Washington Court Should Find ECPA Unconstitutional
Written by Lisa A. Hayes
The Electronic Communications Privacy Act (ECPA) allows the government to prevent service providers from notifying their customers that the government has accessed a customer’s private electronic data stored in the cloud. This egregious conduct not only violates the First and Fourth Amendment, it compromises public trust in cloud computing. Individuals rely on the cloud to store their emails and texts, the books they read, and almost every piece of personal, private electronic information. At the same time, businesses want to rely on the cloud to replace costlier, in house, business services, but can only do so if the cloud enjoys comparable legal protections.
That’s why CDT, along with lawyers from Mayer Brown and the Chamber of Commerce, spearheaded an amicus brief to make sure the court understood the full range of issues presented to the court. Earlier today, we jointly filed a brief in support of Microsoft in federal court in Seattle, asking the court to declare Section 2705(b) of ECPA unconstitutional.
Historically, if the government wanted access to an individual’s private information, the government was required to obtain and serve a warrant. The individual targeted would then receive a copy of the warrant in conjunction with the information being physically seized, irrespective of whether the information was stored in paper form or on a local hard drive.
If moving data from a local platform to the cloud means that there are fewer privacy rights in the data, individuals will be more reluctant to use this beneficial technology.
However, in the last decade many Americans have moved away from storing information locally and have instead started hosting it on the cloud. Thanks to the ease of access to these services, millions of Americans now trust their most private information – medical records, photographs, calendars, legal documents, and correspondence – to the cloud.
The government’s view of ECPA is that technological advances allow the government to obtain the information without the customer’s knowledge and without any opportunity for the customer to challenge the government’s action. Cloud computing has already provided significant societal benefits, and promises even greater rewards. However, individuals are increasingly concerned about maintaining the confidentiality of their electronically-stored data. If moving data from a local platform to the cloud means that there are fewer privacy rights in the data, individuals will be more reluctant to use this beneficial technology.
The notice requirements of the Fourth Amendment are critical protections against government overreach. While formal service of a warrant may seem like a technicality – skimming a warrant while the government wheels your filing cabinets out your front door is scant immediate comfort – notice is the only way an individual can contest a warrant’s legality and demand the return of wrongly-seized information. By failing to provide individuals with notice that it is seizing their information from third parties, the government’s actions violate the Fourth Amendment.
Beyond the Fourth Amendment concerns, ECPA’s gag order provisions also violate the First Amendment. By prohibiting companies from speaking about an issue of public concern—government surveillance of their customers—the gag orders constitute content-based restrictions on speech and prior restraints. Cloud storage providers promise their clients that they will keep their data secure and private. By uniformly preventing companies from notifying customers when their data is accessed by a third party without permission, the companies First Amendment rights are compromised.
Individuals generally have a right to know when the government accesses their data. Yet ECPA precludes knowing whether and how frequently the government is searching your information. This directly limits the ability of the public to have an informed discussion about the reasonableness of the government’s actions since they don’t know what those actions are. Do I think I have committed any crimes that would justify the government accessing my cloud-based data? No. But the lack of notice required under ECPA means that I cannot know whether the government has ever done so. This lack of transparency should be deeply troubling to all Americans. The court should grant Microsoft’s motion to declare Section 2705(b) of ECPA unconstitutional.