Old law, new tricks

Can we modernize the Electronic Communications Privacy Act?

In 1986, the year President Reagan signed the Electronic Communications Privacy Act (ECPA), most reporters did their work with a pencil and pad, a rotary phone, and a pair of sensible shoes. Email was virtually unheard of, and just about the only person to regularly use a mobile phone was Gordon Gekko.

Twenty-seven years later, it’s an understatement to say, times have changed. Emails travel at astonishing speed and can remain forever on remote servers. We have constant access to the internet with pocket computers that can simultaneously pinpoint our locations wherever we go. And in so many ways, journalists and their news organizations increasingly depend on the cloud.

Yet ECPA, which governs how easily law enforcement and government agencies can access our “electronic communications” in the course of investigating crimes—including emails, everything we store in the cloud, and, debatably, even our physical locations as recorded by our cell phones—hasn’t changed to reflect the new digital reality. Several reform bills are slowly chugging through Congress, but even if they pass there still will be holes and weaknesses in the law. Until those gaps are filled and the protections strengthened, journalists will be putting themselves, their work, and their sources at risk, maybe without even knowing it.

Earlier this year, former CIA contractor Edward Snowden’s leaks of classified information revealed the scope of the National Security Agency’s surveillance of American citizens. They also raised the public’s awareness of digital privacy issues and bolstered political momentum in Congress for strengthening individual privacy protections of all kinds. But when it comes to journalists doing their jobs, fixing ECPA is arguably an even more pressing issue than the NSA’s secret snooping. “Frankly, for journalists, you’re never going to know if the NSA is watching you,” says Paul Ohm, an associate professor at the University of Colorado Law School who specializes in information privacy. But an investigation by the FBI? “That will be a lot more destructive to your personal life.”

Just ask New York Times reporter James Risen, who for several years has been fighting a subpoena to testify in court against one of his sources. In their efforts to identify his source for a story about a flawed CIA operation against Iran, federal agents accessed Risen’s phone, credit-card, bank, and airline records, ran three credit checks on him, and read his emails—all without his knowledge.

Or consider one of the most aggressive examples of judicial overreach in a leak case in recent years: the Justice Department’s subpoena of two months of records for 20 phone lines used by The Associated Press. In its search for information about another CIA leak, the government served its subpoena not to the AP but to the newswire’s phone provider. Verizon didn’t challenge the subpoena, the Justice Department didn’t need a warrant, and no one even told the AP until 90 days after the fact—and it all was done in accordance with ECPA rules.

“ECPA comes up in every one of those investigations,” says Mark Jaycox, a policy analyst at the Electronic Freedom Foundation, one organization among many lobbying for reform. “It has one of the lowest bars to getting information.”

Here’s why ECPA is so problematic. The Stored Communications Act, which is the part of ECPA that deals with emails and the like, distinguishes between emails in transit, emails that have been delivered but not read, and emails that have been read. Emails in transit and unread emails that are less than 180 days old require a warrant for access. But, bafflingly, emails that have been read, or that are more than 180 days old, are fair game with a simple subpoena, no judge required.

The seemingly arbitrary categories may have made sense when emails were downloaded to desktops to save valuable space. Today, when messages and files can live forever in the cloud, these distinctions have become absurd. The law is so confusing, and so devoid of specific instructions with any relevance to current technology, that both law enforcement and the courts have interpreted it in myriad ways. In the absence of unambiguous federal law or applicable Supreme Court rulings, different jurisdictions now essentially have different laws. For instance, the Court of Appeals for the Sixth Circuit ruled in United States v. Warshak in 2010 that government agents violated the Fourth Amendment by reading the defendant’s emails without first obtaining a warrant—thus declaring the Stored Communications Act unconstitutional. But that ruling still only applies to the Sixth Circuit.

To the extent that local courts have a Supreme Court ruling to use for guidance, there’s Smith v. Maryland. In that 1979 case, the Court ruled that a warrant should not be required to obtain a person’s phone records because one can’t have the reasonable expectation of privacy when one knows the information is being held by the phone company anyway. Government and law-enforcement agencies have extrapolated from this ruling the permission to view content stored in the cloud without a warrant; their reasoning is that if you give your content to a third-party server, you surrender your strictest privacy protections along with it.

The implications for lawful, warrantless search are enormous. Beyond the federal government, there are countless state and local government agencies that, under ECPA, can easily get access to personal email and cloud content. If a warrant were required, an official would have to prove to a judge that there is probable cause he would find evidence of a crime there. But with a subpoena, the official could go to the service provider—Google, Microsoft, etc.—and just say it is potentially relevant to an investigation. “Relevance” is a pretty low bar.

The scope of what could be covered under “stored content” goes far beyond email, too. Think of how much of our lives exists in the cloud. While the statute doesn’t include any of these terms, privacy-law experts say government and law-enforcement agencies have interpreted “content” to include: address books, calendars, Dropbox accounts and notes backed up in the cloud, Web search histories, comments in e-books, and private photos on Facebook and Instagram. Not to mention, if they are more than 180 days old: Twitter DMs, Facebook and text messages, and online chats.

Many email and cloud service providers have policies saying they won’t hand over their customers’ content without a warrant. Ultimately, though, they’re in the awkward position of not having the legal standing to necessarily refuse, since exactly what ECPA protects is so poorly defined. And of course, some companies have better track records than others. Twitter fought a court order to hand over a customer’s postings (though it eventually lost). By contrast, The New York Times reported, Verizon surrendered the AP’s phone records without any fight at all.

Many tech companies have joined the Digital Due Process coalition, led by the Center for Democracy and Technology (CDT), to lobby for ECPA reform—specifically when it comes to requiring a warrant for email and cloud content, regardless of age or format. Their focus has been on the Electronic Communications Privacy Amendment Act in the Senate, and a companion bill, the Email Privacy Act, in the House.

Mark Stanley, a campaign and communications strategist for CDT, says the center also supports reform of another aspect of ECPA, one that does not yet have broad support: requiring a warrant for location information. This would be a huge next step for ECPA reform, and one of vital importance to journalists. Knowing that any phone line could be tapped and any keystroke recorded, many reporters rightly insist on in-person meetings to receive sensitive information. But how safe are meetings when both reporter and source carry GPS beacons in their pockets?

The most relevant Supreme Court ruling on location tracking, US v. Jones, left the issue opaque. The Justice Department’s current practice is to subject historical cell phone location data to the same low bar of “relevance” as other online content, says Susan Freiwald, a privacy-law expert and professor at the University of San Francisco School of Law—although, she adds, courts do usually require a warrant for real-time location tracking.

Requiring warrants would stop fishing expeditions but not specific searches for information. In a criminal case concerning a leak to the media, for instance, it wouldn’t be hard for the government to demonstrate probable cause. “So all this energy about probable cause may not really change the lives of journalists that much,” says Paul Ohm. “If you look at the celebrated stories of the last couple years, they’re not dragnets; they are targeted searches about things that are at the heart of what journalism is about.”

See, for instance, James Rosen, of Fox News, whom the Department of Justice named a possible criminal “co-conspirator” for his role in publishing sensitive national security information. After Rosen published a story about North Korea’s plans for a nuclear bomb test, the FBI got a warrant for Rosen’s Gmail account to identify his anonymous source. The ECPA reforms currently on the table in Congress wouldn’t have prevented that.

The weaknesses in ECPA have led some reporters’ rights advocates to focus on passing a federal shield law with features that counter some of the act’s more troublesome provisions. The Newspaper Association of America, for instance, is lobbying to add a stronger advance-notice requirement to the proposed shield law currently under consideration in Congress. This would pre-empt ECPA if the target of the search were a journalist, so he or she would be able to challenge the request in court.

There are notice requirements built into ECPA, but they are relatively weak: A warrant for content can be served to a service provider without notifying the account holder; and while a subpoena for content requires notice, that notice can be delayed. Take, again, the AP phone-records scandal. In his June speech to the National Press Club, AP CEO Gary Pruitt emphasized what a difference advance notice could have made. The Justice Department had seized the records of 20 individual and general office phone lines, sweeping up thousands of calls by more than 100 AP staffers—at least some of whom, presumably, were working on other stories with sources who expected their identities to be protected. “Had the DOJ come to us in advance, we could have helped them narrow the scope of the subpoena,” Pruitt said in his speech. “If AP and the DOJ did not agree, then a court could decide which was right.”

Government and law-enforcement agencies making requests under ECPA often take advantage of various exemptions in the law to waive advance notice, seal the requests, or attach “gag orders”—all of which keep the real targets of their investigations in the dark. That suggests a more fundamental problem for reporters: Even the best-written laws can be bent or broken. So while meaningful improvements to ECPA are likely to pass Congress, the burden remains on journalists to become literate in all the ways they can protect their sources and themselves.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner