Our Vanishing Rights: Time To Update Outdated Email Privacy Law

Blog Post
Sept. 18, 2013

Recent revelations have given us a peek at how the NSA can access our digital communications and brought privacy issues to the forefront of public discussion and debate. But what about other government entities? What determines whether or not agents at places like the Department of Justice (DOJ), law enforcement groups, and other agencies can access our email, our photos, our documents, and everything else we’ve stored in the “cloud”?

The answer goes back to 1986, when Congress passed the Electronic Communications Privacy Act (ECPA), which specifies why, when, and how government entities can access stored electronic and digital communications (including email and cell phone information). Under ECPA, government entities can demand access to stored communications and location data without a warrant. As far as cloud computing goes, ECPA allows government entities to contact the provider directly without notifying the owner of the stored data.

As the Center for Democracy and Technology points out, there have been enormous technological changes since ECPA was passed. For example, more and more data is stored in the cloud rather than on personal computing devices. We may not draw distinctions between storing something on our laptops and using Google Docs, but ECPA does: the former is protected by warrant requirements, whereas data stored on remote servers is not. ECPA’s distinctions may have made sense in 1986, but these rules hinge on factors that are no longer relevant in 2013. As a case in point, email that has been opened is treated differently from unopened email, and email stored on a server for less than 180 days is treated differently from email stored for more than 180 days. The DOJ considers the latter to be "abandoned" by users, allowing it to be accessed without a search warrant. Companies that offer cloud storage services (Google, Dropbox, Tumblr, etc.) are often frustrated by the gaps and ambiguities embedded in ECPA: not only does it affect how these companies handle customer data, but it also affects how proprietary and internal corporate information can or should be stored.

OTI has joined the Digital Due Process coalition in advocating for ECPA reform that clarifies the law and strengthens privacy protections for users. OTI supports the coalition’s main recommendations for reform, which include requiring a warrant based on probable cause in order for government entities to access all stored communications, mobile communications, and phone/email metadata. Furthermore, the Digital Due Process coalition recommends that all mass requests for information go through the judicial approval process. OTI is also excited to be part of a newly updated resource, VanishingRights.com, which offers information on ECPA reform and allows constituents to contact their Congressional representatives directly.

As more and more aspects of our lives move online, we must make sure that Fourth Amendment protections don’t become a thing of the past. Creating a clear set of rules that reflect the current technological landscape helps a range of stakeholders. It enables law enforcement to do its job while respecting the Fourth Amendment, helps service providers respond to government requests for data while protecting users, and allows users to engage online without fear that their information will be accessed without adequate legal justification and due process.