Email, Cloud, Privacy and the ECPA

Congress passed the Electronic Communications Privacy Act (ECPA) in 1986. This federal law is comprised of three different Acts: the Wiretap Act, amending Title III of the Omnibus Crime Control and Safe Street Act of 1968, the Stored Communication Act (SCA), and the Pen Register Act.

It is now time to reform the ECPA, and this reform is on Congress’ agenda. The House of Representative Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, heard testimonies on September 23 regarding “ECPA Reform and the Revolution in Cloud Computing.”

The Fourth Amendment of the United States Constitution guarantees the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The Supreme Court held in Katz v. United States, that the government cannot eavesdrop on telephone communications held in a place where one has an actual (subjective) expectation of privacy that society is prepared to recognize as reasonable (J.Harlan, concurring).The Court noted that it had emphasized “over and again… that the mandate of the [Fourth] Amendment requires adherence to judicial processes, and that searches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment subject only to a few specifically established and well-delineated exceptions…” Indeed, pursuant to the Fourth Amendment, warrants may only be issued upon probable cause, and must “particularly describe the place to be searched, and the persons or things to be seized.”

In Berger v. New York, the Supreme Court emphasized that “the need for particularity and evidence of reliability in the showing required when judicial authorization of a search is sought is especially great in the case of eavesdropping. By its very nature eavesdropping involves an intrusion on privacy that is broad in scope…”

Enacted after Katz and Berger, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the “Wiretap Act”), as amended in 1986 by the ECPA, defines electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include — (A) any wire or oral communication.”18. U.S.C. §2510(12) Electronic storage is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18. U.S.C. §2510(17)

The ECPA was enacted in 1986 to set a "fair balance between the privacy expectations of American citizens and the legitimate needs of law enforcement agencies." (Senate Report No. 99-541, 99th Cong., 2d Sess. 5 (1986). At this time, only a few Americans had heard about the Internet. Storing data was expensive. In his testimony, Richard Salgado, Google’s Senior Counsel, Law Enforcement and Information Security, noted that it took $650 in 1986 to buy a 10 megabyte hard drive with room to store “about two high resolutions photos”, whereas today it will cost less than $100 to buy a 1.5 terabyte hard drive !

Data was not tucked in a cloud. A Gartner survey showed this month that cloud-computing services represents in 2010 10 percent of spending on external IT services. A Pew Research Center survey revealed in 2008 that 69% of only Americans store data online or use a web-based software application.

New technologies, new privacy challenges. In his testimony, Michael Hintze, Microsoft Associate General Counsel, argued that the ECPA, since having been enacted in to law in 1986, has failed to keep pace with technology. He took the example of the difference made by the ECPA between emails stored for less than 180 days and those stored for more than 180 days, and concluded that this distinction no longer makes any sense.

Indeed, the SCA, as codified at 18. U.S.C. §2703 (a), allows the government to require the disclosure by an electronic communication service provider of the contents of a wire or electronic communication that is in electronic storage in an electronic communications system for 180 days or less, but only if the government first obtains a federal or state court-issued warrant. If the data has been in storage for more than 180 days, the government can require the provider to disclose the data without prior notice to the subscriber or customer if it first obtains a federal or state court-issued warrant. If the government provides prior notice to the subscriber or customer, the government must still obtain (i) an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or (ii) obtain a court order for such disclosure. 18. U.S.C. §2703 (b)

Therefore the ECPA provides more protection for emails stored for less than 180 days, than for emails stored for more than 180 days. That made sense in 1986, when storing data was extremely costly, but we are now living in a world where some of us keep emails for months, sometime years, tucked in the cloud. Should the privacy of these emails be less protected than when they were first arrived in our mailboxes?
The first version of Microsoft Exchange was released in 1996. The user was able to download emails from a server to a local machine. One could then conceive that an email which had not been downloaded after 180 days had been abandoned by the recipient, and thus had no expectation of privacy in the message. However, Hotmail, offered for the first time in 1997, stored emails in the cloud. The cloud retained the message even after its intended recipient had read it. Yet, data storing capacity was still limited in 1997, but it is no longer the case. Mr. Hintze concludes that users reasonably expect their data to be as private on day 181 as it is on day 179. It is hard to disagree with that statement.

A coalition of companies and non-profit organizations, the Digital Due Process Coalition, has also been advocating SCA reform. Members of the coalition include among others, the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, Google, Microsoft, IBM, and AT&T.

The coalition recommends the Act to be reformed so that the government could only require electronic communications providers to give it access to the non-public content of communications if producing a search warrant based on probable cause, and this “regardless of the age of the communication, the means or status of its storage or the provider’s access to or use of the content in its business operations.” (see p. 5 of Becky Burr, ECPA: PRINCIPLES FOR REFORM)

We need a new Katz!

Bruce Schneir writes: « Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. If the police want to read the e-mail on your computer, they need a warrant; but they don't need one to read it from the backup tapes at your ISP” and that “just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant -- even though it occurred at the phone company switching office and not in the target's home or office -- the Supreme Court must recognize that reading personal e-mail at an ISP is no different.”

The Supreme Court would then reconciliate somehow these two famous statements: the Fourth amendment protects people, not place” (Katz v. United States), but “ the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” (US v. Miller).

In US v. Miller, the respondent, relying on Katz, claimed that he had a Fourth Amendment interest in the records kept by his banks because they were merely copies of personal records that were made available to the banks for a limited purpose and in which he has a reasonable expectation of privacy. The Supreme Court argued that the Katz Court had stressed that "[w]hat a person knowingly exposes to the public . . . is not a subject of Fourth Amendment protection."

So we have these concepts, "copies", "limited purposes", "exposing knowingly to the public"…
In Miller, the Court noted that “checks are not confidential communications but negotiable instruments to be used in commercial transactions.” But our data, even though they are becoming a commercial commodity more and more every day, may be still confidential, if we treat them that way.

Our email could be considered copies of a confidential message sent to us, made available to our ISP for the limited purpose of storing it so we can access it later and read it on our private computer. We would then be in charge of storing that private message, in our own hard drive., protected by the Fourth Amendment. Well, what if we use web mail, what if our company is cloud computing? Should users of Outlook be more protected than the ones using, say Gmail?