In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely regarded as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress were to repeal ECPA and enact a new privacy statute to replace it.
The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for noncontent records, and no attention to particularity or jurisdiction. Today's Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even U.S.-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes.
This Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for U.S.-based users and a permissive regime for users located abroad.
INTRODUCTION
I. THE HISTORY AND STRUCTURE OF ECPA
   A. Federal Surveillance Law Before ECPA
   B. The Office of Technology Assessment Report and the Need for ECPA
   C. The Enactment of ECPA and Its Major Amendments
   D. The Current Criticisms of ECPA--and Their Limits
II. HOW CHANGING LAW AND TECHNOLOGY RENDER ECPA OUTDATED
   A. Real-time Versus Stored Access
   B. ECS Versus RCS and the Limited Coverage of the SCA
   C. Content Versus Noncontent Metadata
   D. Particularity and Minimization of Internet Communications and Records
   E. The Territoriality of ECPA
III. CRAFTING A NEXT GENERATION PRIVACY ACT
   A. Congress Should Enact a Uniform Requirement for Access to Any Remotely Stored Contents Held by or for a Customer or Subscriber
   B. Particularity Requirements for Noncontent Data Should Be Imposed, Perhaps Based on a Concept of Customer-hours
   C. Minimization Rules Should Apply to All Obtained Contents of Communications
   D. Congress Could Establish a Two-Part User-Based Regime for Territoriality
CONCLUSION

INTRODUCTION
In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to govern the privacy of computer network communications. (1) The Act grants Internet users a set of statutory privacy rights that limits the government's power to access a person's communications and records. (2) ECPA has governed Internet privacy in the U.S. for over a quarter century with only minor revisions. (3)
In recent years, ECPA has become widely perceived as outdated. (4) Senator Patrick Leahy, the Chairman of the Senate Judiciary Committee, recently announced that ECPA reform is now a "top priority." (5) His counterpart on the House side, Representative Robert Goodlatte, chairman of the House Judiciary Committee, has also endorsed the need to reform ECPA and recently held hearings on ECPA reform. (6)
Despite the congressional interest in ECPA reform, existing reform proposals mostly nibble at the edges of the 1986 statute. (7) Those proposals accept the basic structure of ECPA as fixed, and they aim to tweak privacy protections within the Act's framework. This Article considers a thought experiment: What would the electronic communications privacy laws ideally look like if Congress could start from scratch and enact an entirely new law?
The Article contends that such a new privacy act would look quite different from the current ECPA. Network technologies have dramatically transformed since the 1980s. The extraordinary pace of technological change in the last quarter century means that the Internet of today bears only a slight resemblance to the Internet of the 1980s. Indeed, today's Internet is quite different from the Internet of a decade ago, often in ways that are imperceptible to the user but that have profound implications for privacy law. If Congress could start fresh and enact a new statute, those changes would lead to a law very different from the ECPA statute on the books today.
Two technological changes are particularly important. First, the plummeting costs of storage have changed how surveillance threatens privacy. (8) ECPA was drafted at a time when electronic storage was expensive and therefore relatively rare. Accordingly, ECPA treated real-time wiretapping as the chief privacy threat. Access to stored communications was a lesser concern. The opposite is true today. Storage has become remarkably cheap and therefore ubiquitous. Service providers now routinely store everything, and they can turn over everything to law enforcement. As a result of this technological change, access to stored records has become the greater privacy threat. The incredible growth of stored records renders ECPA's structure exactly backwards for the operation of modern computer networks.
Second, the Internet has become truly global. (9) ECPA was drafted when computer network usage was very heavily U.S.-based. The Act created statutory protections for U.S. users of U.S. services. Today's network usage looks dramatically different: only about ten percent of today's global Internet usage involves U.S.-based individuals. (10) The overwhelming majority of users of Internet services such as Gmail and Facebook are based abroad. (11) The global nature of today's Internet creates a series of jurisdictional headaches for global Internet services that might have corporate headquarters in one country, servers in another, and users all around the world.
More than just technology has changed: new principles of constitutional law have emerged that alter the proper role of statutory law. In the last five years, courts have begun to settle the basic parameters of how the Fourth Amendment applies to the Internet. (12) The original ECPA was designed as a statutory stand-in for uncertain Fourth Amendment protection. As the scope of Fourth Amendment protection becomes more certain, however, the statute's coverage may change with it.
As a practical matter, lawmakers rarely start from scratch when passing legislation. Amending prior laws is the norm for a variety of reasons. But if Congress were forced to enact a new privacy act, that new law ideally would be based on four principles. First, the new statute would impose a uniform warrant requirement for compelled access to contents held for a customer or subscriber. (13) The new statute would abolish ECPA's antiquated distinctions, such as the difference between real-time access and stored access and the complex categories of coverage of the Stored Communications Act. In place of those distinctions, the new statute would treat all access to contents under the same warrant standard.
Second, the law would enact a particularity requirement for compelled access to noncontent information. (14) One approach might rely on the concept of customer-hours. When the government obtains a court order to compel records, it should not be entitled to all of a user's records--or even worse, all records of hundreds of users. Instead, each court order could be limited based on both the time coverage of the order and the number of users implicated. If the government seeks records associated with many users, it must accept the tradeoff that those records will span a shorter window of time.
Third, the new law would impose minimization limitations for contents of communications obtained by government investigators. (15) When the government collects the contents of communications pursuant to a court order, investigators should be limited in what they can access. ECPA only imposes such limits for contents obtained by real-time wiretapping, reflecting the traditional sense that real-time access poses the greatest privacy threat. The functional collapse of the distinction between real-time and stored access means that those limits should now apply to all contents.
Fourth, a new law would adopt an explicit territoriality regime. (16) One solution would be to focus on the location of the user, with full warrant protections for users based in the United States and a permissive disclosure regime to foreign legal process for users based abroad. A global network demands different protections for local and foreign users. Under my proposal, U.S. users would receive full warrant protection regardless of the location of servers or corporate headquarters. By contrast, U.S. providers should be permitted, but not required, to disclose records pursuant to foreign legal processes for users based in the country seeking those records.
The argument will proceed in three parts. Part I introduces the history and structure of ECPA. This Part explores the computer technology that existed when ECPA was passed and explains how ECPA evolved in response to that technology. Part II explains why the existing statute is based on outdated assumptions. Changing technology and evolving constitutional law have dramatically shifted the factual and legal ground on which ECPA was based. Part III identifies the four major principles on which a next generation privacy act could be based. It points the way to new principles based on existing network technology.
I. THE HISTORY AND STRUCTURE OF ECPA
It is difficult to analyze ECPA without first understanding early Internet technology. This Part begins by explaining surveillance law before ECPA. It then turns to the...