We brought you word yesterday that the House Judiciary Committee would be holding a hearing on the Electronic Communications Privacy Act, or ECPA. One of the people called in to testify is Google’s Legal Director of Law Enforcement and Information Security, Richard Salgado. We weren’t sure exactly which way he would go with his testimony, but it appears that privacy advocates have a friend in Google.
Google published Salgado’s written testimony to give us an idea of what he will bring to the table this morning during the hearing. Contained therein is an argument for ECPA reform that addresses how we use the Internet today:
ECPA was enacted in 1986 — well before the web as we know it today even existed. The ways in which people use the Internet in 2013 are dramatically different than 25 years ago.
In 1986, there was no generally available way to browse the World Wide Web, and commercial email had yet to be offered to the general public. Only 340,000 Americans subscribed to cell phone service, and not one of them was able to send a text message, surf the web, or download applications. To the extent that email was used, users had to download messages from a remote server onto their personal computer, holding and storing data was expensive, and storage devices were limited by technology and size.
In 2013, hundreds of millions of Americans use the web every day — to work, learn, connect with friends and family, entertain themselves, and more. Data transfer rates are significantly faster than when ECPA became law — making it possible to share richer data, collaborate with many people, and perform more complicated tasks in a fraction of the time. Video sharing sites, video conferencing applications, search engines, and social networks — all the stuff of science fiction in 1986 — are now commonplace. Many of these services are free.
The distinctions that ECPA made in 1986 were foresighted in light of technology at the time. But in 2013, ECPA frustrates users’ reasonable expectations of privacy. Users expect, as they should, that the documents they store online have the same Fourth Amendment protections as they do when the government wants to enter the home to seize documents stored in a desk drawer. There is no compelling policy or legal rationale for this dichotomy.
Later in the testimony, Salgado dives into how ECPA reform is needed to preserve innovation and keep everybody on the same page when it comes to the law:
ECPA worked well for many years, and much of it remains vibrant and relevant. In significant places, however, a large gap has grown between the technological assumptions made in ECPA and the reality of how the Internet works today. This leaves us, in some circumstances, with complex and baffling rules that are both difficult to explain to users and difficult to apply.
The current complexity can be demonstrated by the requirements to compel production of communications content such as email. ECPA provides that the government can compel a service provider to disclose the contents of an email that is older than 180 days with nothing more than a subpoena (and notice to the user, which can be delayed in certain circumstances). If the email is 180 days or newer, the government will need a search warrant. The Department of Justice also takes the position that a subpoena is appropriate to compel the service provider to disclose the contents of an email even if it is not older than 180 days if the user has already opened it. The Ninth Circuit Court of Appeals has rejected this view.
In 2010, the Sixth Circuit held in United States v. Warshak that ECPA violates the Fourth Amendment to the extent that it does not require law enforcement to obtain a warrant for email content. Google believes the Sixth Circuit’s interpretation in Warshak is correct, and we require a search warrant when law enforcement requests the contents of Gmail accounts and other services. Warshak lays bare the constitutional infirmities with the statute and underscores the importance of updating ECPA to ensure that a warrant is uniformly required when government entities seek to compel production of the content of electronic communications.
The inconsistent, confusing, and uncertain standards that currently exist under ECPA illustrate how the law fails to preserve the reasonable privacy expectations of Americans today. Moreover, providers, judges, and law enforcement alike have difficulty understanding and applying the law to today’s technology and business practices. By creating inconsistent privacy protection for users of cloud services and inefficient, confusing compliance hurdles for service providers, ECPA has created an unnecessary disincentive to move to a more efficient, more productive method of computing. ECPA must be updated to help encourage the continued growth of the cloud and our economy.
If the above is any indication, Salgado will a solid testimony ready for the House this morning. The other party arguing for ECPA reform – George Washington University Law Professor Orin Kerr – will likely have a similar argument. It will be interesting to see what the representatives of law enforcement – who have a vested interest in keeping the ECPA as is – say in response to these privacy proponents.