The 30-year-old law holding back the Internet
The year was 1986. Nintendo had just released the original Zelda. Microsoft, then on Windows 1.0, offered its shares publicly for the first time in an IPO. Gas was 89 cents a gallon and Top Gun was the year’s biggest film. That was also the year Congress (the Senate had just allowed its debates to be televised for the first time) enacted a key law controlling the government’s access to Internet data and communications.
Although game consoles, gas prices and movies have all evolved, the 1986 Electronic Communications Privacy Act (ECPA) remains on the books today, with stagnant provisions that failed to imagine the exponential evolution of the Internet and computers over three decades. For example, in 1986 we stored the majority of information on numerous floppy disks, often swapping them multiple times to find the files we needed. As a result, storage came at a premium, both in terms of time and cost, and the law’s authors never envisioned users keeping emails for longer than six months. Fast forward to 2015, where the ECPA allows the government to seize emails older than 180 days without a search warrant. This open access is especially troubling because virtually all email is housed on third-party servers – what we now call the cloud – and often goes back years or even decades. The Justice Department has also used the law to argue in court that cell phone users have relinquished their expectation of privacy by providing their location to their service providers.
The ECPA’s failings are not the fault of the late Rep. Robert Kastenmeier (D-Wis.), who authored the law, or the late President Ronald Reagan, who signed it into law. No one could have predicted what disruptive technology like the Internet would look like 30 years later. Today, practically our whole lives are stored in the cloud, and we don’t expect governments to have free rein to look over our shoulder whenever they want. That’s why Google, Dropbox, Twitter and other leading communication technology companies are coalescing behind legislation to update the law.
The Law Enforcement Access to Data Stored Abroad (LEADS) Act, introduced by Sens. Orrin Hatch (R-Utah), Chris Coons (D-Del.) and Dean Heller (R-Nev.), would go a long way toward improving the antiquated ECPA, for instance by dropping the 180-day demarcation for emails. The LEADS Act requires a warrant before the government can access people’s private electronic storage. It also clarifies that U.S. warrants apply to data on overseas servers, unless disclosure of the data would violate the laws of the originating country and as long as the data belongs to a U.S. citizen. “Law enforcement agencies wishing to access Americans’ data in the cloud ought to get a warrant,” Coons said recently, “and just like warrants for physical evidence, warrants for content under ECPA shouldn’t authorize seizure of communications that are located in a foreign country.”
The arrival of new technology has always posed challenges to privacy laws. For instance, Congress’s first law requiring law enforcement officials to obtain a warrant before eavesdropping on telephone calls came decades after the invention of the phone. Of course, a key distinction is that electronic communications are conducted with technology that creates a nearly permanent record of what was said – making privacy concerns considerably more urgent. It’s not 1986 anymore. It’s time to update the rules for how you can access our conversations.
O’Neill is a former FBI counterintelligence operative and a cyber security consultant at The Georgetown Group.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.