By Carly Nuttall
Most people understand that statements shared on Twitter, status updates posted on Facebook, or photos uploaded to Instagram are not private. But what about emails, text messages, health and financial records, or photos stored in the cloud? Although most people would assume that this information is protected—both by passwords and the Fourth Amendment—it isn’t.
At present, online content stored in the cloud is governed by the Electronic Communications Privacy Act of 1986 (ECPA). Although the Fourth Amendment protects Americans against unreasonable searches and seizures of their persons, houses, papers, and effects by requiring law enforcement to obtain a warrant before accessing your property, the same is not true for all online content. The ECPA distinguishes your virtual information from your more tangible information (such as physical printouts of financial or health records). Under the ECPA, information stored online for more than 180 days is considered abandoned and is not guaranteed protection.
The ECPA in its current form is often justified on national security grounds. When it comes to combating terrorism, it is certainly to the government’s advantage to have ready access to this kind of information. However, this need to protect the homeland must be appropriately balanced with preserving civil liberties and privacy rights. The only way to accomplish this is through effective legislative reform.
This legislation is clearly outdated and at odds with contemporary usage of cloud storage. Legislators have come to recognize this in recent years, with several proposals coming forward to solve the problem. In the House, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) have put forth the Email Privacy Act, while Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) have introduced the ECPA Modernization Act in the Senate. Both pieces of legislation would require that law enforcement obtain a warrant before accessing content kept in cloud storage. Notably, the ECPA Modernization Act would also eliminate gag order provisions that prevent service providers from notifying you that they have turned over your personal records to the government pursuant to a search warrant. Under current law, if the U.S. government supplies a search warrant to your internet service provider requesting access to your personal information, your internet service provider is required to comply and is forbidden from notifying you, the customer, that they have provided your information to the government.
In another effort to modernize the ECPA, Senators Orrin Hatch (R-UT), Chris Coons (D-DE), and Dean Heller (R-NV) have also put forth the International Communications Privacy Act (ICPA), which aims to clarify law enforcement’s ability to access extraterritorial communications. While the bills mentioned previously focus on the protection of Americans’ digital information stored within U.S. borders, the ICPA extends this protection to Americans’ digital information that is stored abroad, requiring law enforcement agencies to obtain a warrant to access any information stored online, no matter the location of the storage.
Without modernizing the ECPA, these issues will continue coming to the fore, as exemplified in the different outcomes of Microsoft Corp. v. United States and In re Search Warrant No. 16-960-M-01 to Google. The over thirty-year-old ECPA legislation has long overstayed its welcome and does not comply with modern conceptions of what is considered adequate protection of information under the Fourth Amendment. It makes little sense that health or financial records printed out and stored in your home would receive protection under the Fourth Amendment, while digital copies of the same information stored in the cloud would not. It is high time to bring the ECPA into the twenty-first century.