ECPA and the Law of Disruption

I write in “The Laws of Disruption” of the risk of unintended consequences that regulators run in legislating emerging technologies. Because the pace of change for these technologies is so much faster than it is for law, the likelihood of defining a legal problem and crafting a solution that will address it is very slim. I give several examples in the book of regulatory actions that quickly become not just obsolete but, worse, wind up having the opposite result to what regulators intended.

An unfortunate example of that problem in the news quite a bit lately is the Electronic Communications Privacy Act or ECPA. (My first published legal scholarship, in 1994, was an article about a provision of ECPA that allowed law enforcement officers to use evidence they came across by accident in the course of an otherwise lawful wiretap, see “Electronic Communications and the Plain View Exception: More ‘Bad Physics.’”)

Passed in 1986, ECPA at the time was a model of smart lawmaking in response to changing technologies. It updated the federal wiretap statute, known as Title III, to take into account the rise of cellular technologies and electronic messages, which didn’t exist when the original law was passed in 1968.

In essence, ECPA brought these new forms of communications under the legal controls of the wiretap law, meaning for example that police could not intercept cell phone transmissions without a warrant, just as under Title III they needed one to intercept wireline calls. Private interception was also made illegal.

A lot has happened since 1986, and unfortunately for the most part ECPA hasn’t kept up. Most significant has been the explosion of new data sources of all varieties, and in particular the now billions (trillions?) of messages sent and received each day by individuals communicating through the Internet. The potential evidence those messages contain for a variety of investigations—criminal, civil, terror-related—has made them an irresistible target for law enforcement as well as civil litigants.

In addition to the sheer volume of new data sources, the other significant change undermining ECPA’s assumptions has been the movement to cloud-based services, particularly for email. In the early days of email (say, 1995), ISPs kept messages on their servers only until the user, through a client email program such as Eudora, downloaded the message to his or her personal computer. Once downloaded, the message was immediately or soon after deleted from the server, if for no other reason than to save storage space.

Storage, however, has gotten cheap, and the potential uses of stored data for a variety of purposes have made it attractive for ISPs and other services (e.g., Google’s Gmail) to retain copies of messages and other user data on a permanent basis.

The drafters of ECPA had great foresight, but they couldn’t have imagined these changes.

Here come the unintended consequences. Under the law, law enforcement agents hoping to get access to your emails as part of an investigation are required to obtain a warrant, just as they would need a warrant to search your home and seize your computer.

But for data stored on a third-party computer—an ISP or other cloud provider—the warrant requirement applies only for “unopened” messages and only for 180 days after receipt. Once the message is opened and 180 days have passed, any stored data can be obtained without a warrant based on the much lower standard of a subpoena.

In some sense, this means that as users move to cloud computing they are inadvertently and unknowingly waiving protections against law enforcement uses of their data. Keep your data only locally on equipment in your home or office, and the police need a warrant to look at or take it. Leave it in the cloud somewhere, and they can get at it without much fuss at all.

This turn of events, the result not of any secret conspiracy so much as the random confluence of technological inventions since 1986, is almost certainly not what the drafters of ECPA had in mind. It is more likely to be just the opposite. For ECPA, like the wiretap law it amended, was intended to give greater protection to communications than what the Fourth Amendment to the U.S. Constitution would otherwise have provided.

For more, see "There's Something About ECPA."
