For the first time since the creation of the World Wide Web, Congress has made it clear that all private communications online require a search warrant based on probable cause. That's the word from ACLU legislative counsel Christopher Calabrese in Washington following a vote Thursday by the Senate Judiciary Committee to send the Electronic Communications Privacy Act of 2013 to the Senate floor. The prime mover on the bill has been Vermont Sen. Patrick Leahy, who was in the Senate when the first ECPA law was passed -- in 1986. How long ago was that? Mark Zuckerberg was in day care.
No one doubts ECPA needs a serious upgrade. Citizens don’t know which electronic communications might be private when. Service providers often don’t know how to respond to requests from law enforcement to turn over e-mails or other records of customers. And law enforcement operates without clear guidelines and rules for accessing information needed for legitimate investigations.
When Leahy started pushing for an upgrade of the law two years ago at a Senate Judiciary Committee hearing, he said that under the current 1986 law, “the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent.” Leahy chairs the committee.
Missing was what Senate Judiciary Committee members warned about in 1986, when the first ECPA law was passed: Privacy protections “must advance with technology” or privacy will “gradually erode as technology advances.”
For the last 27 years the latter has happened – privacy has eroded as technology has advanced. For example, the 1986 ECPA law requires police to get a warrant for e-mail only if the e-mail is fewer than 180 days old. The reason for that cut-off is that in 1986, e-mails weren’t retained on a provider’s server once you opened them. They were “transferred” to your computer. It was assumed that any of your e-mails still on your provider’s server after 180 days were there because you didn’t want them – they were junk. So the law said no warrant is required for an e-mail older than 180 days.
E-mails on your personal computer have always required a warrant, no matter how old they are. But increasingly, our e-mails and other digital content aren’t stored on our computers, mobile phones, tablets, or other digital devices. Instead, they are stored on our provider’s servers, in “the cloud.” We access the data via our devices – but it remains in the cloud. Who has access to that data and under what conditions has become a huge question.
The 2013 ECPA bill has so far enjoyed bipartisan support. It’s also been backed by coalitions that span the gamut of privacy, commercial, and political interests. For example, the Digital Due Process coalition includes the American Library Association, Google, HP, Oracle, ALEC, the U.S. Chamber of Commerce, reddit, T-Mobile, the Newspaper Association of America, and the ACLU.
“ECPA has been outpaced,” the Digital Due Process coalition notes. “The statute has not undergone a significant revision since it was enacted in 1986 – centuries ago in Internet time.”
- Background to ECPA upgrade: ACLU Joins AT&T, Google And Privacy Groups To Urge Updates To Privacy Law
- Digital Due Process coalition
- U.S. Senate Judiciary Committee hearing held April 6, 2011 on “The Electronic Communications Privacy Act: Government Perspectives on Protecting Privacy in the Digital Age”
- Press release and Sen. Patrick Leahy statement on Thursday’s consideration of ECPA upgrade