In 1986, the year President Reagan signed the Electronic Communications Privacy Act (ECPA), most reporters did their work with a pencil and pad, a rotary phone, and a pair of sensible shoes. Email was virtually unheard of, and just about the only person to regularly use a mobile phone was Gordon Gekko.
Twenty-seven years later, it’s an understatement to say, times have changed. Emails travel at astonishing speed and can remain forever on remote servers. We have constant access to the internet with pocket computers that can simultaneously pinpoint our locations wherever we go. And in so many ways, journalists and their news organizations increasingly depend on the cloud.
Yet ECPA, which governs how easily law enforcement and government agencies can access our “electronic communications” in the course of investigating crimes—including emails, everything we store in the cloud, and, debatably, even our physical locations as recorded by our cell phones—hasn’t changed to reflect the new digital reality. Several reform bills are slowly chugging through Congress, but even if they pass there still will be holes and weaknesses in the law. Until those gaps are filled and the protections strengthened, journalists will be putting themselves, their work, and their sources at risk, maybe without even knowing it.
Earlier this year, former CIA contractor Edward Snowden’s leaks of classified information revealed the scope of the National Security Agency’s surveillance of American citizens. They also raised the public’s awareness of digital privacy issues and bolstered political momentum in Congress for strengthening individual privacy protections of all kinds. But when it comes to journalists doing their jobs, fixing ECPA is arguably an even more pressing issue than the NSA’s secret snooping. “Frankly, for journalists, you’re never going to know if the NSA is watching you,” says Paul Ohm, an associate professor at the University of Colorado Law School who specializes in information privacy. But an investigation by the FBI? “That will be a lot more destructive to your personal life.”
Just ask New York Times reporter James Risen, who for several years has been fighting a subpoena to testify in court against one of his sources. In their efforts to identify his source for a story about a flawed CIA operation against Iran, federal agents accessed Risen’s phone, credit-card, bank, and airline records, ran three credit checks on him, and read his emails—all without his knowledge.
Or consider one of the most aggressive examples of judicial overreach in a leak case in recent years: the Justice Department’s subpoena of two months of records for 20 phone lines used by The Associated Press. In its search for information about another CIA leak, the government served its subpoena not to the AP but to the newswire’s phone provider. Verizon didn’t challenge the subpoena, the Justice Department didn’t need a warrant, and no one even told the AP until 90 days after the fact—and it all was done in accordance with ECPA rules.
“ECPA comes up in every one of those investigations,” says Mark Jaycox, a policy analyst at the Electronic Freedom Foundation, one organization among many lobbying for reform. “It has one of the lowest bars to getting information.”
Here’s why ECPA is so problematic. The Stored Communications Act, which is the part of ECPA that deals with emails and the like, distinguishes between emails in transit, emails that have been delivered but not read, and emails that have been read. Emails in transit and unread emails that are less than 180 days old require a warrant for access. But, bafflingly, emails that have been read, or that are more than 180 days old, are fair game with a simple subpoena, no judge required.