provider's storage, only if the message is less than 180 days old. In Congress's thinking, any message unopened in 6 months was probably junk mail and thus didn't require a warrant to access.
Today, however, e-mail is often both stored on and accessed from remote servers belonging to the e-mail provider, and many people "archive" their e-mail on their provider's server rather than deleting old messages. Under the outdated ECPA statute, these messages are not protected by warrant. Our email currently lacks warrant protection not because of the original intention of the law, but because the internet has evolved far faster than legislators could keep up with.
Law enforcement has pushed back on the update claiming it would interfere with investigations. Although having unrestricted access to Americans' online information is helpful in investigations, we must maintain Americans' privacy rights through strong checks and balances. Just as a warrant approved by a judge would be required to read someone's physical mail or go into their home, the same safeguards should protect our electronic lives.
We are pleased to see so much bipartisan attention paid to ECPA. Our hope is that the result will be an updated law that allows us to use cool new technologies without sacrificing our privacy.