Posted Apr 01, 2013 10:10 am CDT
In the hyperpartisan world of contemporary Washington politics, it would seem unlikely that Republican anti-tax warrior Grover Norquist and liberal civil liberties groups like the ACLU would be fighting together on any issue. But one law has brought together Norquist and the ACLU, as well as tech giants like Google and other Internet providers.
That law is the Electronic Communications Privacy Act of 1986. A broad and diverse coalition is demanding that Congress update the law to protect emerging Internet technologies. They believe that the law, passed in the pre-Internet era, fails to protect Americans’ digital communications from government eavesdropping and surveillance. But the Department of Justice and several other federal agencies are resisting some of the proposed changes.
An opinion article by Norquist and Laura Murphy, director of the American Civil Liberties Union’s Washington, D.C., legislative office, published on The Hill’s Congress Blog states the issue succinctly:
“Today, if the police want to come into your house and take your personal letters, they need a warrant. If they want to read those same letters saved on Google or Yahoo, they don’t. The Fourth Amendment has eroded online.”
“The problem with the law is so big that this is not about right versus left,” says Jim Dempsey, vice president for public policy at the Center for Democracy & Technology. “What we want is a policy that protects users and their privacy. We need a privacy framework against warrantless wiretapping.”
Email, instant messaging, cloud computing, cellular phones, the Global Positioning System and geolocation tracking are just some of the technologies that have become available since the authors of the original ECPA finished their work.
The ECPA’s framers were forward-looking in that the statute limits law enforcement access to electronic communications and associated data, including then-emerging wireless and Internet technologies. But legislative aides who wrote the law using typewriters and fax machines couldn’t possibly have anticipated all the new technology of the Internet age.
In particular, the rise of cloud computing and advances in location-tracking technologies have changed the way data is stored and dramatically increased the amount of detailed information available about an individual. Thanks to the rise of social networking and free, hosted online services (often referred to as cloud computing), more data is saved on commercially owned servers and not on an individual’s computer hard drive. And as many as half of American wireless subscribers use smartphones of some kind, which actively track their movement and online activity.
The Electronic Communications Privacy Act of 1986 is actually three laws wrapped in one. The act amended the existing 1968 federal wiretap statute to cover electronic communications and created a new chapter of the criminal code commonly known as the Stored Communications Act. The last piece of the ECPA, known as the Pen Registers and Trap and Trace Devices statute, regulates devices used to capture phone numbers and similar information.
The USA Patriot Act is one of the few laws that directly amended the ECPA in that it expanded the amount of information law enforcement could access, especially in a national security context. That information includes data related to temporary Internet addresses and credit card and other digital payment records.
Proponents of an ECPA update say any attempt to standardize the law will also have to revise the language to conform to modern technology. One notorious problem under current ECPA rules is that any email left on a server more than 180 days is considered abandoned and can be accessed by law enforcement without a warrant. But storage has become so inexpensive that Internet providers commonly leave email and other communications on cloud-based servers indefinitely.
“That’s one of those things that’s very difficult to defend today,” says Richard Salgado, Google’s director for information security and law enforcement matters. “Why on day 181 does email change from protected to accessible? The legislative history makes it clear the law wasn’t meant to be read that way, but that’s how it’s been interpreted and enforced.”
Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., offered a bill late in the 2012 session of Congress as part of legislation designed to modernize both the ECPA and the Video Privacy Protection Act. An amended version of the VPPA was signed into law in January, but it did not include provisions addressing ECPA reform. Leahy expects, however, to see action in the current congressional session. He has said getting ECPA reform through the new Congress will be one of his top priorities. In addition, if Congress fails to act, the White House may tighten regulations through executive order. Advocates of the effort to modernize the ECPA say the Leahy bill goes a long way toward addressing the hole in the current law.
Internet activists received an unexpected boost thanks to the shocking downfall of CIA Director David Petraeus last year. Petraeus’ emails were swept up in an FBI investigation into a relatively innocuous harassment case, which led to exposure of an extramarital affair between the retired general and his biographer. The revelation of those emails ended his long career in the military and government, but the fact that the FBI could acquire these emails without a warrant highlighted for many the broad and unchecked authority law enforcement has to intercept electronic communications.
Iowa Sen. Charles Grassley, the ranking Republican on the Judiciary Committee, had introduced an amendment to retain the current warrant standard for investigations involving kidnapping, child pornography and violent crimes against women. However, the amendment was voted down in committee after members expressed concern over the Petraeus incident.
“Until the Petraeus fiasco, I think many lawmakers didn’t really understand why we were so insistent that the FBI should not be able to access stored data without a warrant,” says Lee Tien, senior staff attorney with the Electronic Frontier Foundation. “The affair shocked a lot of people in the capital and really helped prevent [Leahy’s] bill from getting watered down.”
But this is not the first attempt to update the law, nor will it likely be the last. Efforts to update these related laws have been made since at least the Clinton administration. However, the political will and momentum were lost after the Sept. 11 terror attacks, which inspired a significant expansion of surveillance law. And because of that change in political will, the scope of these efforts has narrowed.
In particular, the proposed updates do not address national-security-related measures in the Patriot Act or the Foreign Intelligence Surveillance Act. “In our proposal, we do not touch FISA or intelligence gathering or national security issues,” says Dempsey. “That’s still radioactive and politically untenable.”
Since March 2010, a diverse coalition called Digital Due Process has brought new energy to the update effort. The organization has put together a set of specific principles it hopes an update to the ECPA will encompass. Fundamentally, the group is pushing for a clear, single standard for access to digital information in criminal investigations.
“What we want is an end to the confusing and multifarious rules and standards for getting access to communications,” says Tien. “There are seven standards for accessing email that I know of, which is not good for privacy.”
It was never a secret that the ECPA had become outdated, but activists say there was little to suggest a serious problem existed until August 2005. That was when U.S. Magistrate Judge James Orenstein in the Eastern District of New York denied a government request to intercept cellphone communications without probable cause. In that ruling, Orenstein wrote that the Department of Justice was relying on a vague and confusing law, and noted that, based on anecdotal information, “magistrate judges in other jurisdictions are being confronted with the same issue but have not yet achieved consensus on how to resolve it.”
Before Orenstein’s opinion, there was little indication of how the ECPA was being used in federal investigations. These requests were usually put before a judge with no opposing counsel to argue against them. Because the law does not specifically protect privacy rights in contemporary contexts, law enforcement often took sweeping positions about the amount of data that could be collected without a warrant.
“Until this one judge happened to publish this opinion rejecting the government’s request,” Tien says, “we really didn’t know the extent to which law enforcement was relying on some very suspect arguments to obtain information.”
The Justice Department declined to comment on any efforts to collect information under the ECPA or pending legislation. However, it pointed to published testimony (PDF) before Congress by James A. Baker, associate deputy attorney general, in April 2011. Baker accepted that some level of ECPA reform is necessary, but he advanced a very narrow, limited list of reforms the department would support. Baker identified eight areas in which changes to the ECPA should be investigated, primarily addressing areas of confusion regarding law enforcement’s ability to obtain information, such as the legal standard for obtaining cell tower information associated with cellphone calls. In this and other areas, there is no uniform procedure in different jurisdictions.
However, the department resisted Digital Due Process members’ primary goal: new requirements obligating a search warrant for access to email or other stored communications. It argued such a requirement could actively impair investigations. “Congress should recognize the collateral consequences to criminal law enforcement and the national security of the United States if ECPA were to provide only one means—a probable cause warrant—for compelling disclosure of all stored content,” Baker said.
The ECPA update effort must confront a number of separate but related issues. The most pressing concern is resolving a series of conflicting court rulings on accessing electronic communications in criminal investigations. The Electronic Frontier Foundation has pointed to at least 30 federal opinions reaching a variety of conclusions related just to government access to cellphone location information. Proponents of an update argue that because different jurisdictions have different standards, law enforcement can access data in some jurisdictions that would be ruled inaccessible in others.
Over the past decade, different appellate court rulings have slowly undermined the legal framework for online law enforcement. In 2002, the San Francisco-based 9th U.S. Circuit Court of Appeals noted that Internet surveillance was “a confusing and uncertain area of the law.”
And in a 2010 ruling, U.S. v. Warshak, the Cincinnati-based 6th Circuit directly challenged the validity of portions of the law, saying “to the extent that the [Stored Communications Act] purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.”
The result is irregular interpretations of law enforcement’s ability to capture data and communications. For example, digital giant Google says it will not respond to requests for data without a warrant because it is headquartered in the 9th Circuit, where the court has narrowed law enforcement’s access to digital records. “The DOJ dances around ECPA,” says Dempsey. “Provisions of ECPA were ruled unconstitutional in the 9th and the 6th, so you will not see them attempt to obtain information without a warrant in those venues. However, in jurisdictions where there is no such ruling, you still see broad requests for data.”
Cases involving ECPA requests are rarely reported, so it is difficult to know exactly which jurisdictions are more or less likely to require a warrant. But a ruling from the Philadelphia-based 3rd Circuit held that judges may choose not to sign an application even if it provides the statutory showing. However, in the ongoing WikiLeaks investigation, a federal magistrate judge in the Eastern District of Virginia gave the DOJ broad access to data, writing, “at an early stage, the requirement of a higher probable cause standard for noncontent information voluntarily released to a third party would needlessly hamper an investigation.”
As more and more jurisdictions have ruled against a broad ECPA interpretation, there is some hope the law could be fixed through the courts. However, even rulings against the ECPA have sometimes relied on very different legal reasoning, and Digital Due Process members agree that a legislative solution would be the best way to resolve these differences. The “ECPA could be resolved as a matter of law as unconstitutional,” says Google’s Salgado. “But we want a framework we can work with that is in compliance with the Constitution.”
Sen. Leahy’s proposed ECPA update does not appropriate the Digital Due Process language, but members say it captures the spirit of its principles. Leahy’s office says it is aware of those principles and has actively solicited input from the coalition. Under the proposed bill, if the government wants to track cellphones, seize email or access social network messages, investigators would first have to get a judge to issue a search warrant based on probable cause.
But the EFF’s Tien says the bill doesn’t go as far as Digital Due Process would like. In particular, it expands the government’s authority to use “national security letters” to obtain data about an individual’s communications online without probable cause or court oversight.
For coalition members that provide Internet services, the bill’s most important feature is that it clearly defines and limits their role in handling law enforcement requests. Companies like Dropbox and Facebook may be high-tech darlings, but in the proposed law they would be treated like the owner of a storage locker.
“Investigators want access to information, but like to pretend that the digital world is not protected as in the offline world,” says Dempsey. “We say, get a warrant just like you do for an investigation offline.”
The bill would establish new privacy protections for geolocation information collected, stored or used by mobile applications and mobile devices such as smartphones and tablets. It would also prohibit an Internet provider, cloud-computing service or geolocation information service provider from voluntarily disclosing the contents of its customer’s email or other electronic communications to the government. National security exceptions are made allowing for a delay in providing notice to the subject of a warrant.
Digital Due Process believes the Leahy bill is an important step toward fixing a hole in federal law. However, closing that gap is just one piece of the privacy puzzle that new technologies have engendered. For example, several commercial entities, including members of the Digital Due Process coalition, have been found actively mining customer data and even tracking customer movements and behaviors without consent.
Google’s Salgado says questions about commercial data mining are well outside the scope of the coalition’s efforts and have no bearing on the ECPA effort. However, civil libertarians say there is a need to consider privacy concerns from commercial entities as well.
How those two sides of Digital Due Process will address those concerns is difficult to imagine.
“We all agree that the law needs to clarify law enforcement’s ability to intercept data,” says Tien. “It’s going to be a harder and different discussion about broader trends in communications and privacy issues.”
Jason Krause is a freelance writer based in Madison, Wis.