We Need to Cut a New Deal on Communications Privacy

By David R. Johnson
February 28, 2014

It is (high) time to rewrite and modernize the law that regulates access to our private communications and to the detailed information those communications automatically create.

No, I'm not talking about the statutes relating to the U.S. Foreign Intelligence Surveillance Court, or the National Security Agency's collection of metadata. We do need to constrain the growth of a surveillance state, even if some intelligence activities can be justified. But ordinary government information collection and eavesdropping, in the course of normal law enforcement activities, are just as badly in need of reform.

Before 1986, the wiretap statute required a warrant only for the “aural” interception of communications. That formulation stemmed from the practice of attaching alligator clips to phone lines so the police could use earphones to listen in on a call. But information was increasingly being exchanged in digital form. Interception might involve reading an e-mail, not listening to a voice. So it was clear that the wiretap statute needed to be updated to cover new forms of electronic communication.

I was involved in the negotiations and drafting that led to the Electronic Communications Privacy Act (ECPA). A deal could be struck because:

  1. Companies like IBM wanted to encourage use of electronic communications by assuring some level of privacy against both private and government “interception”;
  2. Government representatives respected privacy interests and realized that normal law enforcement operations would proceed more smoothly if some clear statutory rules (rather than vague constitutional tests) established required procedures; and
  3. Privacy advocates like the Electronic Frontier Foundation understood that what was needed were standards that allowed justified government access but prevented unreasonable intrusions.

The ECPA compromise was reached against the background of two assumptions. First, any new protection would have to be added on top of the existing wiretap statute, rather than disrupting the complex balance that had previously been struck re “aural” interception of phone calls. (This was achieved by requiring a wiretap warrant for the “interception” of any electronic communication.)

Second, insofar as e-mails and other digital communications might be stored on servers, they would also require some protection. But some stored electronic communication – say a message posted to a public “bulletin board” – could not reasonably be treated as a private communication (it was readily available to all). And because, under the then-current technology, most e-mail users downloaded e-mails to their local personal computer in order to read them, electronic messages stored for more than 180 days might reasonably be given somewhat less protection (just as property abandoned in a self-storage locker might be somewhat less protected against a government search).

The ECPA standards, supported by a broad consensus among technology companies, law enforcement agencies and civil rights organizations, served us all reasonably well for many years. But the technology has changed. Now we have the cloud and Gmail. Now your cell phone constantly reports where you are. It is no longer reasonable to assume that someone who stores e-mail on a remote server they don't own for more than 180 days has any less reason to want to protect the privacy of those “papers and effects.”

On the other hand, the practice of e-mail providers like Google of demanding a right to access the contents of e-mail for their own purposes (such as targeting advertising and building translation services) means that an aggressive invocation of the “third-party doctrine” by law enforcement could lead to claims to a right to access messages and tracking data at any time without a warrant. (If your bank uses your account information for its own purposes, the argument goes, the government can demand access to such “business records” without getting a warrant or giving you any notice – and the bank can cooperate without breaching any contractual obligation to you.)

At about the same time that the original ECPA bargain was struck, the government was pressing telephone companies to redesign their cell phone systems to make it possible to wiretap conversations. (Again, those old alligator clips weren't working the same way when the conversations were converted to digital formats.) Some suggested that the Internet itself (and all e-mail systems) should also be required to be designed to be “wiretap-able.” At a minimum, some argued, because the phone company had always been allowed and required to turn over telephone call (billing) records without a warrant – because these were considered to be just the business records of the company itself rather than the “content” of customer communications – the same rule should apply to all the address and header information associated with e-mail.

I distinctly remember the conversation in which companies and civil liberties groups pushed back against these law enforcement demands. We brought in a small glass jar, first filling it to the top with small rocks, then adding lots of pebbles, and then, even though it was seemingly full, adding a lot more sand. The message: granularity matters. And aggregation matters. In particular, giving government access to all the address information for all of a person's e-mail could be just as unreasonably intrusive as listening to a call or reading the “contents” of the message. At least at that point, the government stepped back.

New Compromise Required

Changes in technology and in the way we use electronic communications now require us to forge a new compromise. The question is whether we will get there by means of court decisions about the meaning of the Fourth Amendment or by Congressional action to update the outmoded ECPA statute. The constitutional test trumps any statute, but the whole purpose of the original wiretap statute, enacted after the courts established that the privacy of “aural” conversations was entitled to reasonable protection, was to create clear procedures and ground rules that law enforcement agencies could comply with and that provided a level of protection, even against private eavesdropping, to which courts might defer.

The question is whether we can reach a widely supported deal today. Law enforcement still has an interest in having some clear rules – but it is not clear whether officials terrified by the prospect of terrorism can acknowledge the need for some privacy protections. Companies still have an interest in assuring their customers' privacy – but they themselves have gone a long way down the road of undermining any privacy claims by using customer data for their own purposes (and demanding that users agree to this).

Civil liberties groups still favor requiring a warrant for government searches, prohibiting private eavesdropping, and providing protection against unreasonable collection of “metadata” – but, given current practices and aggressive interpretations of the “third-party doctrine,” they may not have anything to offer to law enforcement (in exchange for reasonably protective rules) that law enforcement doesn't consider itself already to have (especially in light of the mismatch between ECPA and current technology). And, as long as aggregated information about our communications is used mainly to target ads, it's hard to generate much opposition to “snooping” by private companies.

The Center for Democracy and Technology (CDT) has brought together a broad coalition of companies and public interest groups to support a comprehensive revision of ECPA. U.S. Senator Patrick Leahy (D-VT), who led the way toward adoption of the original (current) version, supports this reform. But law enforcement has so far resisted, and regulatory agencies are demanding increased rights to access communications information without a warrant.

The government might reconsider if the courts, potentially including the Supreme Court, conclude that under current circumstances the wiretap statute (including ECPA) is itself unconstitutional under the Fourth Amendment. That's a real possibility because government access without a warrant to all of a user's e-mail, even if it is stored on someone else's cloud server and even if it is used by that third party for limited purposes with user “consent” (and even if all that is accessed is the detailed records of who is communicating with whom), is, at current levels of granularity and aggregation, an unreasonable intrusion into core privacy interests.

ECPA Outdated

I helped to write ECPA and think it served the country well for a while. But technology changed. Industry practice changed. And as a result, ECPA no longer serves its key purpose of providing a congressionally approved set of clear rules that satisfy constitutional standards and limit unreasonably intrusive governmental and private party snooping.

The Katz v. United States, 389 U.S. 347 (1967), decision that first recognized a right to privacy in “aural” communications had dicta regarding protection of a person's “reasonable expectations” of privacy. That line has often been misunderstood to suggest that our collective loss of any actual expectation that Google will not read our Gmail or analyze the records of our online social interactions must defeat any claim to privacy protection against the government. But the core constitutional test has always been tied to unreasonable intrusion. And shared values against unjustified snooping, even by private actors, persist.

If we have to wait for courts to develop new Fourth Amendment doctrine, most often in the context of criminal prosecutions, we may not achieve a good balance, clear guidelines, or widespread support for any resulting rules. If we leave ECPA unmodified, we'll see more class actions brought against private companies for innovative practices – practices that might be agreeable to some users and not to others but that create surprises for all concerned in the absence of rules based on current technology and on shared values about when collection and use of detailed information about our communications is wrongful (creepy). In short, we need to cut a new deal on communications information privacy.


David R. Johnson retired as a partner from Wilmer, Cutler & Pickering, and is the former chair of the Electronic Frontier Foundation (EFF). He served as the founding director of the Aspen Institute Internet Policy Project, and was founding president, CEO and chair of Counsel Connect, the predecessor of ALM's Law.com. This article originally appeared in e-Commerce Law & Strategy's ALM sibling Law Technology News.
