To the extent that local courts have a Supreme Court ruling to use for guidance, there’s Smith v. Maryland. In that 1979 case, the Court ruled that a warrant should not be required to obtain a person’s phone records because one can’t have the reasonable expectation of privacy when one knows the information is being held by the phone company anyway. Government and law-enforcement agencies have extrapolated from this ruling the permission to view content stored in the cloud without a warrant; their reasoning is that if you give your content to a third-party server, you surrender your strictest privacy protections along with it.
The implications for lawful, warrantless search are enormous. Beyond the federal government, there are countless state and local government agencies that, under ECPA, can easily get access to personal email and cloud content. If a warrant were required, an official would have to prove to a judge that there is probable cause he would find evidence of a crime there. But with a subpoena, the official could go to the service provider—Google, Microsoft, etc.—and just say it is potentially relevant to an investigation. “Relevance” is a pretty low bar.
The scope of what could be covered under “stored content” goes far beyond email, too. Think of how much of our lives exists in the cloud. While the statute doesn’t include any of these terms, privacy-law experts say government and law-enforcement agencies have interpreted “content” to include: address books, calendars, Dropbox accounts and notes backed up in the cloud, Web search histories, comments in e-books, and private photos on Facebook and Instagram. Not to mention, if they are more than 180 days old: Twitter DMs, Facebook and text messages, and online chats.
Many email and cloud service providers have policies saying they won’t hand over their customers’ content without a warrant. Ultimately, though, they’re in the awkward position of not having the legal standing to necessarily refuse, since exactly what ECPA protects is so poorly defined. And of course, some companies have better track records than others. Twitter fought a court order to hand over a customer’s postings (though it eventually lost). By contrast, The New York Times reported, Verizon surrendered the AP’s phone records without any fight at all.
Many tech companies have joined the Digital Due Process coalition, led by the Center for Democracy and Technology (CDT), to lobby for ECPA reform—specifically when it comes to requiring a warrant for email and cloud content, regardless of age or format. Their focus has been on the Electronic Communications Privacy Amendment Act in the Senate, and a companion bill, the Email Privacy Act, in the House.
Mark Stanley, a campaign and communications strategist for CDT, says the center also supports reform of another aspect of ECPA, one that does not yet have broad support: requiring a warrant for location information. This would be a huge next step for ECPA reform, and one of vital importance to journalists. Knowing that any phone line could be tapped and any keystroke recorded, many reporters rightly insist on in-person meetings to receive sensitive information. But how safe are meetings when both reporter and source carry GPS beacons in their pockets?
The most relevant Supreme Court ruling on location tracking, US v. Jones, left the issue opaque. The Justice Department’s current practice is to subject historical cell phone location data to the same low bar of “relevance” as other online content, says Susan Freiwald, a privacy-law expert and professor at the University of San Francisco School of Law—although, she adds, courts do usually require a warrant for real-time location tracking.
Requiring warrants would stop fishing expeditions but not specific searches for information. In a criminal case concerning a leak to the media, for instance, it wouldn’t be hard for the government to demonstrate probable cause. “So all this energy about probable cause may not really change the lives of journalists that much,” says Paul Ohm. “If you look at the celebrated stories of the last couple years, they’re not dragnets; they are targeted searches about things that are at the heart of what journalism is about.”
See, for instance, James Rosen, of Fox News, whom the Department of Justice named a possible criminal “co-conspirator” for his role in publishing sensitive national security information. After Rosen published a story about North Korea’s plans for a nuclear bomb test, the FBI got a warrant for Rosen’s Gmail account to identify his anonymous source. The ECPA reforms currently on the table in Congress wouldn’t have prevented that.