The Electronic Communications Privacy Act (ECPA) is part of the U.S. Code that was enacted in 1986 with the stated goal of striking a balance between privacy rights associated with new forms of electronic communication and the need for law enforcement to have the tools necessary to do their jobs effectively. Though it may have been avant-garde for its time, this law is now out of date and hopelessly out of touch with the realities of computing in the internet age.
Digital Due Process (DDP) is a coalition of major online entities, privacy advocates, educational institutions, etc., that have a common objective:
To simplify, clarify, and unify the ECPA standards, providing stronger privacy protections for communications and associated data in response to changes in technology and new services and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances, and protect the public.
Prominent members include Amazon, AOL, Google, HP, IBM, Intel, and Microsoft. The Electronic Frontier Foundation (EFF) is also on board with this initiative, as are a score of law schools across the United States. DDP seeks to modify and balance privacy laws to make sure they are compatible with today’s technological reality.
Though DDP’s individual members may have slightly varying stances on the right direction for the ECPA, they all agree on the following four principles:
1) Law enforcement should have to obtain a warrant based on probable cause before it can demand that a service provider turn over a customer’s private data.
Currently, the law allows police and other law enforcement to demand access – without a warrant – to people’s emails that have been in storage for more than 180 days. A simple court-ordered subpoena is sufficient to order a service provider like Hotmail or Gmail to hand over your private emails, provided that they’ve been in your inbox (or sent messages, for that matter) for six months or more. The DDP sees this as too low a standard considering people’s privacy is at stake.
Law enforcement has never before had access to technologies that would enable such tracking of individuals. Does the simple fact that the technology and application now exist justify the use of those technologies? Contrary to the views of the Justice Department, DDP does not believe so.
When it comes to compelling a service provider to hand over private information, a major victory in favour of mandatory warrants came in the case of United States vs. Warshak: The U.S. Court of Appeals for the Sixth Circuit held that forcing an internet service provider to hand over private data without a warrant is unconstitutional on the grounds that it breaches the Fourth Amendment. The court ruled that people are entitled to the reasonable expectation of privacy relating to their emails, even though they are stored on a third party’s server.
2) Law enforcement should have to obtain a warrant before engaging in any location tracking through cellphones or other wireless devices.
The reality of today’s telecommunications means that service providers can potentially track their subscribers’ locations in real time. This powerful ability has not been lost on law enforcement. Though there is intense debate, at least one court views this type of tracking without a warrant as unconstitutional: Just last year, the U.S. Court of Appeals for the District of Columbia rendered a decision in United States vs. Maynard where it disallowed evidence obtained by an FBI GPS transmitter that had been installed on a suspect’s vehicle without a warrant. The court found that:
It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine.
This case has been appealed to the U.S. Supreme Court and will be heard this year. Needless to say, DDP will be watching intently to see how the top court rules on this issue. It wouldn’t be surprising to see DDP members file amicus curiae briefs with the court in favour of the respondent.
3) The government should have to show that access to transactional data is relevant to a criminal investigation before a judge grants it permission to access that information.
Transactional data refers to the logging of who we call and when. The same way law enforcement may track the transactional data associated with people’s telephone calls, they may also track information relayed through other forms of communication, such as email, instant messaging, text messaging, etc.
DDP believes that, before being granted permission to track such information, the entity requesting the right to proceed should have to show reasonable grounds for why the information to be collected is relevant and pertinent to a criminal investigation. Failure to do so should be met with the rejection of the request.
Again, just because the technology is there doesn’t mean that law enforcement should be given carte blanche to track and record transactional data – regardless of the format or medium.
4) Police and other law enforcement should not be allowed to obtain a single subpoena granting access to the transactional data of several people.
This principle seeks to eliminate the practice of accessing groups or entire directories of transactional data in the hopes of it leading to a suspect. DDP argues that law enforcement should have to obtain a separate subpoena for each and every individual’s personal transactional data. If not, the entity requesting access to such data should have to show that access to the bulk information is, in itself, relevant and pertinent to the investigation.
Though many are in favour of modifying the existing law, some warn against the pitfall of over-specialization. Simply put, the ECPA shouldn’t turn into a law on cloud computing. Doing so would defeat the purpose of modernizing the law, since it would be rendered obsolete with the rise of the next technology. Rather, we should strive for the modernization of the existing act while still maintaining its broad scope.
Privacy has always been an important issue for the average citizen. In this era of computing, most people use the internet every day. The prevalence and continued growth of cloud-based offerings require the modernization of the ECPA in a manner that will allow for growth and innovation.
I firmly believe that the ECPA, or any law whose primary subject matter is technology, should always have a mandatory five-year review. Much can happen in the world of tech in five years, let alone in the 25 years it’s been since the enactment of the ECPA. A mandatory review is exactly what legislation like this needs to avoid the unsustainable legal delay that stifles innovation.

