Internet Privacy Law Needs an Upgrade

Imagine for a moment that all your computing devices had to run on code that had been written in 1986. Your smartphone is, alas, entirely out of luck, but your laptop or desktop computer might be able to get online using a dial-up modem. But you'd better be happy with a command-line interface to services like e-mail, Usenet, and Telnet, because the only "Web browsers" anyone's heard of in 1986 are entomologists. Cloud computing? Location based services? Social networking? No can do, though you can still get into a raging debate about the relative merits of Macs and PCs.

When it comes to federal privacy law, alas, we are running on code written in 1986: The Elecronic Communications Privacy Act, a statute that's not only ludicrously out of date, but so notoriously convoluted and unclear that even legal experts routinely lament the "mess" of electronic privacy law. Scholar Orin Kerr has called it "famously complex, if not entirely impenetrable." Part of the problem, to be sure, lies with the courts.  It is scandalous that in 2010, we don't even have a definitive ruling on whether or when the Fourth Amendment requires the government to get a search warrant to read e-mails stored on a server. But the ECPA statute, meant to fill the gap left by the courts, reads like the rules of James T. Kirk's fictional card game Fizzbin.

Suppose the police want to read your e-mail. To come into your home and look through your computer, of course, they'd need a full Fourth Amendment search warrant based on probable cause. If they want to intercept the e-mail in transit, they have to go still further and meet the "super-warrant" standards of the Wiretap Act. Once it lands on your Internet Service Provider's server, a regular search warrant is once again the standard—assuming your ISP is providing access "to the public." If it's a more closed network like your work account, your employer is permitted to voluntarily hand it over. But if you read the e-mail, or leave it on the server for more than 180 days, then suddenly your ISP has become a "remote computing service" provider rather than an "electronic communications service provider" vis a vis that e-mail. So instead of a probable cause warrant, police can get a 2703(d) order based on "specific and articulable facts" showing the information is "relevant and material" to an investigation—a much lower standard—provided they notify you. Except they can ask a judge to delay notification if they think that would impede the investigation. Oh, unless your ISP is in the Ninth Circuit, where opened e-mails still get the higher level of protection until they've "expired in the normal course," whatever that means.

That's for e-mail contents.  But maybe they don't actually need to read your e-mail; maybe they just want some "metadata"—the equivalent of scanning the envelopes of physical letters—to see if your online activity is suspicious enough to warrant a closer look.  Well, then they can get what's called a pen/trap order based on a mere certification to a judge of "relevance" to capture that information in realtime, but without having to provide any of those "specific and articulable facts." Unless it's information that would reveal your location—maybe because you're e-mailing from your smartphone—in which case, well, the law doesn't really say, but the Justice Department thinks a pen/trap order plus one of those 2703(d) orders will do, unless it's really specific location information, at which point they get a warrant. If they want to get those records after the fact, it's one of those 2703(d) orders—again, unless a non-public provider like your school or employer wants to volunteer them. Oh, unless it's a counterterror investigation, and the FBI thinks your records might be "relevant" somehow, in which case they can get them with a National Security letter, without getting a judge involved at all.

Dizzy yet? Well, a movement launched today with the aim of dragging our electronic privacy law, kicking and screaming, into the 21st century: The Digital Due Process Coalition.  They're pushing for a streamlined law that provides clear and consistent protection for sensitive information—the kind of common sense rules you'd have thought would already be in place.  If the government wants to read the contents of your letters, they should need a search warrant—regardless of the phase of the moon when an e-mail is acquired. If they want to track your location, they should need a warrant. And all that "metadata" can be pretty revealing in the digital age—maybe some stricter oversight is in order before they start vacuuming up all our IP logs.

Reforms like these are way overdue. You wouldn't trust your most sensitive data to software code that hadn't gone a few years without a security patch. Why would you trust it to legal code that hasn't had a major patch in over two decades?