The Strange Case Against ECPA Reform

The Senate Judiciary Committee held hearings last week on the need to reform the increasingly badly outdated Electronic Communications Privacy Act, the 1986 legislation that governs how the cops conduct telephone and Internet surveillance in criminal investigations. Two officials from two different government agencies offered up rather strikingly different testimony.

Cameron Kerry of the Commerce Department acknowledged what legal scholars and technologists have been saying for years: The law's byzantine and inconsistent standards—which provide wildly varying levels of protection for the same e-mail as it's being composed, sent, received, read, and archived—are wholly out of touch with the ways we actually use technology today. The distinctions the law draws make no real sense in principle, and are confusing and needlessly burdensome to Internet companies in practice. 

By contrast, James Baker of the Justice Department was eager to sing the praises of ECPA in its current form, and to raise FUD (that's "Fear, Uncertainty, and Doubt for the non-geeks) about reforms proposed by the Digital Due Process Coalition, a group of civil liberties advocates and tech companies that are urging Congress to update the law. Let nobody say that DOJ is behind the curve on technology: Baker's testimony is almost totally virtual, a simulation of a real argument, worthy of the Matrix. But as with Oakland and cyberspace, when you look a little more closely, there's no there there.

A surprising amount Baker's time was devoted to establishing that electronic records—whether e-mail contents, Internet "metadata," or cell phone location information—are often useful to investigations. Well, of course they are! So are phone wiretaps! So are physical searches of homes! There wasn't really any doubt about that, was there? They're useful, of course, precisely because they tend to reveal private information about people's activities. The question is what standard is appropriate, and whether that standard should exhibit some kind of basic consistency, both with respect to a single communication at different stages, and across technologies. 

By the same token, suggesting that higher standards for access to electronic records may "impair" investigations may sound like a dire warning, but in fact it borders on tautology. Having to ask a judge to compel the production of records is a bigger impediment or delay than simply being able to demand them, and having to establish probable cause first is more difficult still. That's the point! But it doesn't tell you which standards establish a reasonable balance between user expectations of privacy and the needs (as opposed to convenience) of law enforcement. At times, the argument did sound an awful lot like Mike Masnick of Techdirt's snarky summary: "The Fourth Amendment shouldn't apply to online e-mail because... that would make us have to work harder."  The funny thing is, when you look at Baker's own anecdotes, it's hard to see how the reforms being proposed would have presented a serious obstacle to an investigation:

• In one case, cell location data used to locate a suspect for whom an arrest warrant had been issued in the shooting of a Louisiana cop. That's excellent, but at the risk of stating the obvious, if they had already obtained an arrest warrant for the suspect, they had already made the showing that would be needed to get a warrant for location tracking. 

• In another case, officers were chasing down a fugitive wanted for a triple-murder, presumably armed and dangerous, at two in the morning. It's not clear whether there was a warrant out for this suspect. But ECPA has always had an exception permitting emergency disclosures in cases where there's imminent danger of death or serious injury, and everyone seems to agree that makes good sense. So examples invoking armed cop-shooting suspects in flight or kidnappers or ticking time bombs are all red herrings. In genuine emergencies where there's really no time for a warrant, the law is flexible. But those exceptional circumstances are no basis for watering down standards in every case. By the same token, we understand that in many circumstances, police in hot pursuit of a violent suspect will be allowed to continue the chase into a private building without stopping for a warrant. But it would be absurd to make the exception the rule and suggest that the warrant requirement for searches of homes be jettisoned entirely.

• An ECPA subpoena was used to identify a computer from which an FBI agent had downloaded child pornography—a computer that turned out to belong to a high school special needs teacher. But again, nobody objects to this: Of course the agent should be able to obtain those records by some process. But what process? Under the circumstances, the image itself is prima facie evidence of a crime, so presumably even the stringent standard of probable cause would be met. So it's hard to imagine how the investigation would have been derailed if the agent were merely required to show a judge "specific facts" showing the records were "relevant" to a legitimate investigation. 

Given all the sensitive activities people engage in online—including political and religious speech or association—there's a clear civil liberties benefit to requiring some kind of judicial approval before identifying anonymous Internet users, even if it's only subject to a highly permissive "relevance" standard. Maybe there's some compelling argument that a little paperwork delay is too high a price to pay for this protection, even in non-emergency situations, but Baker certainly didn't make it.

So much for "metadata."  How about full e-mail contents, then? A probable cause warrant is needed if the government wants to search your hard drive or tap your phone conversations. Is there any reasonable case for treating e-mail differently if it happens to be stored "in the cloud" rather than on a hard drive in your home? Baker argues that "If a person stores documents in her home, the government may use a subpoena to compel production of those records," and some government agencies are authorized to issue subpoenas, but not search warrants. Therefore, he claims, it doesn't make sense to impose the higher warrant standard across the board for digitally stored records.

It's hard to call this argument anything but disingenuous. ECPA governs what investigators can obtain directly from electronic service providers. Just as with privately stored documents, it would remain possible to issue a subpoena to the person whose documents are sought compelling them to turn over certain records (including e-mail correspondence) or to authorize their release. This illustrates pretty well the differences between search warrants and subpoenas that have traditionally justified applying quite different standards to them. A search warrant is generally executed without (much) advance notice: The police come in and seize what the warrant authorizes them to take. When you receive a subpoena, you yourself find the responsive documents (instead of having the police rummage through your files looking for what's relevant), after you've had an opportunity to attempt to quash the subpoena if it's unreasonably burdensome or seeks constitutionally or statutorily protected information.

The government can issue a "preservation order" to an ISP if they're afraid a subpoena recipient would attempt to erase incriminating files—but still, often the nature of an investigation is that you don't want to tip off the suspect. But since that necessarily involves a greater invasion of privacy, those are precisely the circumstances in which a warrant is appropriate.

There are some reforms Baker would be happy to have Congress consider: He suggests it might be appropriate to impose stricter standards on ISP sharing of non-content records with entities other than the government, and that the provisions requiring compensation to providers for the time and manpower it takes to comply with data requests should be revisited. Call this the "Nice ECPA arrangement you've got there; be a shame if something wuz to happen to it" component of the testimony. The Digital  Due Process Coalition has been successful in large part because it's not just the ACLU and other usual suspects complaining: Big players in the tech industry have thrown their weight behind the push for reform as well.  This sounds an awful lot like an attempt to "split the popular front," as the Trotskyites used to say.  

A final observation.  Baker argues that "ECPA is complex because our nation's communications systems are complex" and that "Congress should take care not to disrupt the current balance of interests that is reflected in ECPA." This sounds reasonable on face, but if you actually look at the bizarro distinctions ECPA makes between (say) an e-mail stored in draft form on a server, or unopened in an inbox, or in transit on the wire, it's pretty clear that the complexity of the statute has nothing at all to do with the practical complexity of modern communications or the diverse interests involved. Indeed, the "balance of interests that is reflected in ECPA" is actually the very different set of interests that Congress weighed back in 1986, when the landscape looked quite different.

As a modest proposal, what if we froze the "balance" as it stood at that time? The ability to track the location of a suspect in motion, except by visual observation, would barely exist at all. Because storage space was more expensive by several orders of magnitude, very little transactional data would be stored by telecommunications providers for prolonged periods, and nobody would be storing draft documents or read e-mails on third-party "cloud" servers: They'd be immediately downloaded to the user's home hard drive. 

That balance—the balance that Congress actually intended back when the statute was written—is clearly not what the Justice Department has in mind. There's a conspicuous double standard here: If technological change makes it harder in any respect for investigators to obtain private information, law enforcement is quick to urge the need for "modernization" to preserve the "balance" Congress intended against the vagaries of progress.  If—as is more often the case—technology makes it vastly easier for them to obtain and process vast amounts of information, that technologically driven change establishes a new, sacrosanct baseline for government capabilities, whether or not it was foreseen or intended by Congress.

Let's hope Congress is not fooled by this kind of sleight of hand. "Balance" is exactly what has already been disrupted by a technological world nobody in 1986 envisioned; it's time to restore it.