When it comes to online data, the feds appear to believe in privacy for some, but not all

Most personal documents are no longer stored in a filing cabinet in the basement, nor are they sent through the postal service to physical addresses. Instead, people are using advanced communications technology to send, retain, and maintain their personal information, and the protection of that information from both private and governmental intrusion has become more important than ever.

When Congress enacted the Electronic Communications Privacy Act (ECPA) in 1986, clarifying laws covering wiretaps and intentional electronic eavesdropping, individuals and companies were far from connecting with one another and storing information on remote servers through email and the cloud. This law has been critically important to businesses, government investigators, and ordinary citizens by creating a constitutionally valid process through which law enforcement could access electronic data. However, society communicates in a dramatically different manner today than in 1986, with an increasing amount of data stored digitally with third party providers, including emails and other data stored in the cloud.

{mosads}This vacuum in the law has become increasingly problematic, as law enforcement officials seek information, including email content from cloud service providers, rather than from the subjects of their investigations. In 2013, the Department of Justice (DOJ) sought the contents of a Microsoft customer’s email account stored in a server located in Ireland. Microsoft made many reasonable arguments against DOJ’s demands, setting the stage for a privacy battle in the case of United States v. Microsoft Corp. The case was argued before the Supreme Court on Feb. 27, 2018.

To clarify the law for electronic communications stored overseas, Congress included the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), as part of the fiscal year 2018 Omnibus Appropriations (omnibus) bill. The CLOUD Act, while incomplete, will help protect personal information stored overseas from undue government intrusion. It was a relatively bright spot in the omnibus bill, which Citizens Against Government Waste found to be loaded with wasteful spending, including boosted or maintained funding for the National Endowments for the Arts and Humanities; TIGER grants; Export-Import Bank; Low Income Home Energy Assistance Program; and renewable energy subsidies.

On March 31, following enactment of the omnibus, DOJ asked the Supreme Court to drop the Microsoft case because the new law created improved criteria for requests of electronic data stored overseas. While the CLOUD Act will help companies that have consumer data stored abroad, it does not apply to customer data stored in the U.S. The law only relates to international communications, and does not protect against warrantless searches of consumer data by law enforcement. The outdated laws on the books for consumer privacy remain in effect.

For example, ECPA does not prohibit access to user communications and information stored online without a warrant if the item had been marked “read” or opened, or if it is older than 180 days. In those cases, only a less-strict subpoena is required for government entities to read user emails as part of an investigation. However, because most users now store information and emails with third-party providers online using cloud computing providers, it makes little sense to treat this information differently based whether the item’s status is marked as “read” or dated more than 180 days.

There is legislation pending in Congress that would provide clarity to email protection and provider certainty through language that was not included in the CLOUD Act. H.R. 387, the Email Privacy Act would revise the circumstances under which the U.S. government may require a cloud services provider to disclose the contents of email and other electronic information stored or otherwise maintained by the provider. With broad, bipartisan support and co-sponsorship, the House passed H.R. 387 by voice vote on Feb. 6, 2017. Yet, the Senate continues to fail to move the legislation forward. 

Ensuring that communications among individuals, regardless of their source or destination, have equal protection under the law is critical to keeping the freedoms that are guaranteed under the Fourth Amendment. Law enforcement is required to obtain a search warrant to access information in homes, offices, and mailboxes. Certainly, the same standard should apply to information that is stored electronically. It is time to provide certainty to the protection of that information by updating ECPA and enacting the Email Privacy Act.

Deborah Collier serves as the director of technology and telecommunications policy for Citizens Against Government Waste, a nonprofit group aimed at promoting limited government.