The Need for ECPA Reform

April 10, 2014
Guest Post
by Christopher Wolf, Director, Privacy and Information Management Practice Group, Hogan Lovells LLP; Founder and Co-Chair, Future of Privacy Forum
 
The Snowden revelations about NSA activities have brought government access to online data into the public eye over the past year. Allegations that surveillance programs may have impacted American citizens have led to public outrage. In response, the president has promised to reform the U.S. government surveillance apparatus to “provide greater transparency to our surveillance activities and fortify the safeguards that protect the privacy of U.S. persons.”  
 
Long before the Snowden revelations, enhancing the privacy of U.S. persons was the focus of less-visible efforts to reform the Electronic Communications Privacy Act (ECPA), a law enacted well before the Internet era that allows law enforcement access to a panoply of electronic information held by third-party information service providers without first obtaining a warrant.
 
In December 2013, more than 100,000 Americans signed an online petition calling on the Obama administration to support ECPA reform. Although a warm spring finally is emerging in Washington, D.C., the White House has remained silent as reform bills (e.g., S. 607 and H.R. 1847) remain frozen in Congress. 
 
ECPA, established in 1986 to create "a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement," now fails at its original goal. The lines drawn by ECPA to distinguish between various stages of the digital communications lifecycle, such as “in transit” or “electronic storage,” have been erased by the forward march of technology. The development of cloud computing, which allows communications and other data to be stored indefinitely on a remote system, has withered the reasoning that allows law enforcement to unilaterally access communications stored remotely for more than 180 days.
 
The now arcane principles established by ECPA have created confusion in the courts and have impeded the application of Fourth Amendment protections to personal information. As remote storage processes replace local storage, it is counterintuitive that data stored locally should be more protected legally than that stored on a remote server. While law enforcement has a clear need to access data expeditiously and maintain substantial investigative abilities, the powers afforded those entities by a modern-day application of ECPA exceed their intended scope.
 
A reimagining of ECPA, such as that proposed by pending reforms in the House and Senate, should update the law to recognize technological advances and the normative shift from local storage to remote storage. Standards for government access should be based on content type and not on which technological platform is used to store that content; the distinction between transit and storage lifecycle stages of communications should be removed; and the probable cause threshold guaranteed by the Fourth Amendment should take precedence over the age of a communication or its status on a server.
 
Modern-day standards for government access must more adequately balance technological considerations to meet traditional expectations of privacy. The Obama administration has propelled efforts to refine tools used by the surveillance apparatus and now must support similar efforts to reform law enforcement’s access to digital communications. Only then will a level of consumer trust that should form the foundation of the digital marketplace be attainable.