Google, provider of the world’s largest email service, has once again aired its long-standing call for reform of the federal Electronic Communications Privacy Act (ECPA) of 1986.
In testimony before the Senate Judiciary Committee this week, Richard Salgado, Google’s director for law enforcement and information security, described ECPA reform as critical to protecting email and other stored digital content from overzealous government access.
“The inconsistent, confusing and uncertain standards that currently exist under ECPA fail to preserve the reasonable privacy expectations of Americans today,” he said in written testimony before the committee.
Internet service providers, law enforcement agencies and courts alike have had problems understanding the law and how it should be applied to current technology and business practices. “By creating inconsistent privacy protection for users of cloud services and inefficient and confusing compliance hurdles for service providers, ECPA has created an unnecessary disincentive to move to a more efficient, more productive method of computing,” Salgado said.
The biggest problem with ECPA is that it was drafted in the pre-Internet era and is, therefore, largely incompatible with current expectations for reasonable privacy around email and other digital content, he said.
Back when the bill first went into effect, people had no way to browse the World Wide Web and email was not available to the general public. Less than 350,000 Americans had cell phone service, and features like text messaging, Web browsing and application downloading were not available.
Today, hundreds of millions of Americans use the Web every day to send email and share ever-richer data and media content with others. Increasingly, Americans have come to rely on third-party providers to store everything from highly confidential communications to videos and family photos. “The expectation is that such service providers can and will provide infinite storage indefinitely,” he said.
In such an environment, ECPA’s provisions do not provide adequate privacy protections, according to Salgado.
The ECPA is a three-part law pertaining to the interception of oral, wire and electronic communications. The statute prohibits the unauthorized interception of such communications while setting ground rules for authorized government access to it. The part of the law that Google and others have said needs urgent reform pertains specifically to stored electronic communications and the government’s ability to compel service providers to disclose the communications to them on request.
The law, as currently written, allows government agencies and law enforcement to compel service providers to hand over the contents of an email that has been stored for more than 180 days, with little more than a subpoena. The law requires the government to obtain a search warrant for access to unopened email or email that is less than 180 days old.
Google and other service providers have argued that such distinctions make no sense and create unnecessary problems.
In a blog post Friday, Salgado said users have a right to expect that documents they store online are entitled to the same Fourth Amendment privacy protections as documents stored in a desk drawer at home. “ECPA allows government agencies to compel a provider to disclose the content of communications, like email and photos, without a warrant in some circumstances,” he noted.
“It is undeniable that ECPA no longer reflects users’ reasonable expectations of privacy and no longer comports with the constitution,” Salgado said.
Google and other Internet service providers have a major stake in getting the law revised. Edward Snowden’s revelations about the government’s extensive surveillance and data collection activities have raised considerable concerns about the safety and privacy of customer data held by American cloud providers and Internet service providers. Concerns that the U.S. government can force these service providers to hand over customer data using statutes like ECPA have caused some companies, especially overseas firms, to be wary of U.S. cloud services.