The Fine Print in the Government's Privacy Policy
How technology and misguided legal reasoning have made your life an open e-book
In 1986 The American Banker defined E-mail as "a trademark of CompuServe," Computerworld noted that sending a single message required a 10-minute phone call, and InfoWorld described "a pilot scheme that will allow users of one system to send messages to mailbox holders on another." That was the year Congress enacted the Electronic Communications Privacy Act (ECPA), so it is hardly surprising that the once forward-looking law seems antiquated today.
In fact, ECPA is so out of date that it has left us vulnerable to government snooping in ways most Americans do not appreciate. With the Senate Judiciary Committee considering possible fixes this week, now is a good time to reflect on how technological advances and misguided legal reasoning have eroded the Fourth Amendment guarantee against unreasonable searches of our "papers and effects," which nowadays take forms the Framers could not have anticipated.
Computerworld described ECPA as a law regulating "the interception of data communications, such as electronic mail and bulk data transfers, during transmission and while stored in a computer." According to a Senate report, the legislation was supposed to strike "a fair balance between the privacy expectations of American citizens and the legitimate needs of law enforcement agencies."
Since ordinary paper mail and telephone calls have long enjoyed Fourth Amendment protection, you might think such a law would be unnecessary. But a series of Supreme Court decisions dealing with information held by third parties, including tax, bank, and phone records, had left the constitutional status of email highly uncertain.
As a 1976 decision put it, "This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed." This logic suggests we have no constitutional right to privacy in the personal data we routinely exchange and store via the Internet; hence the need for a statute like ECPA.
But the law, written during a time of dial-up connections and expensive data storage, draws distinctions that no longer make sense now that people are online all the time and commonly keep years of messages, photos, contacts, calendars, and word processing files on servers located hundreds of miles away. Under ECPA, for instance, law enforcement agencies must obtain a judicial warrant based on probable cause to read unopened, remotely stored email that is up to six months old. But they can look at email that has been opened or retained more than six months (i.e., anything important) simply by claiming it is "relevant and material to an ongoing criminal investigation."
As George Washington law professor Orin Kerr observes, ECPA "offers surprisingly low privacy protections when the government seeks to compel contents other than unretrieved communications held pending transmission for 180 days or less." In fact, depending on how the statute is interpreted, information stored online through services such as Gmail and Facebook, including a great deal of sensitive material that people do not intend to share with the world, may not be protected at all.
The law is also hazy on the question of whether police need a warrant, a court order, a subpoena, or simply a whim to obtain geolocation data showing everywhere you and your cellphone have been. While the Supreme Court ruled in January that police need a warrant to track a suspect by attaching a GPS device to his car, it left unresolved the constitutionality of surveillance that does not require a physical trespass, as Justice Sonia Sotomayor noted in a concurring opinion.
Sotomayor suggested "it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties." Without such a reconsideration, more and more of what you thought was your private business will become an open e-book.
