by Mark M. Jaycox, Legislative Analyst, Electronic Frontier Foundation
The Electronic Communications Privacy Act (ECPA), which governs when service providers may disclose private online messages like Twitter direct messages, was ahead of its time in 1986. In the nearly three decades since it passed however, it has fallen woefully out of date. The government has used one archaic section to skirt the Fourth Amendment’s warrant requirement and obtain online messages older than 180 days with a simple subpoena based on much less than probable cause. Courts are leading the charge to ensure ECPA doesn't violate the Fourth Amendment, but Congress must step to the plate and make common sense changes to ECPA by explicitly requiring a warrant before the government can access your private online messages or your mobile phone location data.
Just because your emails are stored online must not mean they have any less protection than if they were printed out and sitting on your desk. The Fourth Amendment's warrant requirement can not be ignored. The archaic law is an example of a typical statute that isn't "technology neutral." Nowadays people store emails and other private messages they care about most for extended periods of time online.
The statute is also out of date regarding how law enforcement can obtain location data from your mobile phone. ECPA does not specifically say when geolocation can be obtained by law enforcement, so many law enforcement agencies don't currently obtain a warrant when they want your mobile location in the past or present. It's another example of how flaws in ECPA have been abused by the government to skirt the Fourth Amendment’s protections.
In both instances, Courts are leading the charge to ensure ECPA is in line with Fourth Amendment requirements. In a U.S. Court of Appeals for the Sixth Circuit opinion called U.S. v. Warshak, the Court noted that emails and other private communications are protected by the Fourth Amendment. As a result, many Internet providers and other companies storing online communications require a warrant in all cases, despite any language in ECPA to the contrary. When it comes to issuing a warrant for geolocation, a circuit split exists between the U.S. Court of Appeals for the Third Circuit, which ruled that a warrant could be required for location information, and the U.S. Court of Appeals for the Fifth Circuit, which ruled that an order based on a lower threshold suffices. At the state level, courts in New Jersey and Massachusetts have firmly sided on ensuring law enforcement obtains a warrant, while states like Utah, Indiana and Montana passed laws requiring a warrant for geolocation.
Congress is only now beginning to catch up with the judiciary. Representatives Kevin Yoder, Tom Graves, and Jared Polis have introduced The Email Privacy Act, which provides a "clean" update to ECPA by requiring law enforcement obtain a warrant before seeking any online private messages. And Senator Ron Wyden and Representative Jason Chaffetz have introduced the GPS Act, which requires law enforcement to obtain a warrant before obtaining geolocation.