Data Privacy Day: A Reminder of the Need to Update ECPA
Written by Chris Calabrese
For years CDT has been leading the charge to update the Electronic Communications Privacy Act (ECPA), the law that governs how police and government can access to our personal communications like emails and photos. We’ve consistently argued that these types of private communications should only be accessible with a warrant based on probable cause – the same standard used to search your postal mail or your home.
Today, Data Privacy Day, is a good day to talk about why. After all, there is a very important appellate court ruling on our side, US v. Warshak, which says that email should only be accessed with a warrant. Many of the largest companies in the space have agreed to voluntarily follow that rule and currently require police to bring them a warrant before they will turn over the contents of inboxes.
This is not just email, but also texts and private social networking posts that would be accessible with only a subpoena…
Of course the problem with that is it’s only one appellate court decision. If another circuit were to decide differently, we could quickly be thrust back into much less protective world. This is not just email, but also texts and private social networking posts that would be accessible with only a subpoena – basically a letter from prosecutors with a low standard of proof that are never reviewed by a judge.
We believe that it’s crucial that such a thin reed not protect some of the most sensitive information we have. After all, privacy in communications is central to our democracy. Journalists need it to talk to their sources, advocates need it to organize protests, and normal folks need the freedom to complain about their government without fear of retribution.
And the problem isn’t just that another appellate court might decide differently; it’s that the march of technology makes further erosions almost inevitable. The decision in Warshak is largely based on an analogy to the physical world. This is not unusual in Fourth Amendment jurisprudence where judges are asked to consider where American’s have a reasonable expectation of privacy and extend that to new domains.
In Warshak the court’s thinking was pretty clear – email is like postal mail, postal mail is protected by the Fourth Amendment, therefore email should be protected by the Fourth Amendment. But what happens when there aren’t good analogies to the physical world? A shared cloud based document may contain very sensitive information and only be accessible to few people, but it’s not clear what its analogue is.
It is vital that the protections for those communications not be tied to outmoded physical modes of communication or the understanding of judges.
Nor are an individual’s personal expectations necessarily binding. In the 1970s most people almost certainly though of the information they shared with their bank as highly confidential. Yet in 1976 the Supreme Court decided US v. Miller, which held that because this information had been conveyed to a 3rd party (the bank) the plaintiff had forfeited his reasonable expectation of privacy.
All of this makes statutory protections so important. This is especially true in the current internet era as we constantly see new and rapidly evolving ways to communicate. It is vital that the protections for those communications not be tied to outmoded physical modes of communication or the understanding of judges.
The last Congress made great to update ECPA for the digital age, but reform did not come to fruition. Bipartisan bills were introduced in both chambers. A bill in the Senate passed committee but never reached the floor while a House version of the same bill attracted an astonishing 272 cosponsors. Incredible progress has been made, but Congress must act this year to help assure that our privacy keeps up with the digital age.