by Susan Freiwald, Professor of Law, University of San Francisco School of Law
*This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).
As eyes focus on the Microsoft appeal, people are asking why the Electronic Communications Privacy Act (ECPA) fails to resolve more clearly the questions presented. Anyone with a passing familiarity with ECPA could guess the answer: ECPA’s provisions, most of which are nearly 30 years old, are incomplete, ambiguous, and in dire need of amendment. Hence the calls to Congress to pass the LEADS Act (S. 512, H.R. 1174). But those bills, and other ECPA reform bills getting traction in Congress, leave uncovered gaping holes in the law. Only the California Electronic Communications Privacy Act (CalECPA, SB 178), which is up for its final vote in California today, would bring the needed coverage and clarity to protect modern electronic privacy rights. CalECPA applies in California to state and local entities, but it provides a blueprint for comprehensive federal reform.
At the federal level, ECPA fails adequately to protect our most personal information: the communications, movements, documents and online activities that we store on our cell phones and share with our service providers. Though it should, ECPA does not clearly require a warrant for the location data generated when we use our cell phones to make and receive calls or texts and access the internet, even though, in one recent Fourth Circuit case, United States v. Graham, agents obtained well over 100 location data points per day from the subject’s provider. Other recent cases have been all over the map on whether and when a warrant is required. CalECPA takes its cue from the Supreme Court, which recently recognized the intrusiveness of location data acquisition in Riley v. California and United States v. Jones. CalECPA requires a warrant for access to any location data (with appropriate exceptions for emergencies in any case where it requires a warrant).
ECPA currently provides anemic protections for so-called metadata, which means that it is much easier for law enforcement agents to acquire information that is not “content.” We know all too well that whom we contact and how often we contact them reveals much about our personal lives and deeply implicates not just our privacy rights but our right to speak and associate freely. And ECPA does not clearly require a warrant for all the revealing information we provide when we use the internet (search terms, browsing history, etc.) that seem to fall out of traditional “content” definitions. CalECPA rejects the need to make such distinctions; its warrant requirement applies to everything but such basic information as: name, address, contact information, etc.
As for the content of electronic communications (what we say in our emails, for example), CalECPA fixes the confusing and outdated current scheme under which ECPA limits its warrant protection for emails based on how long the email has been stored, the type of provider that stores it, and even whether the email has been read or accessed. CalECPA requires a warrant whenever law enforcement accesses electronic communications content, and also protects information about the sender, recipients, format, location, and time of communications. That comprehensive coverage reflects the latest federal law developments (United States v. Warshak required a warrant for all stored email), as well as the greater coverage that the California constitution provides. Decades ago, the California Supreme Court found reasonable expectations of privacy were intruded upon by the collection of information sufficient to furnish a person’s “virtual current biography.” Though California rejected the third party precedents of the 1970s at the time, recent cases like Riley and Jones case suggest that the Supreme Court may be coming around to California’s view.
By requiring law enforcement agents to obtain a warrant to collect electronic communications content, the LEADs Acts and the other two federal bills getting the most traction in Congress (The ECPA Amendments Act, S.356 and the Email Privacy Act, H.R. 1852) effectively codify the Warshak case. But they fail to extend the warrant requirement to location data or metadata, as CalECPA would. They fail to codify Riley, by requiring a warrant for access to information gathered directly from a device, as CalECPA would. Other bills addressing location data have retained weaker protection for stored data, an approach that the Fourth Circuit recently rejected when it required a warrant for historical location data in United States v. Graham. As the court explained, CalECPA codifies, “A person’s expectation of privacy in information about where she has been is no less reasonable, or less deserving of respect, that that regarding where she is or where she is going.” As I have explained elsewhere, treating historical location data as less private than real time or prospective data provides incentives to agents to end-run the warrant requirement.
A huge coalition of large tech companies, industry groups and civil social groups support the passage of CalECPA. So far, 37 experts in internet law, privacy and criminal procedure have signed a letter in support. Critically, major law enforcement groups have pledged neutrality or even support the bill after considerable negotiations and meaningful amendments to the bill. Two of California’s major newspapers, the Sacramento Bee and the Los Angeles Times, have recently published editorials urging its prompt enactment. If its passes the Assembly today, CalECPA could be on the Governor’s desk for signature by the end of this week. ECPA reform may well be here soon, but, if all goes well, it will be California that will show us how to do it on the national level.