Eureka! More State “Laboratories of Democracy” Catalyze ECPA Reform
Written by Jadzia Butler
Let’s Hope Congress Follows Suit.
A lot has changed in the past 30 years. In 1986, hardly anyone carried a cell phone, as Motorola had only come out with the first truly “portable cellular phone” three years before (the Motorola DynaTAC 8000X, aka the “Brick”). There was no such thing as the “World Wide Web,” and email was only common among academics, government workers, and military personnel with access to the early Internet (even for them, it was only useful if they actually knew someone else with an email address). Despite the countless technological innovations that have spanned the past few decades, one thing has remained constant: the Electronic Communications Privacy Act of 1986 – the law that was meant to protect electronic communications from overreaching, invasive government surveillance – has not been substantially updated since it was passed.
Unlike our federal-level Congress, several states have taken it upon themselves to fix the ridiculously outdated law rather than wait around to celebrate its 30th birthday. Last year, Governor Jerry Brown signed into law the most sweeping reforms to date – CalECPA (SB.178). As a result, California (whose state motto is literally “Eureka!”) now has the most stringent privacy protections in the country, if not the world, for its police and local government. Today, CDT is proud to join with state lawmakers, the ACLU and other civil liberties organizations in celebrating the latest states with ECPA reform proposals that follow in California’s footsteps.
Here is a snapshot of some of the problems that currently exist with regards to law enforcement access to electronic communications and location data, and how these states may solve them:
StateECPA Laws: ECPA has not been updated to reflect advancements of technology, such as the widespread use of third parties to hold email or other documents in “the cloud.” As a result, many types of important, sensitive information do not have privacy protections comparable to the protections afforded to physical mail or phone calls – protections that users expect for all of their sensitive information, regardless of form. CalECPA updates the law by requiring state law enforcement officials to obtain a warrant based on probable cause before seizing the contents or metadata of any communication – regardless of age of the data (ECPA currently allows emails over 180 days old to be searched with a mere subpoena). The same requirement applies when requesting location records from cell phone providers. Moreover, in California the government now has the burden to notify targets when they request their data (with some exceptions). Now, states like Massachusetts, Minnesota, New Hampshire, New Mexico, New York, and Virginia may follow suit by enacting similar requirements.
State Location Privacy Laws: One of the unintended byproducts of the adoption of mobile phones is that most Americans now carry a portable tracking device in their pockets. Cell phones reveal user location through a variety of techniques, such as sending signals to the nearest cell tower. This tracking reveals a variety of sensitive information, such as where an individual spends the night, when they visit the doctor or whether they participate in a government protest. Of course, law enforcement agencies have frequently taken advantage of the wealth of information that location data provides. By using cell site simulators (aka “stingrays”), for example, law enforcement officials can mimic legitimate cell phone towers and trick cell phones within a certain radius to route mobile traffic directly into the hands of investigators. This allows investigators to collect the unique identifying numbers and location data of nearby phones in real time. Thanks to CalECPA, a warrant is now required before a state law enforcement official can conduct surveillance via a stingray. Illinois, Michigan, and Nebraska may soon follow suit.
Congress, It’s Your Turn. With the plethora of states that have proposed and, in many cases, adopted viable ECPA reforms, it’s time for Congress to step up and implement reforms at the federal level. Reforming ECPA to reflect the realities of our 21st century, digital world makes sense to everyone across the political spectrum. In fact, many agencies already have to obtain a warrant to seize electronic communications content because, following a federal appellate court decision, US. v. Warshak, several service providers (such as Google) generally refuse to relinquish that data without one. Moreover, the FBI and DOJ recently acknowledged the grave threat to privacy posed by stingrays, and updated their official policies to require a warrant before using that technology. With more than 300 co-sponsors of the House’s Email Privacy Act and 25 co-sponsors of the Senate’s ECPA Amendments Act, it shouldn’t be hard for Congress to officially engrain these practices in law–requiring a warrant to obtain our sensitive data once and for all.
Additional CDT ECPA Resources: