Privacy protection hole of 29-year-old law is hard to measure

U.S. technology companies and digital-rights groups are working to update a 1986 law they argue doesn’t adequately protect the privacy of consumers’ electronic documents.

The Electronic Communications Privacy Act allows law enforcement agencies to seek access to electronic documents stored for more than 180 days without obtaining a court-issued warrant. It does not, however, require companies to give the agencies access without a warrant.

Twenty-nine years ago, when the ECPA passed, electronic storage was prohibitively expensive for most people; lawmakers considered documents stored electronically for longer than 180 days abandoned by their owners. But through many free or inexpensive services, people today stash and frequently access all kinds of personal documents in digital file cabinets.

In response to government surveillance concerns in recent years, several large Web-based companies and Internet service providers—Apple, AT&T, Comcast, Facebook, Google, Microsoft, and Verizon among them—have opposed subpoenas and begun requiring warrants.

But it’s anyone’s guess how many smaller companies lacking their legal resources are readily cooperating with police and prosecutors’ warrantless subpoenas for customers’ cloud-archived e-mails, text messages, voice messages, and private documents.

“The police are going to show up with a subpoena, and [small companies] going to turn over all of that information.” — Chris Calabrese, senior policy director, Center for Democracy and Technology

“We think it’s outstanding that several major Internet companies believe that their users deserve warrant protection from the government,” says Chris Calabrese, senior policy director at the Center for Democracy and Technology. The tech titans’ rejection of warrantless subpoenas for access to older communications—along with a 2010 U.S. Court of Appeals ruling requiring warrants for newer communications—gives consumers some privacy protections.

But there are tens of thousands of Internet companies, cloud providers, and mobile-app makers that “aren’t as steeped in the law,” he says. Small companies don’t necessarily have “lawyers to help sort out the law. The police are going to show up with a subpoena, and they’re going to turn over all of that information.”

No group appears to know how often law enforcement agencies across the country seek to exploit the ECPA’s so-called protection gap.

The Administrative Office of the United States Courts publishes an annual report detailing the number of delayed-notice search warrants, or sneak-and-peek search warrants, for which law enforcement agencies apply in federal courts, but the report doesn’t categorize the type of information sought. And the number of small companies receiving and complying with subpoenas is hard to measure, advocates for ECPA reform say.

“ECPA reform legislation “poses significant risks to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct.” — Andrew Ceresney, director, enforcement division, U.S. Securities and Exchange Commission

Since early 2010, a diverse group of companies and organizations have called for warrant protections for older stored documents, including e-mails and text messages, saying they’re covered by the Fourth Amendment.

“Technology changes, but the Constitution should not,” the Digital Fourth coalition’s website says.

Hundreds of lawmakers have also voiced support for two ECPA reform bills. But federal agencies such as the Internal Revenue Service and the Securities and Exchange Commission have fought changes, arguing that the bills would diminish their power to issue investigative subpoenas.

ECPA reform legislation “poses significant risks to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct,” Andrew Ceresney, the director of the SEC’s Division of Enforcement, told lawmakers in September.

Changes to ECPA are still a priority, says Nate Wessler, staff attorney with the Speech, Privacy, and Technology Project at the American Civil Liberties Union.

“The public shouldn’t have to rely on the goodwill of these [large] companies to provide legal protection,” he says. “Any of them could abandon or suspend their policies at any time, and it is unclear how vigorously many of these companies would defend their policies, if pressed.”

Opposing a subpoena takes “significant resources,” Wessler says. “In our justice system, courts and Congress need to provide protections against violations of our rights; we shouldn’t have to count on private companies to fill the gap left by technology outpacing the law.”