The law that lets police hack your email

By Greg Nojeim and Jake Laperruque on August 8th, 2014

Next time you open your personal email account, spend a moment browsing through the thousands of old messages you have saved. Compare your most recent messages with those that are more than six months old. Is there anything different between them? Does something change about your private communications after they hit that half a year mark?

According to the government, there is a huge difference: All those emails older than six months are subject to unwarranted search and seizure.

The reason for this is the Electronic Communications Privacy Act—commonly called ECPA—a law that defines the rules for government access to electronic communications such as email.

Generally, ECPA requires that police obtain a warrant before they can read an individual’s emails, just as they must get a warrant when they want to search a house or listen in on someone’s phone calls. But ECPA contains one highly problematic exception: If the email is over 180 days old, the statute says the government no longer needs a warrant—it can read your private communications with just a subpoena, which doesn’t require judicial approval. Worse still, draft emails, stored documents, and photos are available without a warrant regardless of how old they are, according to ECPA.

This bizarre rule was not created with malicious intent—it’s simply the byproduct of a law that’s gone too long without an update.

ECPA was adopted in 1986, back when email services could only store about two dozen messages, and an email more than 180 days old was considered “abandoned.” Modern email is entirely different. We receive dozens of messages every day, even every hour, and we permanently archive old emails not on our local devices but with services that can easily hold hundreds of thousands of messages. Setting privacy protections to a 1980s standard is as crazy as trying to plug a floppy disc into a MacBook Air, but after nearly 30 years, ECPA is still waiting for an upgrade.

What’s more, the law’s 180-day rule is not only outdated; it’s also unconstitutional. In 2010, a federal Court of Appeals ruled in United States v. Warshak that the Fourth Amendment protects all emails from unwarranted search. Leading Internet companies now refuse to comply with subpoenas for older emails based on Warshak, but because the case is not binding nationally, legislative action is needed to remove the uncertainty and bring the law on the books back in line with citizens’ expectations.

Major tech companies and public interest groups (including ours, the Center for Democracy & Technology) from across the political spectrum want reform. Through the Digital Due Process coalition, we are urging Congress to close the 180-day loophole and apply the warrant standard to the contents of all private electronic communications—to treat all electronic documents, photos, messages, and other items stored in the cloud just as they would be if they were paper copies kept in a desk drawer.

These efforts have been paying off. Last year, Representatives Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) introduced the Email Privacy Act, a bill that would give ECPA its long-overdue upgrade. Even in our polarized Congress, there is a clear consensus that our personal emails deserve more protection than ECPA offers. The Email Privacy Act currently has 263 cosponsors, well over half the members of the House of Representatives, including a strong mix of Democrats and Republicans.

Despite the immense bipartisan support for this measure, however, progress remains at a standstill.

The Securities and Exchange Commission (SEC) has worked vigorously to block the bill, claiming it needs the ability to obtain emails without a warrant for civil investigations. However, civil agencies like the SEC already have full authority to obtain records directly from the targets of their investigations, including the target’s email—no warrant needed.

When a civil agency, such as the SEC, investigates an individual, the agency can serve a subpoena on the target demanding all relevant materials. If the agency fears the target will delete the email, it can write a letter to the target’s communications service provider and compel that provider to preserve the email. If the target refuses to comply, the agency can go to court to have the subpoena enforced. This system applies regardless of whether materials are in a safe deposit box or the Internet cloud.

What’s really going on is that the SEC—and other regulatory agencies—wants to circumvent that process for private electronic communications. In truth, the SEC isn’t stopping changes to ECPA out of fear of losing investigative ability; it’s holding up a much-needed reform in the hopes of acquiring a new, invasive power.

As the fight for better email privacy lingers in stalemate, a host of other privacy issues continue to percolate rapidly to the surface. One is location privacy. Although the Supreme Court ruled in 2012 that police need a warrant to attach a GPS device to your car, the government insists that it does not need a warrant to track you using your cellphone. Given the intimate details about your life that your cellphone location data can reveal, a warrant should be required for this information, regardless of whether it comes from a GPS tracker or a smartphone.

It is the fight for greater privacy protections for all Internet users—from smartphone-packing grandmas to cybersecurity researchers, from forgotten emails to your current location—to which the Digital Due Process coalition and privacy advocates like us have committed.

Meaningful change begins with the simple need to make it clear that a warrant is necessary to read someone’s email. When Congress returns from its August recess, surveillance reform and National Security Agency bulk collection are likely to be big items of discussion. Protecting our emails from warrantless searches by government agents should be part of that discussion.

It’s time for Congress to start updating our privacy laws to meet the realities of today’s technology, and the place to begin is by approving the Email Privacy Act.

 

Greg Nojeim serves as director of Center for Democracy & Technology’s Freedom, Security & Technology Project. Jake Laperruque is a Privacy, Surveillance and Security Fellow, Center for Democracy & Technology.

Illustration by Max Fleishman