Most things electronic get updated at least every couple of years. But one of the main laws governing electronic privacy protections hasn’t been updated since . . . 1986.
That law is the Electronic Communications Privacy Act, enacted when Ronald Reagan was president, people still rented VHS tapes from Blockbuster on Friday nights and the Internet didn’t exist.
A huge loophole.
Under the ’86 ECPA, law enforcement can access electronic data such as emails and social media posts that are more than 180 days old without a court order because back in ’86, there was no such thing as an “email” or “social media” – and no law can cover something that hasn’t been conceived at the time the law was written. Also, because back in the ’80s, the state of server technology was such that old data was routinely deleted to make room on those servers for new data. It was presumed that warrants for data more than 180 days old wouldn’t be needed because data more than 180 days old would no longer exist.
But it’s not 1986 any more, Donald Trump is president, almost no one writes physical letters anymore and online data is forever – because server storage capacity is now effectively unlimited and data is no longer routinely deleted to make space for new data.
Whether it is 180 days old or 10 years old.
The emails you sent or received last year or even ten years ago are likely still in existence on a server somewhere, even if they no longer exist on your computer. And – because of the legal loophole dating back to ’86, they could be accessed, anytime – and without a court order.
Very possibly, without you even knowing about it, too – because under the ’86 law, there is no legal requirement that you be told there are eyes on your email and other online data.
This includes data stored on cloud servers and servers located outside the borders of the United States. The latter has created problems no one could have foreseen 30-something years ago. But it’s a big problem, nonetheless.
For the past several years, the Obama Justice Department has been attempting to strong-arm Microsoft to turn over data stored on servers located in Ireland, contravening Irish privacy laws.
The data is alleged to be relevant to an ongoing drug investigation DOJ is conducting, which may be absolutely true. But the fact that the DOJ wants the data doesn’t mean it has a legal right to just take it – or to force Microsoft to just hand it over, contrary to local laws.
The DOJ put Microsoft – and in principle – other companies such as Amazon and Google who store data outside the boundaries of the United States – in the untenable position of violating the privacy of their customers and the laws of the country in which the data is stored.
All because of a 30-year-old law that’s as applicable to our time as knowing who was an up-and-coming member of the Soviet Politburo back in ’86.
It’s time for a fast-forward.
The same privacy protections that apply to physical data such as letters and paper documents also ought to apply to online/digitized data – without a time limit.
And the U.S. government shouldn’t be pressuring American companies to flout the laws of foreign countries in which they do business, if only for the very good reason that it invites foreign countries to respond in kind and ignore American law when doing business within the United States.
There are two efforts under way in Congress toward fixing this mess.
One is S. 2986, the International Privacy Communications Act – which would specifically address the concerns raised by the Microsoft/DOJ overseas (and cloud storage) data kerfuffle. It is sponsored by Sens. Orrin Hatch, Chris Coons and Dean Heller. It would establish ground rules for cooperation between nations regarding law enforcement access to data stored in servers located outside the United States (and vice versa) so that local laws are respected.
Another – in the House – is the Emails Privacy Act, which would specifically address the issue of the eternality of emails and other online data such as social media posts, Tweets and so on. These could no longer be accessed without a criminal warrant, no matter their vintage. A six-month-old (or six-year-old) email would enjoy the same privacy protections under the law as one sent today.
The legislation is sponsored by Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo), with the backing of Washington Rep. Suzan DelBene (D) and has broad bipartisan support, as well as support among civil libertarians and the tech community.
All of them understand the importance of updating a law that’s as out of step with the times as Ocean Pacific shorts and VHS players.