
ECPA 2013

It’s time for a pop quiz. In which of the following scenarios can the U.S. government obtain your data without a warrant?

If you answered, “yes,” to all of the above scenarios, then you are 100% correct! Current U.S. law allows the government to acquire all of the above data without a warrant. However, legislation that just unanimously passed the Senate Judiciary Committee may change some of that.

Where We Are Now

The law in question is the Electronic Communications Privacy Act of 1986 (ECPA). The ECPA protects wired and wireless transmissions from being searched by the government without a warrant. It also protects stored electronic records. However, it does not protect records that are stored on your behalf by a third-party provider. For example, email messages stored on an email provider’s servers are fair game, as are any documents stored in the cloud.

The reason for these exceptions, which now seem quite ridiculous (the government can read my email without a warrant?), dates back to a number of old Supreme Court cases, and in fact to the Fourth Amendment itself.

The first case in question is the 1967 case of Katz v. United States. Charles Katz was a gambler living in Los Angeles. One day, he used a public phone booth to call contacts in Boston and Miami and give them wagers, a form of gambling which was illegal in Los Angeles. Unfortunately for him, the FBI had placed a listening device on the outside of the phone booth. They heard his conversation, and used it to convict him. Katz appealed on the grounds that his Fourth Amendment right to privacy had been violated.

The text of the Fourth Amendment says nothing about phone booths. In fact, the only things it explicitly protects are, “persons, houses, papers, and effects.” A public phone booth is none of those. The founding fathers had never expected that one might require privacy in anything outside of oneself and one’s property, and in this expectation, forgot to include phone booths in the list of items protected from unreasonable search and seizure. Luckily, the justices of the Supreme Court recognized what they saw as the true intention of the founding fathers: to protect one’s privacy wherever one might reasonably expect to have it. They ruled in favor of Katz and introduced the concept of a “reasonable expectation of privacy.” That is, a person is protected by the Fourth Amendment in any situation in which they might reasonably expect to have privacy – a closed phone booth being one.

This new doctrine of expectation of privacy was used nine years later when Mitch Miller was arrested and convicted of operating an illegal distillery. In the process of the investigation, subpoenas were issued to his bank for, “all records of accounts, i.e., savings, checking, loan or otherwise, in the name of Mr. Mitch Miller…” Miller appealed on the grounds that his Fourth Amendment right to privacy had been violated when the government accessed his bank records without his permission. When the case, United States v. Miller, reached the Supreme Court, the question to be answered, thanks to the Katz case almost a decade previous, was whether or not Miller had had a reasonable expectation of privacy in his bank records.

The Court found that he did not. By giving away his records to a third party, they argued, he had demonstrated that he did not expect any privacy in those records. This decision, together with the 1979 case of Smith v. Maryland, established the third party doctrine. The third party doctrine states that by revealing information to a third party, a person demonstrates that he does not expect privacy in that information, and thus forfeits his Fourth Amendment rights to that privacy.

Fast forward yet another decade to 1986. The ECPA was being written, and it was being decided what protections should exist for consumer data stored by a third party. To Congress at the time, the answer was clear: The third party doctrine stated that a person had no expectation of privacy in information voluntarily given to a third party. The government needed nothing more than a subpoena to request a subscriber’s content held in storage by a third party.

To their credit, Congress went farther than they needed to. They stipulated certain situations under which one’s data was protected from warrantless search and seizure, regardless of the fact that a less stringent law would have been deemed constitutional. Unread email which had been stored for up to 180 days required a warrant. Communications held for longer than 180 days or which were held purely for storage purposes required a warrant, a subpoena, or a court order. This included read email, which, it was argued, was being stored only for storage purposes.

Nonetheless, this still meant that the vast majority of electronic communications – emails more than 180 days old or that had already been read – were subject to a far lower degree of protection from search and seizure than most other forms of communication, even including phone calls.

Fast forward to the 21st century, and this lack of protection had suddenly become much more important. Email was ubiquitous, other forms of now-unprotected electronic communication were popping up left and right, and over all of them, serious business was being conducted. Just a few years into the new century, information began to move to the cloud. All of a sudden the ECPA, which had been written to fill the gap between law and technology, was yet again woefully behind the times.

Fast forward not so many years to right now, as I sit here writing this. Thursday, April 25th, 2013. Just yesterday, the New York Times ran a piece that made my heart skip a beat. In fact, it’s because of that piece that I sit here writing this now. Senator Patrick Leahy (D-Vermont), the original sponsor of the 1986 ECPA, has just introduced a new piece of legislation along with his colleague Senator Mike Lee (R-Utah). The bill, entitled the “Electronic Communications Privacy Act Amendment Act of 2013” (ECPA 2013), aims to fix the holes in the original 1986 ECPA by requiring a warrant for the government to obtain any communication in electronic storage by a third party provider. No 180-day expiration, no condition of the communication remaining unread, just pure, unadulterated Fourth Amendment protection. So, hyperbole aside, what will this amendment really do?

What Will This Amendment Really Do?

Glad you asked. The bill defines the protected communications as “the contents of a wire or electronic communication that is in electronic storage with or otherwise stored, held, or maintained by the provider.”

In order to compel a third party service provider to hand over such communications, the government must obtain a warrant. Furthermore, unless the government has a warrant, it is a crime for a provider to hand them over voluntarily.

However, there is certain information which remains unprotected by a warrant. This information includes:

  • Name and address of the subscriber
  • Phone call records including numbers called, and times and durations of calls
  • Device identification numbers (for example, MAC addresses)
  • “Other subscriber number or identity,” including any temporarily assigned network addresses (for example, IP addresses)
  • Means or source of payment of a subscriber

In order to obtain this information, the government must do one of the following:

  • Get a warrant
  • Get a court order
  • Get the consent of the subscriber
  • In certain special cases, a formal written request can suffice to get only the “name, address, and place of business of a subscriber”

What This Means For You

So what does this mean for you? What sorts of things are protected by the warrant requirement? Well, first and foremost, it means that your emails are most certainly protected, as are your documents stored in the cloud. [1] Second, it means that any data that you have stored with a third party provider which is clearly “content” is protected. This includes, for example, private messages and wall posts on Facebook (though note that anybody with legitimate access to these – i.e., your friends – probably could legally disclose them to the police).

There are also some things which may be protected, depending on interpretation. For example, the identity of the recipient of messages may or may not be protected. The key here is whether such information would be considered “content.” This distinction could be very tricky in a number of cases. Technical readers may be interested in a few examples:

  • Are the IP addresses of the devices with which you communicate over the internet protected? The IP of your device isn’t protected, but what about the recipients of your internet traffic? An argument could be made that the bill does not intend to protect this information since it doesn’t protect the phone numbers you call, and destination IPs could be seen as analogous. Then again, it doesn’t ever mention destination IPs explicitly either.

  • Are the domain names of the websites you visit protected? When you look up those domain names using DNS, they would likely be considered part of the content of the messages sent between you and the DNS server. But what about when you connect to a website? HTTP, the protocol which handles Web traffic, includes the target domain name in every request made to a website. On the one hand, this is technically part of the HTTP header, and headers are usually not considered content, but rather metadata. On the other hand, the entire HTTP request, headers included, is sent as the content of the TCP/IP communication with the server.

  • The above example brings up another problem: If HTTP headers are protected as the content of TCP/IP communications, are all application-layer transactions equally protected? Does it depend on the service? For example, perhaps it is the case that your ISP cannot hand over HTTP headers since your ISP deals at the IP level, to which HTTP headers are considered content; but the operator of the website you visit could hand over the HTTP headers since, to them, HTTP headers are not content, but simply metadata.

  • The above example brings up yet another problem: Does the protection of data depend on what entity is observing that data? Certainly the intended recipient of an email is not barred from handing over your communications to the government, while your email provider is.
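The layering behind the last three bullets, as an added Python example that is not part of the original article: it builds one constructed IPv4/TCP packet carrying an HTTP request, then shows the fields a carrier working at the IP/TCP level reads to deliver it, next to the same payload bytes as the web server parses them. The addresses, ports, path and host name are constructed sample values.

```python
import socket
import struct

# Constructed sample HTTP request (not real traffic).
HTTP_REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
                b"User-Agent: demo\r\n\r\n")

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left at zero for the demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def network_view(packet):
    """Addressing fields used to deliver the packet, plus the opaque payload."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    src, dst = struct.unpack("!4s4s", packet[12:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4         # TCP header length
    addressing = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                  "sport": sport, "dport": dport}
    return addressing, packet[ihl + data_offset:]

def application_view(payload):
    """The same bytes as the web server reads them: request line, headers, body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return lines[0], headers, body

# Constructed packet using documentation-range addresses.
PACKET = build_packet("192.0.2.10", "198.51.100.7", 49152, 80, HTTP_REQUEST)

if __name__ == "__main__":
    addressing, payload = network_view(PACKET)
    print("IP/TCP addressing fields:", addressing)
    print("IP/TCP payload length   :", len(payload), "bytes")
    request_line, headers, body = application_view(payload)
    print("HTTP request line       :", request_line)
    print("HTTP Host header        :", headers["Host"])
```

The host name appears nowhere in the addressing fields; it exists only inside the bytes that the IP/TCP layer treats as payload, which is why the same header can look like content to one party and metadata to another.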

There are also, however, a few things which most certainly are not protected. In particular, none of the things explicitly exempted are covered. As mentioned above, this includes subscriber name and address; phone call recipients, times of calls, and durations; device identification numbers such as MAC addresses; other subscriber identification numbers such as IP addresses; and subscriber means of payment.

Another thing which definitely is not protected is your cell phone’s location. I included that example in the pop quiz at the beginning of this article because I think that it’s an interesting example of technology getting ahead of us, but ECPA 2013 adds no protections here. In particular, it strikes me as fairly definite that information about which cell phone towers you are connected to, and the signal strength of your phone observed by those towers [2], cannot reasonably be considered “message content.” An argument could be made that the list of towers to which you are connected could be considered a form of temporary network address, which enjoys light protection (subpoena, court order, etc.) under this bill. However, even if that were the case, I’m pretty sure that some sort of court order is already required for such information [3], so this bill adds no new protections.

Not Out of the Woods

Note that we’re not out of the woods yet. While most signs are pointing towards this bill becoming law, it is not law yet, so for the time being, know that not all of your electronic conversations are protected by the Fourth Amendment. Actually, even if this bill does pass, I’d still be careful – recently the government has taken a page out of the Pirates of the Caribbean handbook and has decided that the Constitution and the Bill of Rights are really more like guidelines anyway.

That said, things are looking good. Really good. There has been support from a huge range of groups with a huge range of political views. According to the American Civil Liberties Union, “[a]fter the vote, messages of support poured in from libertarians, consumer groups, privacy advocates, civil rights organizations, groups like the Americans for Tax Reform and The Heritage Foundation, librarians, tech policy groups, media trade groups, Internet industry organizations, and more.” And it never hurts to have the committee vote be unanimous.

[1] To save space, Dropbox detects duplicate files, and only uploads those files which have not already been uploaded by another user. Thus, for duplicate files, your “data” stored in Dropbox really only consists of the links to the original files. If these links are considered the “content,” then they are protected under ECPA 2013. For technical readers: Dropbox accomplishes this by hashing the files. There’s a pretty strong argument to be made that hashes are content, considering that they don’t just store information about your data, but in some sense they store the identity of your data. This, in my mind, makes them content. In any case, if this ever comes up in court, I’ll look forward to watching aged justices arguing over hashing algorithms.

[2] Phone companies can figure out where you are by triangulating your location based on your phone’s distance from different cell towers.

[3] This is just a guess on my part – if I’m wrong, please correct me.