The feds need to stop using a 30-year-old law to access user data online

Last week, the Supreme Court agreed to hear Microsoft Corp. vs. United States, in which a New York district judge issued a warrant under the Electronic Communications Privacy Act (ECPA), ordering Microsoft to turn over data stored in Ireland related to a criminal suspect. Microsoft fought the warrant, arguing that the court could not rightfully demand data held outside the U.S. and that it would require the company to violate local data privacy requirements in Ireland. The Second Circuit Court of Appeals agreed, prompting the U.S. government to appeal the decision.

At the center of this case is ECPA, a little-known law that governs how law enforcement gains access to data stored by third-party technology providers (such as Google, Microsoft, and Yahoo) during criminal investigations. This law has changed little since it was first enacted in 1986, creating significant gaps between current law and the realities of how citizens and businesses use the modern internet. Despite limited media attention, ECPA and its implications are significant.

{mosads}When the law was written, electronic communications were a novelty, data storage came in the form of floppy disks, and the largest personal computer hard drives measured in the tens of megabytes. Today, electronic communications are ubiquitous, terabytes of storage can be purchased in the cloud for pennies, and citizens store data on every aspect of their lives in their email and on electronic devices. Consumers now expect the same level of privacy for their electronic data they do for their written communications. As we have pointed out, it is almost inconceivable to modern Americans that the law makers of the 1980s would think it appropriate to treat electronic communications differently than our phone calls or mailed letters—our personal communications are personal no matter the form.

Regardless of what the Supreme Court’s decision in this case, only Congress can update ECPA and address the underlying issues. The Second Circuit Court of Appeals recognized this in its own opinions, calling on Congress to take action on ECPA and address its flaws. The courts cannot change how the law treats electronic communications nor can they address ECPA’s focus on the physical location of data in a world where electronic data moves without regard to national borders. Accepting the government’s argument forces companies to choose between compliance with a U.S. warrant and compliance with local law—why should they have to make this choice? 

This line of logic also creates an incentive for other countries to adopt positions like that of the U.S. government, asserting extraterritorial application of their domestic laws over data stored in the U.S. — do we really want Brazil to be able to force a U.S. provider to turn over data on a U.S. citizen stored in the U.S.? Citizens expect the laws of their own country to apply to their everyday lives, U.S. law for U.S. citizens and German law for German citizens. Why should U.S. law apply to the citizens of countries around the globe because their email provider has offices in the U.S.?

The broad goals for a legislative solution are reasonably clear. U.S. citizens expect the same level of privacy protections for their personal communications regardless of whether they are 200-day-old emails, a posted letter, or a phone call. All communications should be subject to the same privacy protections and warrant requirements. Any solution should seek to eliminate, or at least minimize, international conflicts of law and disincentivize extra-territorial applications of domestic law. Finally, Congress should address the uncertainty that law enforcement faces when trying to obtain digital evidence stored abroad. It is vital that law enforcement have clear, effective, and efficient mechanisms to collect digital evidence without creating additional legal conflicts.

Extending privacy protections to all electronic communications, including older than 180 days, is a step that already has bipartisan support in Congress. Other bi-lateral efforts, such as the proposed U.S.-U.K. data sharing agreement, offer opportunities to improve cross-border law enforcement cooperation by allowing law enforcement in both countries to rely upon local legal processes to gain access to data stored in either country. Such agreements can reduce conflicts of law for U.S. companies while preserving important privacy protections. Finally, shifting the focus of the law from the physical location of data to other considerations, such as the citizenship of the data subject and the location of the crime, would better reflect the global nature of the internet.

Only Congress can address the shortcomings of ECPA. Only Congress can address the conflicts of law facing providers, safeguard the rights of our citizens, and ensure lawful access to suspects’ data for law enforcement. No matter the Supreme Court’s decision in this case, at least one finding of the Second Circuit Court of Appeals will stand: Congress must act.

Alan Wehler is a senior associate at The Chertoff Group, a global security and risk management advisory firm, where he advises clients on technology and security policy issues.