The seemingly arbitrary categories may have made sense when emails were downloaded to desktops to save valuable space. Today, when messages and files can live forever in the cloud, these distinctions have become absurd. The law is so confusing, and so devoid of specific instructions with any relevance to current technology, that both law enforcement and the courts have interpreted it in myriad ways. In the absence of unambiguous federal law or applicable Supreme Court rulings, different jurisdictions now essentially have different laws. For instance, the Court of Appeals for the Sixth Circuit ruled in United States v. Warshak in 2010 that government agents violated the Fourth Amendment by reading the defendant’s emails without first obtaining a warrant—thus declaring the Stored Communications Act unconstitutional. But that ruling still only applies to the Sixth Circuit.
To the extent that local courts have a Supreme Court ruling to use for guidance, there’s Smith v. Maryland. In that 1979 case, the Court ruled that a warrant should not be required to obtain a person’s phone records because one can’t have the reasonable expectation of privacy when one knows the information is being held by the phone company anyway. Government and law-enforcement agencies have extrapolated from this ruling the permission to view content stored in the cloud without a warrant; their reasoning is that if you give your content to a third-party server, you surrender your strictest privacy protections along with it.
The implications for lawful, warrantless search are enormous. Beyond the federal government, there are countless state and local government agencies that, under ECPA, can easily get access to personal email and cloud content. If a warrant were required, an official would have to prove to a judge that there is probable cause he would find evidence of a crime there. But with a subpoena, the official could go to the service provider—Google, Microsoft, etc.—and just say it is potentially relevant to an investigation. “Relevance” is a pretty low bar.
The scope of what could be covered under “stored content” goes far beyond email, too. Think of how much of our lives exists in the cloud. While the statute doesn’t include any of these terms, privacy-law experts say government and law-enforcement agencies have interpreted “content” to include: address books, calendars, Dropbox accounts and notes backed up in the cloud, Web search histories, comments in e-books, and private photos on Facebook and Instagram. Not to mention, if they are more than 180 days old: Twitter DMs, Facebook and text messages, and online chats.
Many email and cloud service providers have policies saying they won’t hand over their customers’ content without a warrant. Ultimately, though, they’re in the awkward position of not having the legal standing to necessarily refuse, since exactly what ECPA protects is so poorly defined. And of course, some companies have better track records than others. Twitter fought a court order to hand over a customer’s postings (though it eventually lost). By contrast, The New York Times reported, Verizon surrendered the AP’s phone records without any fight at all.
Many tech companies have joined the Digital Due Process coalition, led by the Center for Democracy and Technology (CDT), to lobby for ECPA reform—specifically when it comes to requiring a warrant for email and cloud content, regardless of age or format. Their focus has been on the Electronic Communications Privacy Amendment Act in the Senate, and a companion bill, the Email Privacy Act, in the House.
Mark Stanley, a campaign and communications strategist for CDT, says the center also supports reform of another aspect of ECPA, one that does not yet have broad support: requiring a warrant for location information. This would be a huge next step for ECPA reform, and one of vital importance to journalists. Knowing that any phone line could be tapped and any keystroke recorded, many reporters rightly insist on in-person meetings to receive sensitive information. But how safe are meetings when both reporter and source carry GPS beacons in their pockets?