The ECPA–Its Limitations and Possible Changes to Come
Google recently released their transparency report detailing information regarding government requests for Google users’ data. It contains some interesting information, including Google’s compliance rates. Although Google still complies with most government requests the percentage has declined a little from one year ago.
Most of the requests Google gets are under the Electronic Communications Privacy Act. The ECPA has come under criticism as being outdated. The issue is that the ECPA was written in 1986 when the internet was still in it’s infancy. As Ars Technica reports, the bill sets up a regulatory scheme that was suited to the times – namely, that the government needs a warrant if it wants to see what’s in your hard drive but if it wants to see information stored with a third party like Google it might be able to get access without a warrant as long as the information has been deemed to be abandoned. That is, information that has been stored with a third party for longer than 180 days. This made sense when emails were mainly kept locally on a personal computer and were only stored in a third party server long enough for a user to download them onto their physical hard drives. However, cloud computing has changed the way we access our emails. Now emails are usually kept indefinitely on third party servers that can be accessed from any computer.
The distinction between emails in your hard drive and emails in the cloud is due to the Supreme Court developed third party doctrine. In essence, the third party doctrine says that one cannot expect the same Fourth Amendment protections (such as the search warrant requirement) when you entrust information to a third party. Some have questioned the logical consistency of the third party doctrine in its totality but it is particularly troubling when applied against modern communications technology such as email. Most people treat email conversations in much the same way they would a phone call yet don’t realize they aren’t protected in the same way. Similarly, most people think of emails in the same way as they do a letter stored in a desk drawer yet as it stands right now, one requires a warrant to access it and not the other. In the link above, Greg Nojeim makes a strong argument that the continuation of the third party doctrine would mean forcing people to choose between protections they’ve come to expect with other means of communicating or efficient modern communication.
Luckily, things are starting to change both judicially and legislatively. Some courts and even Supreme Court Justices have shown skepticism to the doctrine. Additionally, The Senate Judiciary Committee voted in November of last year to amend the ECPA. The amendments would extend the same protections afforded information physically stored on your hard drive to all emails (and other documents) whether on the cloud or not. Of course, the amendment still needs to make its way through the Senate and the House. As often happens, the bill could undergo significant changes. For the time being, all one can do is wait and maybe use one of these for sensitive communications.