September 8, 2016

Digital Privacy Shouldn't Depend on a Law Written in the Time of 'Stranger Things'

Veronique de Rugy

Senior Research Fellow
Summary

More importantly, if implemented, [the International Communications Privacy Act] would codify into law a simple and clear standard: A warrant should always be required to access private information from a third party.

Contact us
To speak with a scholar or learn more on this topic, visit our contact page.

One of the most powerful arguments for limiting the size and scope of government is the inability of politicians and regulators to keep up with the pace of technological change. Case in point: Congress has not updated the rules regulating when and how law enforcement may access stored online data since the time period depicted in Netflix's 1980s nostalgia-heavy hit, "Stranger Things."

The Electronic Communications Privacy Act was passed in 1986, when data storage was considerably more expensive and primitive. At the time, it was not common for data to be kept online for very long. As such, the ECPA considers emails held online by a third party for more than 180 days to be abandoned and thus open to access by law enforcement without a normal warrant. Sure puts that cluttered inbox in a new light, doesn't it?

Now that free online email hosts are commonplace and terabytes of cloud storage are available at little cost, the ECPA is a troubling anachronism. Today's internet users expect their data to be protected from prying government eyes for as long as they choose to store it.

There are additional reasons driving the need for data access reform. One was clearly demonstrated in July, when the 2nd U.S. Circuit Court of Appeals rebuked the Justice Department after a three-year legal battle with Microsoft, which hosted data for an Irish citizen being pursued by U.S. authorities. The data was being kept in a server located in Ireland, yet the U.S. government insisted it had jurisdiction to demand access just because the company that held it is a subsidiary of Microsoft, an American corporation.

The government sought to use a warrant that was issued pursuant to a statute under the ECPA, which provides no authority for access to data held overseas. The government officials most likely made this overreach rather than go through the mutual legal assistance treaty, or MLAT, process — which would have enabled them to work with the appropriate overseas authority — because of the fact that MLAT procedures are also cumbersome and outdated.

There is a bill making its way through Congress that attempts to address these issues. It's the International Communications Privacy Act. The bipartisan bill — introduced by Sens. Orrin Hatch, R-Utah, Chris Coons, D-Del., and Dean Heller, R-Nev. — presents significant changes meant to reduce the temptation for law enforcement to overstep its bounds as it did against Microsoft by making MLATs viable options through greater transparency and accountability. More importantly, if implemented, it would codify into law a simple and clear standard: A warrant should always be required to access private information from a third party.

The reforms in the ICPA would move us away from the current '80s drama. It also seems that the package could even move through Congress during a contentious election season because it safeguards consumer data while also acknowledging that there must be legitimate and accessible law enforcement tools to pursue digital evidence across borders. Businesses that operate or store data in multiple jurisdictions would also benefit from clearer rules regarding their users' expectations of privacy and avoid unnecessary and costly legal battles.

No one really disputes that it's time to update the ECPA, and the ICPA has support from key leadership figures from both parties. That said, if legislators were known for their swift action, the law would never have been allowed to become so outdated in the first place.