This story is over 5 years old.

The Quiet Battle to End Warrantless Email and Cloud Surveillance

For an issue of such critical privacy implications, the ECPA reform push is flying under the radar.
January 15, 2014, 8:15pm

Image via Flickr

Last month, the Center for Democracy and Technology's Mark Stanley launched a We the People petition in support of Electronic Communications Privacy Act reform. Mere days before the deadline, it looked like the petition wouldn't hit the 100k threshhold required to trigger a White House response. With one final push on a national Day of Action, a coalition of internet activists and organizations reached their goal.

Written in 1986, ECPA is an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, otherwise known as the Wiretap Statute. Originally designed to prohibit government intrusion into electronic communications, ECPA allows federal agencies to subpoena 180-day old emails without notifying users. To add insult to injury, there is no judicial or other independent review of these data requests.

While Stanley isn't sure when Obama will comment on ECPA reform, he hopes that the president will address the issue this Friday when he announces his NSA surveillance reform plans. For an issue of such critical privacy implications, the ECPA reform push is flying under the radar, drowned out perhaps by the larger NSA reform debate. Even so, Stanley is optimistic of the chances for reform, even as the Securities & Exchange Commission's blockade attempt continues.

MOTHERBORD: How exactly is ECPA outdated?

Stanley: It is outdated because email and electronic communication storage in 1986 was really different than how it works now. Back then, storage was more cumbersome and expensive. People wouldn't store emails for very long. What we have now is practically unlimited storage with our email providers. In the past, people would download important emails onto their hard drives, then emails would either be deleted or taken off of the email service after 180 days.

If the emails were over 180 days old they were basically considered abandoned, so users no longer had an expectation of privacy for those emails. Obviously, we now store emails for years because of unlimited storage. With ECPA, if an email is over 180 days old it can be accessed without a warrant.

**As I undersand it, many government agencies have access to email through ECPA. In that respect, it's not simply a digital coup for spy agencies. **

Right. ECPA applies to law enforcment and regulatory agencies. When we're talking about law enforcement, it's everyone from the Department of Justice to the FBI, down to state and local law enforcemenet agencies. The regulatory agencies would include the IRS, SEC, and others.

Have there been any legal challenges to ECPA?

Yes, there was a case in the 6th Circuit called United States v. Warshak, which found the law unconstitutional. Unfortunately, the 6th Circuit only contains four states: Michigan, Ohio, Kentucky, and Tennessee. By updating the law, we're trying to get a national standard that warrants are necessary for the content of communications.

Frankly, it's not very controversial that these communications should require warrants. Actually, the Justice Department, which had been the strongest opponent of ECPA reform in the past, is now in support of a warrant update.

**DOJ's reversal make sense. The last thing law enforcement want is a case they've worked hard on getting thrown out of court. **

Exactly. In a lot of cases right now, we're seeing law enforcement actually go over to the warrant standard for email, electronic communications, and documents in the cloud. But, the fact that the law remains as it is leaves a big loophole open for law enforcement to get at emails. We're really trying to close that loophole.

Now, if a person uses an encrypted cloud service, would ECPA allow law enforcement or regulatory agencies to gain access to data through a key?

I really don't know. What the law says right now is that any document stored in the cloud is accessible without a warrant. When we're talking about the cloud as opposed to an email service provider, it actually doesn't matter how long it's been stored. Law enforcement can access any document in the cloud.

What is the SEC's reasoning for blockading reform?

They're the last big hurdle. Basically, what the SEC is saying is that regulatory agencies don't have the power to use warrants the way law enforcement agencies do. The SEC is asking for the ability to go to third parties and subpoena information without the customer ever knowing. They're saying they need to do this to more effectively investigate cases of insider trading. That is one hypothetical.

What most privacy advocates are saying is that they already have ample ability to go directly to the target. They can go directly to you and me and subpoena our emails. As far as the power they have over congress, I think they have enough influence that they've been able to hold up the bill to this point. We're trying to break that logjam. A few senators have been influenced by the SEC's argument, and that has been a hold up.

Which senators?

It's actually kind of hard to say because the senate procedural process is such that this bill was voted out of the Judiciary Committee on a voice vote. As far as taking the next step to move it to the floor, we know that there have been objections, but it's not exactly clear where the objections are coming from.

Well, that's convenient for those senators. What other federal agencies are supporting the SEC?

It's hard to say if other regulatory agencies want this power. But, if the SEC gets this power, then it will open up the door for other regulatory agencies to have this authority. In fact, it would be hard to legislate a scenario where only the SEC has this power.

What happened during the final push to send the ECPA reform to the White House through the We the People petition drive?

We had a Day of Action. We had something like 60+ organizations, everything from advocates to companies and startups, really pushing that week. This helped put us over the edge. And I think that the closer you get to the goal of 100,000, the more people start to pile on to build momentum. There was a lot of work being done that final week.

When do you expect to get a response from the White House?

One thing that we haven't confirmed yet but we're hoping for is that the president will actually mention ECPA reform this Friday in his NSA surveillance reform speech. Obviously, ECPA doesn't pertain directly to the NSA, but it is an important privacy reform that has been before the White House and is being considered by Congress.

Any privacy reform in this country should really include ECPA reform. A lot of attention has been paid to the NSA issue, as it should be. But, it seems to have flown under the radar a bit that there is a law on the books that actually allows dozens of government agencies this warrantless access to our communications. We're looking forward to the speech, and we're hoping that Obama says something.