ACSblog Symposium on ECPA Reform

  • September 8, 2015
    Guest Post

    by Susan Freiwald, Professor of Law, University of San Francisco School of Law

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As eyes focus on the Microsoft appeal, people are asking why the Electronic Communications Privacy Act (ECPA) fails to resolve more clearly the questions presented. Anyone with a passing familiarity with ECPA could guess the answer: ECPA’s provisions, most of which are nearly 30 years old, are incomplete, ambiguous, and in dire need of amendment. Hence the calls to Congress to pass the LEADS Act (S. 512, H.R. 1174). But those bills, and other ECPA reform bills getting traction in Congress, leave uncovered gaping holes in the law. Only the California Electronic Communications Privacy Act (CalECPA, SB 178), which is up for its final vote in California today, would bring the needed coverage and clarity to protect modern electronic privacy rights. CalECPA applies in California to state and local entities, but it provides a blueprint for comprehensive federal reform.

    At the federal level, ECPA fails adequately to protect our most personal information: the communications, movements, documents and online activities that we store on our cell phones and share with our service providers. Though it should, ECPA does not clearly require a warrant for the location data generated when we use our cell phones to make and receive calls or texts and access the internet, even though, in one recent Fourth Circuit case, United States v. Graham, agents obtained well over 100 location data points per day from the subject’s provider.  Other recent cases have been all over the map on whether and when a warrant is required. CalECPA takes its cue from the Supreme Court, which recently recognized the intrusiveness of location data acquisition in Riley v. California and United States v. Jones. CalECPA requires a warrant for access to any location data (with appropriate exceptions for emergencies in any case where it requires a warrant).

  • September 8, 2015
    Guest Post

    by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law; former counsel to the Assistant Attorney General for National Security at the Department of Justice

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA). Daskal’s piece is also cross-posted at Just Security. 

    Tomorrow, the Second Circuit will hear arguments in the almost two-year-old dispute between Microsoft and the government over emails stored extraterritorially. Earlier, I opined (in discussion with Orin Kerr) on the statutory questions raised by the case. The purpose of this post is to focus on the policy issues. And viewed solely from a policy perspective, neither position—Microsoft’s nor the government’s—is satisfying.

    For those unfamiliar with the case, the dispute started in December 2013, when the government served a warrant on Microsoft, compelling the production of certain emails. Microsoft refused to comply, arguing that the emails were stored in Ireland, that the government’s warrant authority does not extend extraterritorially, and that therefore the warrant was invalid.  But so far its fight has been unsuccessful.  Both the magistrate and district court judge sided with the government: Because the data could be accessed and controlled from Microsoft employees operating within the United States, the warrant was territorial, not extraterritorial; it is therefore valid.

    While often described as a “privacy case,” that’s not really what the case is about. The government is, after all, proceeding by a warrant based on a finding of probable cause. No one suggests that compelled production would be a privacy violation if the data were stored in the United States. It does not become a privacy violation simply because the data is stored in Ireland. That said, the case has major privacy implications. The case raises fundamental questions about sovereignty and jurisdiction in an increasingly interconnected world, with key privacy rights—and related free speech and associational rights—turning on the answer to those sovereignty and jurisdictional questions. It reflects a new world order in which State A can compel the production of data located in State B, with neither the government agent nor the company employee querying the data ever leaving State A. And the case poses key questions about who does—and should—control access to the data in such a situation—State A or State B?

  • September 4, 2015
    Guest Post

    by Anupam Chander, Director of the California International Law Center and Professor of Law at the University of California, Davis. He is the author of The Electronic Silk Road: How the Web Binds the World Together in Commerce, published by Yale University Press.

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    My parents grew up in a pen and paper world, where most of their writings and records were kept at home, in their offices, or with close confidantes. I grew up in a world of computers, but even my writings were mostly kept at home on hard drives and floppy disks (for today’s students, many of whom have never seen a floppy disk, a history of the floppy disk). My first writings were kept, astonishingly, on a cassette recorder, which stored what I typed on my TRS-80, a computer made by Radio Shack. That computer had a total memory of 16K, roughly 16,000 characters (not even words) of text.

    My children are growing up in the cloud, where their writings and their records are being stored in remote computers. Because those computers are managed by Dropbox, Google, Microsoft, and their peers, their writings are far more secure than I ever managed when I stored my files on a floppy or a hard drive, both of which failed with remarkable regularity and maximally devastating timing.

    But even if our kids never know the pain of losing a week’s work to faulty computing or an accidental deletion, they face a world where their writings are far more subject to government scrutiny than mine ever were. Not only are their writings subject to government searches, but also their whereabouts, through the tracking of smartphones. This is because while the Fourth Amendment clearly protects homes from searches and seizures without a warrant, it is not so clear that it protects writings and the records about us stored on a remote computer.

    Do our children deserve less protection from government snooping because they are relying on cloud services? Right now, the law says that if the government wants to read what’s on my home computer, it has to get a warrant to do so. But if the government wants to read what our kids are storing privately online, they may not. (For a more detailed account of when the government can access information online without a warrant, see this ProPublica summary, updated as of June 2014, but not including Riley v. California, described below.)

  • September 3, 2015
    Guest Post

    by Greg Nojeim, Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology.

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As more and more data flows across state borders, the ability of law enforcement agencies to access information stored outside their jurisdiction or managed by a foreign company becomes increasingly complex. What country’s laws should apply to data requests? How quickly should access be granted and to whom? Should there be different standards for different countries? Mutual Legal Assistance (MLA) processes have been one way to address these questions.

    MLA processes are those that law enforcement officials in one country trigger in another country to gain access to information over which the 2nd country has jurisdiction.  The information sought may range from witness testimony to communications content and metadata.  For example, if an investigating official in France needs communications content of a Gmail user in France to investigate a crime, she does not make the request directly to Google, but rather approaches a central authority in France which makes a request for mutual legal assistance of the US Department of Justice (DOJ), which can provide that assistance by applying for a warrant to serve on Google to compel disclosure of this information. 

    It is widely perceived that MLA processes are too slow for law enforcement investigations in the digital era and that they are not up to the task of dealing with the volume of cross-border demands for data that law enforcement agencies need to make.  A number of ideas are being put forth to address this problem and its many complexities.  This post is an attempt by the Center for Democracy & Technology (CDT) to spur public debate on one such idea and to solicit input that would inform a solid MLAT reform proposal. 

  • September 2, 2015
    Guest Post

    by Kate Westmoreland, Non-Residential Fellow, The Center for Internet & Society at Stanford Law School

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As internet companies and cloud providers hold more and more communications and user data, access to this information has become a key part of criminal investigations and prosecutions. The current system for managing international access to this data is struggling under the increased demand. Microsoft’s Brad Smith has been vocal in his calls for a new international convention on access to user data for criminal matters. But is a whole new convention really necessary?

    The answer depends on (1) whether the system is actually broken and, if so, (2) whether a new international convention is the right solution. Perhaps I should give a spoiler alert on this, but I think the answer is “yes, but don’t put all your eggs in the one basket.” Ultimately, we should be working towards a new international system for managing government requests for user data, but this is a very long-term, ambitious project. In the meantime, we need to pursue a range of shorter-term improvements at the domestic and international levels.

    There is a growing consensus that the current system for international government access to user data in criminal matters is broken. It is governed by a creaky old system of bilateral and multilateral treaties (mutual legal assistance treaties or “MLATs”), relationships between law enforcement officers and companies, and a mishmash of domestic legislation. A government report last year stated that MLAT requests to the United States take an average of at least 10 months to process. The White House then called for increased funding to process the requests more quickly, but the appropriation has stalled. When law enforcement agencies feel that they cannot access the information through mutual legal assistance, they turn to alternative, informal methods, including directly asking companies to hand over the data.