ECPA: Again, and Again, and Again

This week the Senate Judiciary Committee will work on amendments to the Electronic Communications Privacy Act, commonly referred to as "ECPA."  When passed in 1986 it updated the Omnibus Crime Control and Safe Streets Act of 1968, the first "wiretap" federal law.  This law codified procedures for the rule the Supreme Court established in the landmark Katz v. U.S. case that created a Fourth Amendment privacy right in electronic communications, telephony principally in that day.  In my cheat sheet on different kinds of privacy law outlined in the last couple of previous blogs, this would be type 2 privacy law.  

ECPA updated the 1968 law to include data networking which demonstrated a degree of prescience on the part of Congress because the Internet was not yet public nor would be for some six or seven years.  It does not take a law or a history degree, however, to venture the guess that developments in technology, law, user practices and the market have outdated it significantly.  Indeed, much of the concern that both Democrats and Republicans expressed about the U.S.A.-Patriot Act in 2001 ultimately had more to do with the outmoded aspects of ECPA than the anti-terrorism law, but it is also true that the latter exacerbated the problems of the former.  Let's explore some of the most egregious problems with the law, and then let's look at what has kept fixes to it from occurring.  It is time now to amend it, but getting procedures in line with a principle of ordered liberty will be no small task for Congress.  

For the sake of a brief blog, there are two main existing problems with ECPA: the first is its interminable complications.  Numerous jurists having to interpret the law have commented on this point with considerable exasperation, often with the effect of figuratively throwing up their hands and winging it for a decision … that becomes fodder for more and more appeals and conflict among circuit courts.  Circuit court conflicts usually are a prescription for Supreme Court action, but in this case the Court is too smart to get caught in that morass.  The underlying message is that the Court is waiting for Congress to fix it at least sufficiently to the point of where interpretation is confined to appreciable issues.  As it stands now, serious confusion about rules as they apply to stored or transmitted communications or technical complexity that sets telephony and data networking at different Fourth Amendment angles have kept this law at the Court's arm's length.

The second is this technical complexity concern.  Originally the law attempted to draw a clear Fourth Amendment line differentiating "conversational detail" such as billing information for telephony or network flow logs for data networking.  That line would allow those bills or logs to fall below the threshold for a warrant, and therefore require only a subpoena.  Content triggers action for a warrant, or reasonable belief of criminal activity, a search particularly defined, and judicial sign off. Differences between the technologies foiled the plan, which if those differences were not entirely evident in 1986, they should have become so as data networking, or the TCP/IP protocols, have overtaken telephony.  In short, the kind of information gathered in telephony by and large does not capture content: for example, timed stamped source and destination numbers (900 numbers is a minor exception).  Data networking flow logs do, however, as in the case of email capturing headers, including subject lines, or in Internet browsing the addresses of web sites that can be plugged into browsers to disclose the content of web pages.   When the U.S.A.-Patriot Act lowered the bar by which law enforcement can gather "conversational detail," often with just a letter filed with a clerk, the technological difference blossomed into full relief as a wholesale violation of the Fourth Amendment principle upon which the law rests.     

Off the top of my head, I can think of three major reasons why Congress has not fixed this obviously broken law.  First, political party paralysis is real and has generated substantial gridlock in Congress; that point speaks for itself.  Second, this law defies party politics because this kind of privacy plays on both sides of the aisle, libertarians care about it as much as liberals.  That crafters of a revised bill have to navigate both technically and politically complicated waters would appear to be too much to ask of a Congress that revels in simplistic, Manichaeism distinctions.  Third, the Bush Administration willfully took advantage of the confusion.  Not only did Justice under Bush ignore due process altogether in tracing content of international communications, violating both ECPA and the Foreign Intelligence Surveillance Act, or "FISA," the "secret court" law designed specifically for terrorism, but it played the confusion against communications companies by not educating their lawyers or technologists to limit searches.  Greedily, law enforcement grabbed and/or accepted everything, including content without a warrant. As is often the situation when due process is by-passed, the situation has created a downstream legal crisis.  Telecommunications companies panicked at the thought that they might be sued for collusion with the government and violating consumer privacy and lobbied for immunity, which a hobbled Congress gave them at the expense of personal privacy codified in the original law, and prosecutors who have attempted to use the evidence gathered in this chaotic manner have found worthy cases thrown out of court by judges who are not amused with being asked to bless such obvious Fourth Amendment violations.  

It is beyond the scope of this blog to offer a recommended mark up of the amended bill.  The purpose here is to let you know why it is important that Congress accept this mission, one would like to hope, in this remaining session.  At virtually every point privacy law touches individuals, individual privacy is strained.  That should be reason enough even though it would appear not to be sufficient to move Congress in the last twenty years since the Internet became public.  I will share with you what I think is the straw that will finally break ECPA's back: the market.  Internet companies from Google to Box want it.  Google does not always want to be on the line to define privacy because of the realized potential that implicit power has to backfire in the community of public opinion.  Box, as an example of a cloud company, wants it because they, like every other cloud service, wants government to establish the trust that users will need to fully buy into their business model.  For motivation, at this point, I'll accept whatever it takes to get the party started.  But getting it started does not mean that consumers should relinquish all control over the substance of the revisions.  Pay attention to both what and how this law will be amended, that is, if you care about privacy for yourself and the next generation to come.