
When you consider e-mail communication, mobile phone use, and online activities, how much of your life did you live digitally in the 1980s? And how much today? As daily activities become more digital, from communicating with clients and friends online to using GPS-enabled phones, obsolete electronic privacy law increasingly exposes personal information.
The Electronic Communications Privacy Act (ECPA) is the federal law that is supposed to protect the privacy of electronic communications and personal information from inappropriate government or third party demands. But ECPA was enacted in 1986 and has never been revised to be compatible with the digital world we live in today. As a result, legal protection for Internet search history, e-mail, documents stored online, digital book purchase records, and mobile phone GPS location data is based on laws that were written before most of those technologies even existed.
Inadequate legal standards create difficulties for Internet users and businesses alike. Unclear laws and consumer concern over privacy of personal data can threaten business innovation. A coalition of privacy advocates and businesses - from the American Civil Liberties Union to Google and AT&T - has formed to urge Congress to update electronic privacy law to provide clear rules and better protection for electronic data. In late March, U.S. Senator Patrick Leahy agreed that "our federal electronic privacy laws are woefully outdated" and members of Congress pledged to review current law.
ECPA contains distinctions that make little sense today, resulting in confusing rules and minimal privacy protection. For example, ECPA distinguishes between "electronic communication service" providers and "remote computing service" providers, and different legal protection applies to data handled by each.
E-mail exemplifies how online services no longer easily fit into the provider categories that made sense in 1986. It used to be the case that e-mail sent through an e-mail service provider was generally downloaded locally upon receipt and immediately deleted from the e-mail provider's storage. Today, however, e-mail is often both stored on and accessed from remote servers belonging to the e-mail provider, and many people never bother to delete many emails, documents, messages or photos stored in digital form. Under the current ECPA standards, when an e-mail sits unopened, a warrant is required to access it for 180 days. Once the e-mail is opened or after 180 days, only a subpoena may be required. Basing legal protection on how long an e-mail has been stored or whether it has been opened is incongruous with current e-mail use.
In addition, ECPA provides more legal protection to the "content" of communication (the body of an e-mail or contents of a letter or phone conversation) and less to "transactional" information. Transactional information has historically been customer record information, like phone records or the outside envelope of a letter.
The digital world, however, blurs the line between content and transactional data. Internet search terms, browser history, e-mail subject lines and location information do not fit neatly into either category and can reveal sensitive data like political and religious affiliations. Most people consider such information to be private. The law should match these expectations and require a warrant for disclosure.
Not only are some of ECPA's distinctions outdated, but the law also did not anticipate today's technology. Consequently legal protections are ambiguous for some of the technologies most commonly used today, such as location information gleaned from mobile phones.
GPS receivers became ubiquitous in mobile phones to allow emergency services to determine the physical location of 911 callers. An unintended consequence is that our phones have become tracking devices that we carry with us everywhere we go. Mobile providers can access our physical locations in real time, and often maintain historical location records. The legal standards for access to these records are currently being litigated. In the meantime, these sensitive records are demanded regularly in government investigations and civil litigation. A Sprint employee recently admitted that Sprint received a staggering eight million requests for mobile phone location information from law enforcement in just over a year. Access to this highly personal location data should require a probable cause warrant.
Revising ECPA is not only necessary to preserve individual privacy, but also to maintain a positive climate for innovation. Microsoft recently announced that its future lies in online cloud computing services. But its own poll found that more than 90 percent of the general population is "concerned about the security, access, and privacy of personal data" stored online. In January, Microsoft explicitly asked Congress for better online privacy protection to be able to fully realize the business potential of cloud computing.
Responding to government and third-party litigant demands for private information is also expensive for companies, and confusing laws mean that businesses are under threat of litigation if they hand over information improperly. In a 2009 workers' compensation case, Facebook refused to provide user data pursuant to a subpoena, arguing that federal law prohibited it from doing so. The request was withdrawn, but Facebook's General Counsel has stated publicly that he wants clearer rules to clarify the company's legal responsibilities.
So how do we modernize the ECPA?
All electronic data should be strongly protected from unnecessary government intrusion by requiring a warrant. Personal documents and information are increasingly stored online, and if the government can demand them with a mere subpoena, it has easy access to our most personal beliefs and habits in a way it did not a few decades ago. It is a cornerstone of American law that if the government is to intrude on the lives of citizens in this way, it must show probable cause subject to judicial review, a check that protects American freedoms while still giving law enforcement tools to protect citizens.
Legal protection for current and historical location information should be written into the law. Mobile phones shouldn't be used as personal tracking devices without a warrant or even the owner's knowledge.
A suppression remedy must be added to ECPA, just as evidence obtained by an illegal search or seizure can be suppressed. If illegally obtained evidence can be used at trial, overzealous law enforcement is incentivized to ignore the law.
An ECPA update should include a reporting requirement to make public how often personal information is requested and handed over, and at what cost to taxpayers, similar to the Wiretap Report that already publicizes wiretap requests and orders. Neither law enforcement nor most Internet companies - like Google and Yahoo! - make this data public. Policymakers and technology users cannot make fully informed decisions without this information.
Outdated electronic privacy law impacts everyone who uses e-mail, mobile phones, or the Internet. Without a clearer law with stronger protections, greater transparency, and safeguards to suppress illegally acquired information, we are all at much greater risk of government and third party intrusion into our private lives than was the case in 1986. We must revise federal electronic privacy law so that we do not have to choose between new technologies and privacy.
Tamar Gubins is a Technology and Civil Liberties Policy Associate at the ACLU of Northern California working on the Demand Your dotRights campaign, and a Goodwin Procter "Make a Difference" Fellow. Visit www.dotrights.org for more information.

