Ask CDT: Answers on ECPA
This week, CDT Vice President Jim Dempsey (pictured left) testified before the Senate Judiciary Committee on the need to update the Electronic Communications Privacy Act (ECPA). He also took readers' questions on the important and complex law. Below are his answers.
Question: Under the current ECPA, is there any action one can take to keep Google from handing over the contents of one's entire Google account (gmail, messaging, calendar, Android phone use, etc.) upon request? Given Google's total control of many people's electronic lives, and the company's oft-questioned history of compliance, are there steps Google users can take to ensure their privacy?
If this question is too specific, please give us your opinion on measures that users with email accounts with any providers might be able to take to protect themselves, or if there are some providers who are more likely to not turn over their users' information than others
Jim Dempsey: Under the current ECPA, Google is already prohibited from handing over your data (gmail, calendar, photos, etc) "upon request." In the case of disclosure to the government, there has to be some process compelling disclosure. Our concern is that the current ECPA allows the government to demand disclosure with a mere subpoena, issued by a prosecutor without a judge's approval and without any suspicion that you are engaged in criminal conduct. In terms of disclosure to non-governmental entities, ECPA also prohibits Google from disclosing the contents of your email and documents without your consent. Of course, you have to be careful what you consent to. Google does not disclose to anyone the content of your communications. In terms of how it uses your data internally for advertising and related purposes, Google has increased the clarity of its privacy policies and has been increasing the control it gives to consumers to understand and choose what is disclosed in the commercial context.
Q: If the email on my laptop is protected from government search (without a warrant), isn't that SAME piece of email also then protected if it lives in "the cloud"?
JD: It should be, but unfortunately the law isn't clear, which is why CDT is arguing that Congress needs to act. The Constitution provides the baseline of privacy protection against the government. We believe that, under the Constitution, email stored in the cloud should be protected, just as the things you put into a storage locker are protected. However, the courts have not yet resolved the issue, and it may take years for them to do so. Just this past summer, for example, the Supreme Court had in front of it a case involving stored text messages; the Court said it didn't understand the technology well enough and would not rule on the Constitutional status of those messages. Instead, it decided the case on other grounds. In the absence of a constitutional ruling, statutes define our privacy rights and, under ECPA, data stored in the cloud is available to the government with a prosecutor's subpoena, issued without court approval. Congress could amend the law to require a warrant issued by a judge, and that is what we are advocating.
Q: If ECPA protects my email when it's sitting on my computer at home, why is it not protected from search when I carry it on a laptop when re-entering the U.S. from overseas?
JD: Traditionally, the government has had broader powers to search at the border. However, that power has been abused in recent years. The "hit rate" on border searches is abysmally low. Legislation was introduced a couple of years ago to rein in the practice, but it did not pass.
Q: I'm in the middle of a pretty nasty divorce; my husband has threatened me several times. Can his lawyer legally "track" me by obtaining my cell phone location records from my wireless phone company? I've heard that almost anyone can walk in and ask (demand?) to see anyone's cell phone records and get them. Is this really true?
JD: The lawyer may be able to subpoena your records, but it is not really true that anyone can walk in and ask or demand to see anyone else's phone records. (I assume your husband is not the subscriber on your cell phone.) In the past, phone companies were susceptible to "pretexting," in which someone would call the phone company, pretending to be you, and sweet-talk the phone company representative into disclosing your records. As a result of some new rules adopted by the Federal Communications Commission in 2007, the phone companies have had to tighten their procedures. Abuses, of course, probably still occur. You might want to ask your cell phone company if they have disclosed your records to anyone recently.
Q: Wouldn't beefing up the protections in ECPA hurt law enforcement's efforts to keep crime under control? Isn't this reform really painting law enforcement into a tighter corner?
JD: We are being very careful to preserve all of the building blocks of criminal (and national security) investigations. We definitely do not want to paint the government into a tighter corner. We are focusing on new techniques and categories of information that were never available to the government before, and for those, we are seeking to establish traditional limits, not new limits. True, the traditional rules do constrain the government, but that is the American way. Back in 1967, when the Supreme Court said for the first time that a warrant was required for wiretapping, it noted, "This is no formality that we require today, but a fundamental rule that has long been recognized as basic to the privacy of every home in America."