There’s Something About ECPA

I write in “The Laws of Disruption” of the risk of unintended consequences that regulators run in legislating emerging technologies.  Because the pace of change for these technologies is so much faster than it is for law, the likelihood of defining a legal problem and crafting a solution that will address it is very slim.  I give several examples in the book of regulatory actions that quickly become not just obsolete but, worse, wind up having the opposite result to what regulators intended.

An unfortunate example of that problem in the news quite a bit lately is the Electronic Communications Privacy Act or ECPA.   (My first published legal scholarship, in 1994, was an article about a provision of ECPA that allowed law enforcement officers to use evidence they came across by accident in the course of an otherwise lawful wiretap, see “Electronic Communications and the Plain View Exception:  More ‘Bad Physics.’”)

Passed in 1986, ECPA at the time was a model of smart lawmaking in response to changing technologies.  It updated the federal wiretap statute, known as Title III, to take into account the rise of cellular technologies and electronic messages–which didn’t exist when the original law was passed in 1968.

In essence, ECPA brought these new forms of communications under the legal controls of the wiretap law, meaning for example that police could not intercept cell phone transmissions without a warrant, just as under Title III they needed a warrant to intercept wireline calls.  Private interception was also made illegal.

Lost in the Clouds

A lot has happened since 1986, and unfortunately for the most part ECPA hasn’t kept up.  Most significant has been the explosion of new data sources of all varieties, and in particular the now billions (trillions?) of messages sent and received each day by individuals communicating through the Internet.  The potential evidence those messages contain for a variety of investigations—criminal, civil, terror-related—has made them an irresistible target for law enforcement as well as civil litigants.

In addition to the sheer volume of new data sources, the other significant change undermining ECPA’s assumptions has been the movement to cloud-based services, particularly for email.  In the early days of email (say, 1995), ISPs kept messages on their servers only until the user, through a client email program such as Eudora, downloaded the message to his or her personal computer.  Once downloaded, the message was immediately or soon after deleted from the server, if for no other reason than to save storage space.

Storage, however, has gotten cheap, and the potential uses of stored data for a variety of purposes has made it attractive for ISPs and other services (e.g., Google’s Gmail) to retain copies of messages and other user data on a permanent basis.

The drafters of ECPA had great foresight, but they couldn’t have imagined these changes.

Here come the unintended consequences.  Under the law, law enforcement agents hoping to get access to your emails as part of an investigation are required to obtain a warrant, just as they would need a warrant to search your home and seize your computer.

But for data stored on a third party computer—an ISP or other cloud provider—the warrant requirement applies only for “unopened” messages and only for 180 days after receipt.  Once the message is opened and 180 have passed, any stored data can be obtained without a warrant based on the much lower standard of a subpoena.

In some sense, this means that as users move to cloud computing they are inadvertently and unknowingly waiving protections against law enforcement uses of their data. Keep your data only locally on equipment in your home or office, and the police need a warrant to look at or take it.  Leave it in the cloud somewhere, and they can get at it without much fuss at all.

This turn of events, the result not of any secret conspiracy so much as the random confluence of technological inventions since 1986, is almost certainly not what the drafters of ECPA had in mind.  It is more likely to be just the opposite.  For ECPA, like the wiretap law it amended, was intended to give greater protection to communications than what the Fourth Amendment to the U.S. Constitution would otherwise have provided.

A Very Brief History of the Fourth Amendment in Cyberspace

The Fourth Amendment, recall, protects citizens from “unreasonable searches and seizures” by the government.  (We are, it bears emphasizing, talking ONLY about government access here—employers, parents, friends and companies are not subject to the Fourth Amendment.)

Which is to say, the Fourth Amendment is the absolute floor of citizen protections from government.  Title III and ECPA were intended to raise that floor for telephone and later data communications to something that gave citizens more, not less, privacy.

At some point, indeed, technology may push the law below the standards of the Fourth Amendment, making it unconstitutional.  That’s been a concern all along, from the beginning of the wiretap statute itself in 1968.  The passage of Title III followed landmark Supreme Court decisions in the Katz and Berger cases, in which the Court reversed the 1928 Olmstead case, which allowed the police to intercept phone calls of a suspect without a warrant.

The Olmstead decision, Justice Harlan wrote in his concurrence to Katz, was “bad physics as well as bad law, for reasonable expectations of privacy may be defeated by electronic as well as physical invasion,” 398 U.S. at 362 (1967).

Harlan’s phrasing has proven prophetic.  In order to avoid the metaphysical problem of explaining how electronic interception could constitute a “search” or a “seizure” when no physical property of the subject is involved, the Court focused instead on the “reasonable” part of the Fourth Amendment.

Search and seizure, the Court has held over the last fifty years, is really about privacy, and a “reasonable” expectation of privacy for any information law enforcement agents want to gather requires a warrant.  What part of a wiretap is a search and what part a seizure are questions neatly elided (though perhaps too neatly as we’ll see) by the “reasonable expectation of privacy” standard.

The privacy standard has proven at least somewhat resilient to changing technologies.  But with mainstream adoption of revolutionary information technologies comes changing expectations of what is reasonably expected to be “private” information.  Indeed, Olmstead can be seen as a perfectly understandable decision in light of the fact that in 1928 nearly all telephones were connected through party lines, where no caller had any expectation of privacy.

But that also means there is no absolute baseline for Fourth Amendment challenges (usually by a criminal defendant) to evidence collected by the government.  Again, Title III and ECPA can and did set a higher bar than was required as a constitutional minimum, but even as those intentions have been reversed by technology it does not automatically follow that ECPA is now below what the Fourth Amendment requires.

Absent special protections citizens may have had from ECPA, the question under Fourth Amendment jurisprudence becomes:  Do users who keep email and other data archived with ISPs and other cloud providers have an expectation of privacy?  Is that expectation reasonable?

The Ugly Details

Not surprisingly, courts are increasingly asked to weigh in on those questions, and the results are also not surprisingly inconclusive.  (David Couillard at Ars Technica reviewed some of the case law in a recent article, “The Cloud and the Future of the Fourth Amendment.”)

Earlier this month, the Department of Justice abandoned an attempt to avoid a search warrant even for mail messages less than 180 days old in a case that involved Yahoo mail.  (See Declan McCullagh, “DOJ Abandons Warrantless Attempts to Read Yahoo E-mail.”)

Google, which came to Yahoo’s defense, has begun disclosing just how many requests for information about its users it receives from various government agencies.  (See Jessica Vascellaro, “Google Discloses Requests on Users.”)

It’s also worth noting that sometimes technology goes the other way—making it harder for law enforcement officials to collect evidence and conduct investigations.  Encryption is a good example here—stronger encryption protocols make it easier for criminals to hide activity from the police.

Indeed, law enforcement and privacy advocates are in some sense always engaged in a complicated dance.  As technology constantly changes the delicate balance between the sanctity of private activity and the need for effective law enforcement, lawmakers are regularly asked by one side or the other (or both) to change the law to bring it back into something that satisfies both groups.

The Digital Due Process Coalition

The cloud computing problem has inspired the creation of an interesting coalition aimed at returning ECPA where its drafters intended to set the scales.  The group, called Digital Due Process, was launched in March and is calling for specific reforms of ECPA to take into account the reality of digital life in 2010.  (For those who want the legal details, the site includes an excellent analysis by my one-time boss Becky Burr, see “The Electronic Communications Privacy Act of 1986: Principles for Reform.”)

The Digital Due Process group is a remarkable coalition of organizations and corporations who might not otherwise be thought to agree on too many issues of technology policy.  It includes advocacy groups normally thought to be on the right or the left, including the ACLU, the Center for Democracy and Technology, the Progress and Freedom Foundation, the Electronic Frontier Foundation and the American Library Association.  Corporate members include Google, AT&T, Microsoft, eBay, and Intel.

One might think that with such specific recommendations and such a wide coalition of support from across the ideological spectrum that ECPA reform would be a slam dunk.  But of course that would ignore one very powerful lobby not represented by Digital Due Process–the lobby of law enforcement agencies.

These agencies almost certainly recognize that the move to cloud computing has given them unintended and unprecedented access to information otherwise protected by the law, but naturally they are loathe to let go of any advantage in the fight against crime.

Though there have been some calls in Congress for enacting the reforms called for by the coalition, the success of Digital Due Process is far from certain.  And even if the group does succeed, there’s no telling how long it will be before the scales become unbalanced yet again, or in whose favor, by the next set of disruptive information technologies to become mainstream.

As Thomas Jefferson said, “The price of freedom is eternal vigilance.”