In the wake of mass surveillance revelations sparked by Edward Snowden and others, back in January President Obama ordered his Council of Advisors on Science and Technology to conduct a 90-day review of policies surrounding so-called “big data” and privacy. The council has been looking into everything from marketing analytics (those ads that seem to follow psychically you around the Internet), national security, and biometrics (face and speech recognition) to encryption, data mining, health care, education, automated sensors, and the “Internet of things.”
The council issued its report last week, and privacy advocates have lauded one of the recommendations: reform of the 1986 Electronic Communications Privacy Act (ECPA) to “ensure the standard of protection for online, digital content is consistent with that afforded in the physical world.”
Why is that important? Among other things, ECPA enables law enforcement agencies to access email if it’s left unread or kept online for more than six months with just a subpoena, which needs nothing more than a signature by a government agent. Conversely, search warrants require probable cause and approval by a judge. Subpoenas are a lot easier to get than warrants.
Take a moment to consider email you may have online in Gmail, iCloud, Hotmail, Facebook, your ISP, or any number of other places that’s more than six months old. Now consider that in the last six months of 2013, Google says it received more than 7,700 warrantless requests for user data covering more than 13,500 accounts. Facebook says it got about 5,400 such requests in the same period. Both companies turned over data in the vast majority of the cases.
Clearly, law enforcement agencies are making use of their ability to subpoena email and other communications without a warrant.
How We Got Here — Nearly three decades ago, ECPA’s six-month window on accessing email without a warrant wasn’t entirely unreasonable. Ronald Reagan was president, there was no public Internet, and there were no ISPs. Heck, in 1986, my entire online storage on ARPANET (what would eventually become today’s Internet) was limited to a mere 512 KB (yes, kilobytes!), and I was way ahead of the curve. Considering email messages “abandoned” after 180 days was a generous definition at the time. After all, email was the province of big business and academia, and most users quickly deleted, downloaded, or (ack!) printed messages because they didn’t have space to store them.
When Congress enacted ECPA, lawmakers envisioned that if the government wanted old email they would almost certainly need a search warrant for specific locations or devices — in 1986, “devices” meant “computers.” Few could imagine everyday Internet users would routinely accumulate gigabytes’ and years’ worth of email online.
The technology industry has been urging ECPA reform for years — a recent example is Digital Due Process, a coalition supported by everybody from Twitter and Apple to Intel and AOL (which, ironically, may hold some of the oldest consumer email on the planet). The essential thrust of the argument is that users’ digital content — whether on their personal devices or stored on Internet-based services — should be subject to the same legal protections as a person’s property. That means the government would need a search warrant before it could requires online data of any age.
Nonetheless, Congress has stalled ECPA reform for years. And, believe it or not, some are against reforming the statute. For instance, while criminal law enforcement agencies like the FBI might be able to obtain search warrants fairly easily, civil law enforcement agencies might have more trouble. The best example is the Securities and Exchange Commission (SEC) (which is primarily a law enforcement agency, in fact), but other examples could include the Federal Communications Commission (FCC) and even the Federal Aviation Administration (FAA). Reforming ECPA could hinder these agencies’ ability to go after wrongdoers.
What Happens Now? — The publication of the White House report on big data carries no legislative weight: it’s just a document, and Congress is under no obligation to act upon it or even read it. (There is some small irony that the presidential counsel who headed up the paper — John Podesta — co-authored ECPA back in the day.) However, by adding its voice to the chorus calling for ECPA reform, the White House is at a minimum making a populist move in favor of online privacy that consumers (and voters) can easily understand. As the ramifications of the NSA mass surveillance continue to unfold, that may be smart politics.
Unfortunately, the likelihood that Congress will enact ECPA reform in the near future are slim to none. The Senate and House are now deadlocked on party lines on most major issues, and Congress has just entered a holding pattern in anticipation of mid-term elections.
In theory, President Obama could issue an executive order mandating search warrants for disclosure of email and other electronic data. In some ways, it’s a safe bet: only two executive orders have ever been overturned in the history of the U.S. presidency. However, unlike laws, executive orders can be undone at any time by the president, and who knows how the next administration will feel about ECPA?
For now, email, text messages, and other communications older than six months can be requested from Internet companies by law enforcement agencies at any time — and that’s likely to remain the law of the land indefinitely.