Politics don’t change, but technology continues to evolve and lawmakers cannot keep up. That is my big takeaway from my CompTIA trade association lobbying effort in Washington DC in mid-February. As a technologist and privacy rights advocate for small business, my goal is reform of the Electronic Communications Privacy Act (ECPA), which was drafted in 1986 to give Fourth Amendment protection to electronic communications. Remember, no one had email in 1986. But fast forward 30 years and communication by email and storage in the Cloud is the lifeblood of my company Clever Ducks, an IT service provider for small businesses on the Central Coast of California.
I was surprised to learn that the Federal law governing government access to private information stored on the Internet, including emails, social posts, or corporate data, says that stored information over 180 days old is “abandoned” and can be obtained without a warrant. That means that under current ECPA law, government agents can demand access to stored data with just a subpoena, which is issued without the requesting party obtaining approval by a judge. This runs roughshod over our civil rights. The Fourth Amendment protects citizens against all unreasonable searches by the government. It is unreasonable that in today’s world the expectation of privacy for digital information should be different than for physical papers, which would require a warrant.
The only reason service providers are not handing over content solely based on a subpoena is a 2010 Sixth Circuit Court of Appeals decision in US v. Warshak ruling that law enforcement must use a warrant to obtain digital content from providers. Large providers nationwide are treating the Warshak decision as law of the land, but it is not unanimous across all eleven judicial circuits and there could be a conflicting decision in another circuit court.
This needs to change. When government agents want ISPs and cloud providers to disclose sensitive data, there should be a uniform law in our country requiring a warrant from a judge. With support across the political spectrum and from the ACLU and Heritage Foundation to the US Chamber, why has legislation not passed yet to fix this? Because of the one constant in DC: politics.
H.R. 699 is currently the most sponsored bill with 310 sponsors in the House. It is headed for markup in March. Everyone agrees that a warrant standard is appropriate, but civil agencies like the SEC and FTC are asking for an exception to the warrant requirement. The civil agency exception, along with other more controversial topics like third party access, international protections, and geolocation and metadata treatment do not have broad support. Instead of passing a widely-supported bill that everyone can agree upon, political squabbling may kill the bill if these other issues are attached to HR 699. I remain hopeful that this bill might move during this legislative term, but in light of Apple refusing to unlock the San Bernardino terrorist’s cell phone, issues might be lumped together and a good bill might die. It reminds me of the School House Rock lyrics:
“It’s a long, long wait
While I’m sitting in committee,
But I know I’ll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.”
In the meantime, technology will continue to be an important part of our lives. Clear legislation is needed to support the trust and security critical to information technology operations. Companies need to be confident in the confidentiality of their data and the data customers entrust to them. This level of confidentiality includes preventing overzealous government investigators from accessing constitutionally protected data. Of course, there are cases when law enforcement agents need electronic evidence, but government power should be subject to checks and balances. The requirement – followed every day in the physical world – is that government agents obtain a warrant from a judge before accessing private papers.
It is up to us in the industry to educate our lawmakers that reforming ECPA to require a warrant to access any electronic communication is an important issue. Not all folks in Congress are steeped in technology and understand the impact of the issue. It would be a shame if politics got in the way of privacy.
Amy Kardel / Co-Founder
Clever Ducks, San Luis Obispo, California