Great ECPA expectations
When the Electronic Communications Privacy Act first was passed back in 1986, lawmakers mostly didn’t even imagine that email might play a central role in American life. Scarcely anyone in 1986—whether inside or outside of Congress—foresaw a day when we’d use the internet to help us find our misplaced phones and watches.
The digital landscape for Americans has vastly changed over the last three decades, but the central law spelling out when government needs to get a warrant to capture electronic communications has not. Because the internet is central to most of our lives, and because the potential scope of government intrusion on our lives has thus become vastly greater, it’s high time (or, really, past time) for Congress to update ECPA. That’s why we are pleased to see today’s introduction of the ECPA Modernization Act of 2017 by Sens. Mike Lee, R-Utah, and Patrick Leahy, D-Vt.
Congress is now poised to update the law in ways that reflect how pervasively we use digital communications and tools (computers, phones, watches, fitness trackers, and many other devices) in our everyday lives. The act aims to fix some serious flaws in the older law. The ECPA Modernization Act is not just about the content of digital communications; it’s also about the geolocation features (and other non-email, non-messaging features) that internet services increasingly offer us.
That’s not to say that the ECPA Modernization Act is perfect. It is a fundamental principle of liberal democracy that there should be limits on what government can grab from your digital world. These limits are essential to understanding the Fourth Amendment in the 21st century. Even as we see progress toward updating digital-privacy laws, it’s essential to point out that plenty of issues, such as the gathering and analysis of metadata, still need to be revisited and more thoroughly reviewed from a pro-privacy standpoint. (I’ve written about the underlying problems with ECPA’s inadequate protections for metadata here.)
And as Chris Calabrese of the Center for Democracy and Technology testified in 2015, the last time the Senate considered updating ECPA, the consequence of failing to update this creaky 1980s statute has been ambiguity and inconsistency. Is a Google Doc subject to the law if you’re only using Google Docs to store a document for later editing? Or, if it isn’t, does it become subject to ECPA provisions when you share the document for others to edit? Inquiring minds wanted to know.
This latest ECPA-revision language takes steps toward addressing both my concerns about metadata and Calabrese’s concerns about ambiguity. It adds warrant requirements for information stored in the cloud and for location information, as well as adding new limits on metadata collection. The ECPA Modernization Act may not be perfect (and what legislation is, really?), but it’s a good start, and it ought to serve as a good reminder that we shouldn’t wait another three decades—or even another three years—before we take another comprehensive look at how our individual privacy, and Fourth-Amendment-based limits on government snooping on citizens, should be updated for our fast-evolving digital landscape.
Image by Maksim Kabakou