As Congress returns from recess, it faces many looming tasks, not least of which is reining in the NSA's mass surveillance programs.
At the same time, it's important for Congress—as well as Internet advocates—to not lose sight of the important unfinished business of reforming the Electronic Communications Privacy Act (ECPA), the outdated law that says the government can access our online messages and documents without a warrant.
Updating ECPA has been a goal of privacy advocates and Internet companies for years, and in 2013, we're closer to reform than we've ever been. This summer's revelations about NSA surveillance serve as a reminder of how easily the government can access our digital communications, and why it is so important to have strong checks and balances in place to prevent the government from abusing this capability. Reforming ECPA is vital to curbing the government's increasing ability—and willingness—to reach into the private lives of Americans in the digital age.
Below are the top reasons we must reform ECPA now.
1. It's not just the NSA.
In June, as part of a series of stunning revelations about the NSA, The Guardian published a report that showed how the intelligence agency accessed communications without a warrant. What has gone missing in the ensuing NSA media blitz, however, is the fact that under ECPA, the Department of Justice, the IRS and hundreds of federal and even local government agencies can also access Americans’ digital communications without a warrant. As long as communications are over 180 days old, ECPA permits government agents to access them without a judge's sign-off. And ECPA says that all documents stored in the cloud, regardless of age, are available to the government without a warrant. In the days of cheap and practically unlimited online storage, in which people store their documents online for years, ECPA leaves an untold amount of private information outside the protection of the Fourth Amendment's warrant requirement. This must change.
2. We must restore trust.
In the wake of the NSA revelations, we've seen two online services—Lavabit and Silent Circle—close shop to avoid handing over their customers' communications to the US government. We've also seen reports that government surveillance is hitting companies' bottom lines. One recent paper forecasted that the US cloud industry could lose between $22 and $35 billion over the next three years. The big takeaway is that when companies and customers lose confidence in the safeguards that are supposed to prevent government snooping, it's bad for business. Reforming ECPA certainly isn't the only reform that's needed to restore confidence in the security of the Internet and the cloud, but it's an important step.
3. There is unprecedented support.
Historically, the biggest opponent of ECPA reform has been the Department of Justice. But in an incredible about-face this year, Attorney General Eric Holder said that the DOJ would support legislation to reform the law.
And in the wake of scandals involving potential privacy violations on the part of the IRS and DOJ, bills to reform ECPA enjoy far-reaching support on both sides of the aisle. Meanwhile, corporate and non-profit membership in Digital Due Process, a coalition for ECPA reform, continues to climb, with representatives from the startup community, large Internet companies, telecoms, and conservative and liberal non-profits joining the ranks each month.
This kind of broad support for any issue in Washington is rare. We should not let the opportunity pass to leverage this support into strong reform.
4. There is momentum.
After years of inertia, ECPA reform legislation is moving. In the Senate, Judiciary Chairman Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) have introduced the ECPA Amendments Act, which passed out of the Judiciary Committee this spring with bipartisan support and is poised to go to a floor vote this fall. In the House, the Email Privacy Act, introduced by Representatives Kevin Yoder (R-KS) and Sam Graves (R-GA), now has over 137 bipartisan co-sponsors.
5. We're close, but opposition is working to derail reform.
Despite all of the progress on ECPA this year, there have been hurdles. The biggest has been an ongoing attempt by the SEC to attach a provision to the Leahy-Lee bill that would give regulatory agencies authority to access digital communications without a warrant. As CDT Senior Counsel Greg Nojeim warns, while the Leahy-Lee bill is a crucial and long overdue reform, the SEC exception would "neuter" the bill from a privacy standpoint.
The attempts by the SEC to hijack the Senate bill illustrate an important point: If advocates and all of those who care about digital rights stand on the sidelines this fall without pushing for clean legislation, we could get stuck with a bad bill or no bill at all. Now's not the time to sit back - it's time we finally update ECPA.