Time to reform ECPA
Recently, I wrote about the LEADS Act proposed by U.S. Senators Orrin Hatch (R-UT), Dean Heller (R-NV), and Christopher Coons (D-DE), which offers a thoughtful approach to a knotty problem—whether and how governments should be empowered to demand the production of data across sovereign national borders. Their bill suggests that with rare exceptions, governments should not have that authority. Instead, their legislation encourages the development and use of mechanisms for intergovernmental law enforcement cooperation. Their goal is to ensure that law enforcement can access information necessary to protect public safety without creating conflicts between national legal systems. Their bill also addresses another vitally important issue—reform of the Electronic Communications Privacy Act (ECPA).
Now that the midterm elections are behind us, Congress should quickly act to pass common sense ECPA reform legislation. Bills pending before the House and the Senate enjoy strong bipartisan support—and have also been widely endorsed across the entire community of technology providers, privacy scholars, and civil society. ECPA, which predates the advent of the public Internet, is now 25 years old. We should not let another year pass without upgrading the law to require a probable cause warrant whenever the government demands access to the contents of data and communications stored in the cloud.
When ECPA was passed by Congress and signed by President Reagan a quarter century ago, it represented a very forward-looking effort to ensure that electronic messages receive 4th Amendment protections. Some updates have been made over the years. However, the law is still built around core assumptions concerning online data storage that were more relevant in the era of the digital watch than of the smartphone. Changes are necessary to reaffirm the central principle upon which the original law was premised. We should protect documents stored online against unwarranted intrusions by the government, just as we protect documents that exist in the physical world.
In 1986, cheap ubiquitous cloud-based storage for data and a world full of always on, always connected devices would have been in the realm of science fiction. Now it is our reality. The law should, therefore, also address the fact that data collected in the cloud creates a temptation for the government to demand access from a third party provider rather than directly from the owner.
The current text of the law assumes that data stored online for more than 6 months have essentially been abandoned and deserve fewer protections against governmental demands. Thankfully, most major cloud providers rely upon the reasoning from a U.S. Circuit Court of Appeals decision, which held that we do have a reasonable expectation of privacy in email we store online. It further held that the law as written is unconstitutional to the extent it enables searches without a probable cause warrant. We need to codify these rulings and make them the law of the land.
A legislative proposal to update ECPA penned by its original author, the Chairman of the Senate Judiciary Committee, Senator Pat Leahy (D-VT), would do just that. The bill, which is also co-sponsored by Senator Mike Lee (R-UT), would make three important changes to the current law. First, it would require warrants for content stored in the cloud. Second, it would require that the government notify account holders about warrants used to seize data stored in the cloud. Third, it would impose time limits on orders barring cloud service providers from notifying their customers that a warrant has been executed. A companion bill has won widespread bipartisan support in the House of Representatives under the leadership of Representatives Kevin Yoder (R-KS), Tom Graves (R-GA), and Jared Polis (D-CO). Their bill now has 270 co-sponsors, more than half the representation of the House of Representatives.
Twenty-five years ago, Congress was forward-looking in passing legislation to protect electronic communications before public email even existed. Now, we need to make sure that legal protections keep up with the times so that we strike the right balance between privacy and security while also enabling innovative new technologies to grow.