ECPA reform: The 1986 email privacy law might finally get updated.

An Ancient Email Privacy Law Might Finally Be Updated. Congress Needs to Get It Right.

The citizen’s guide to the future.
Sept. 14 2015 2:50 PM
FROM SLATE, NEW AMERICA, AND ASU

Our Inboxes, Ourselves

An ancient email privacy law might finally be updated. Congress needs to get it right.

Justice Louis Brandeis, pictured circa 1916, would leave you and your email alone.

Photo courtesy National Archives

A federal law protects some of your email from government snooping without a warrant. But it doesn’t protect your email if it’s been left on a server for too long, and, worse, it doesn’t protect your metadata—information that can get you arrested and prosecuted, that can reveal intimate secrets about you, and that would expose the entire network of people you talk to. On Wednesday the Senate Judiciary Committee is set to address the first problem, but reform efforts in both houses of Congress have largely passed over the second issue. In dodging the problem of metadata, legislators have missed the forest for the twigs.

The lawmakers who want to update the Electronic Communications Privacy Act of 1986 mean well, and it’s significant that they recognize that in 2015, email stored long-term on a server is just as deserving of Fourth Amendment protections as letters locked away for years in a drawer. But the scope of what government will still be able to glean from our mail without a warrant is far broader nowadays than it ever was in the pre-Internet era.

That’s why, if federal legislators truly want to bring the ECPA up to date, they shouldn’t stop with updating a statute that was flawed even at its passage in 1986. Instead, they should revisit the ECPA’s constitutional roots in a 1967 Supreme Court case. In that case the court, in a moment of prescience, truly grasped how invasive and sweeping government intrusion on American citizens could be. That’s true even though the case involved, somewhat quaintly by today’s standards, a public phone booth.

The Supreme Court decided in Katz v. United States that an eavesdropping device planted by the FBI in a phone booth, without any authorization by a judge, violated a defendant's Fourth Amendment rights. The 7–1 decision overturned a nearly 40-year-old precedent in 1928’s Olmstead v. United States, which held that a telephone wiretap was not a “search or seizure” under the Fourth Amendment. As the majority wrote in Olmstead:

There was no searching. There was no seizure. The evidence was secured by the use of the sense of hearing and that only. There was no entry of the houses or offices of the defendants.

Olmstead is remembered today mostly for Justice Louis Brandeis’ memorable dissent, in which he described the founders as having

conferred, as against the government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

By 1967 most of the court had come to agree with Brandeis. Writing the majority opinion in Katz, Justice Potter Stewart invoked Brandeis’ 1890 article “The Right to Privacy” in a footnote and further elaborated on Brandeis’ principle with this passage:

For the Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. ... But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.

That was a broad statement of Fourth Amendment theory in 1967, but it resonates even more strongly today, despite efforts by later courts to narrow Fourth Amendment protection to whether an individual has a “reasonable expectation of privacy” to things like phone call records. (These days we call such information metadata.) Internet service providers and others typically capture much more information about you than simply what phone number you’ve dialed.

The majority opinion in Katz led Congress the next year to pass Title III of the Omnibus Safe Streets and Crime Control Act. Better known as the federal Wiretap Statute, the law limits interceptions of telephone conversations in one’s home or office, but also prohibits recording private conversations one might have elsewhere, even when one is not on the phone. (Many pre-Katz cases involved bugging hotel rooms and other places we still consider private in 2015; unsurprisingly, relatively few wiretap cases center on phone booths these days.)

There have been efforts over time to narrow the power of the Katz majority opinion (“people, not places”). In a 5–3 decision in 1979, the court’s majority determined a “reasonable expectation of privacy” is the right standard to apply when government sets out to capture information about our electronic communications. Under this standard, phone numbers and other call-record information that service providers capture and keep are not regarded as the sorts of things about which one would have a “reasonable expectation of privacy.” The only real protection you arguably do have under the law is to the content of your communications.

Even with regard to content, there are wrinkles in the law. The original version of the ECPA expanded and amended the wiretap statute and sits right next to the wiretap laws in the U.S. Code. It tried to shade distinctions among “electronic communications” based on the kind of privacy you might reasonably expect if, for example, you left your email on a company’s servers for longer than 180 days. Congress in 1986 was thinking more about MCI Mail than about Gmail, and legislators hadn’t yet given any attention to the cloud services that companies like Yahoo, Google, Facebook, and Amazon would later offer. (A lot of us keep a lot of our email around on these services for much longer than 180 days.)

The U.S. government consistently has taken the position that metadata deserves less protection than content itself does. The problem, as any privacy expert can tell you, is that metadata may in fact reveal just as much about you as the content of your calls, emails, or Web postings. Internet security expert Susan Landau argues that, in fact, metadata is generally more revealing. As Landau told the New Yorker in 2013, when the government can easily capture and track “who you call, and who they call … you know exactly what is happening—you don’t need the content.”

Landau uses the example of when a call to a gynecologist is followed by a call to an oncologist and then calls to family members. The entity with the metadata may actually have more information about what you’re thinking and feeling than any of your family members may have. This kind of information is also useful for identifying political associations among individuals that many post–surveillance-state governments have severely restricted or banned from routine collection.

The government, including prominent supporters of the National Security Agency, agrees with Landau. Former NSA General Counsel Stewart Baker says that “metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content.” Gen. Michael Hayden, former director of both the NSA and the CIA, puts it more bluntly: “We kill people based on metadata.”

The fact is, real public dialogue about the degree to which our communications deserve protection from government snooping hasn’t yet happened. The best ECPA reform proposal currently before Congress—S. 356, the Lee-Leahy ECPA Amendments Act—would require warrants for content disclosure and would rationalize and simplify the ECPA’s various provisions for how this is done. But despite its virtues, the bill is not aimed at metadata at all.

Another ECPA reform bill—Sen. Orrin Hatch’s Law Enforcement Access to Data Stored Abroad Act, or LEADS Act—is more problematic than the Lee-Leahy bill.* The LEADS Act sets conditions under which companies have to disclose user information, including content, but those conditions raise difficult questions. Notably, the act bases its compliance obligations on whether the user is a U.S. citizen and whether, by producing information that resides on a foreign server, a company might be violating a foreign country’s privacy laws.

The author and sponsors of the LEADS Act mean well—the law would address a particular legal problem with which Microsoft has been wrangling—but Internet companies like Google, Yahoo, and Facebook argue that the LEADS Act creates incentives both to track users’ citizenship and to track the geographic location of user information at all times.

Is there a better way to protect electronic communications? The recent passage of CalECPA, a state bill that includes both improved content protection and improved metadata protection, is a positive sign. The California bill was passed by both houses of the state Legislature, with bipartisan support and no opposition from the state law enforcement lobby. CalECPA now awaits Gov. Jerry Brown’s signature.

Regardless of how the governor decides to handle the bill, CalECPA offers a stronger, better, more consistent, and more complete model for federal ECPA reform than any of the bills in Congress. With the Senate moving forward in discussing the ECPA, we need to tell our legislators that better content protections, while necessary, are not sufficient. We need to remind Congress to renew its support for a Fourth Amendment that protects people, not places, and that embraces Brandeis’ right to be let alone.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

*Correction, Sept. 14, 2015: This article originally misspelled Sen. Orrin Hatch’s first name.