Any discussion of U.S. government laws relating to the Internet and programs like PRISM inevitably begin all the way back in 1986 with the passage of the Electronic Communications Privacy Act. Written before the birth of the modern Internet, ECPA is a key law that enables law enforcement to have access to data while protecting the privacy rights of citizens. ECPA is not a scary law that steals people’s Internet freedom. ECPA is simply an outdated attempt to preserve freedom in the digital arena.
What it is:
At its heart, ECPA is an attempt to try to define the scope of the Fourth Amendment (the part of the Bill of Rights which guards against unreasonable search and seizure, along with requiring any warrant to be judicially sanctioned and supported by probable cause) when it comes to digital communication. Over time, both legislation and judicial precedent have told us what is and isn’t unreasonable search and seizure when it comes to law enforcement action at our home, place of business or on a public street, but in 1986, when Congress took up the task of creating ECPA, they were attempting to outline rules for search and seizure of remotely stored digital data.
ECPA outlines the relationship between data storage providers, their customers, and law enforcement. It acknowledges that providers act as custodians and not owners of information in their possession on behalf of their customers and subscribers. It actually serves to limit the ability of providers to voluntarily disclose customer information to the government.
What should concern you:
ECPA has a series of exceptions written into it which allow law enforcement to gain access to digital information without a warrant. The most notorious exception within ECPA is the “180 day” rule for email, actually written into a chapter of ECPA entitled the Stored Communications Act (SCA).
Written in an era where storage was expensive and it was assumed no one would leave email sitting on a server indefinitely, ECPA says that if an e-mail has been sitting unopened for more than 180 days, it is considered abandoned and no longer requires a warrant to access.
How we got here:
For the most part, ECPA is an attempt to protect users from unreasonable search and seizure of digital communication. Like most laws that define required levels of adherence to constitutional protections, it ends up both protecting and compromising civil rights – and in particular the 4th amendment. How is that? Because as is generally the case with laws like this, it starts by enforcing a warrant requirement for digital communications – and then it starts adding exceptions to that requirement.
One major exception is for “basic subscriber information.”
ECPA deals with two kinds of information, “basic subscriber information” and various types of “content.” “Basic subscriber information” is the first exception to the warrant requirement. In short, it’s not possible to go to an Internet provider and issue a warrant for content without knowing which providers service the suspect and host the content. To solve this problem there is an exception to the warrant requirement for “basic subscriber information,” whereby law enforcement can find out who an Internet provider’s customer is by simply issuing a subpoena for such information.
Some exceptions to the 4th Amendment protections granted by ECPA, like the “basic subscriber information” exception, make sense. Others, like the “180 day” rule for unread email communications, do not reflect the changes in the way we access and store digital communication in the last 25 years. ECPA lacks privacy protections that reflect the use and structure of the modern Internet.
ECPA reform can be a great tool for more Internet freedom. It enforces fourth amendment protections on the vast majority of content out there and grants more protection from unreasonable search and seizure of digital information than the laws of all but a small handful of nations. But today’s ECPA is old and clearly compromised. It is in need of serious updating to reflect the changes in the Internet of the last 25 years and to prepare for the changes coming in the next 25.
Be sure to check out the rest of our blog series: A Short History of U.S. Internet Regulation.Photo by vaXzine.