Your e-mail is nearly as public as the words you are now reading.
As it currently stands, government authorities can download and examine all your e-mail, store it, search it, and never inform you—with virtually no oversight or fear of violating any laws. Medical information, personal love missives, exchanges with your child’s teachers and doctors are all open to such searches. However, this situation may be about to finally change, depending on how discussions about the Electronic Communications Privacy Act (ECPA) go later this week.
One might first wonder if there is a real problem of abuse in terms of arbitrarily accessing citizens’ personal electronic information. The numbers seem to show that there is a problem, a big problem. For example, the everyman search engine, Google, reported earlier this month in its biannual transparency report that in the first half of 2012 it received 20,938 requests from governments to hand over user data (including e-mail, searches, and other stored information)—a more than 50 percent increase over 2010. The U.S. government was first in line, accounting for more than a third of those official requests (India was second in line).
Compounding the problem, cell phone carriers are also coughing up private digital information at an alarming rate. U.S. carriers recently revealed to Congress that they collectively responded to 1.3 million law enforcement demands in 2011 for text messages and location data about subscribers. Some of that information is being built into searchable databases, such as the NYPD’s Enterprise Case Management System that includes personal cell calling information, The New York Times reported this week. Much of the calling information has been culled without court order.
'Cell phone carriers are coughing up private digital information at an alarming rate.'
Many information demands are legitimate—searches for missing persons, evidence in criminal investigations—and not all information requests are honored, of course (Google has a daunting legal department) but many are, thanks in part to the ECPA. It was written back in 1986 during the early days of the digital revolution. The legislation was conceived of as a way of establishing the ground rules for law enforcement to access not only phone calls and voice mail but also the increasingly popular use of e-mail at the time. The problem is that e-mail was nascent communication tool then and it has changed considerably in the last 26 years.
At the time, most people downloaded and stored e-mail on their personal computers. So it was assumed that any e-mail left on a server (such as Earthlink or AOL) for more than 180 days had been abandoned. So law enforcement could look at it without a warrant (only a subpoena was required). Of course, now storage is cheap and most of us leave thousands of old e-mails on servers in the cloud using Google or Yahoo (you never know when you may want to rekindle an old acquaintance).
But isn’t the Fourth Amendment supposed to protect us all from such “unreasonable searches”? Well, yes and no.
It only does so when there is a reasonable expectation of privacy, such as personal letters, your home and hearth, etc. One exception to this protection is something legal folks call the third-party doctrine, which means that if you publicly expose information (say in your office) then you give up the expectation of privacy. That’s why it’s legal for someone to search through your trash on the sidewalk, for example, or to subpoena bank records. It also has been interpreted to mean that if you are storing all your personal information with a third party—beer pong photos on Facebook, e-mail on Google—then it could be subject to the third-party doctrine and you have therefore given up your privacy rights.
Of course, this is an outdated idea. No one expects their personal e-mails to be public just because they store them on Yahoo rather than their home computer. General Petraeus certainly didn’t expect his e-mails to be revealed this way, and he was the head of the CIA. And even though I may remind people to only put in texts and e-mails information they would be comfortable sharing on a billboard in Times Square, I sure wouldn’t want my comments about a certain person’s Thanksgiving dinner stuffing made public.
The Supreme Court, for one, seems to recognize this Internet Age problem and the inconsistent use of the expectation of privacy. In a landmark decision that cited one of my own articles on the subject, the Court ruled that there was an expectation of privacy against warrantless digital tracking of a person’s car. In the decision, the Court hinted at the fact that the same issue may apply to other digital information, such as e-mails and all the volumes of data accumulated on smart phones today.
Supposed you have nothing to hide? Well, you shouldn’t assume that personal information collected about you by local police departments is secure and could not be misused by criminals. Recently, the security firm NorseCorp showed me scores of hacking attacks in progress. The crooks weren’t using their own computers to steal records; they were using compromised police department systems across the U.S. to launch the attacks. So much for protecting your personal data.
The collection of information by law enforcement is essential for the police to do their jobs. But when it is necessary, it should be easy to go through a court and obtain a warrant, just as they do to search through your home office. In other words, rather than administrative subpoenas issued by government agents to carriers and ISPs, court-approved warrants should be required spelling out precisely the nature of the probable cause involved in the suspected crime. It would help businesses burdened by millions of arbitrary information requests and would put some teeth back into the Fourth Amendment.
A simple way to look at the problem is to dispense with the distinction without a difference between analog and digital information. Texts, e-mails, handwritten letters, phone calls, documents yellowing in your file cabinet at home, and Gmail in the cloud are all equivalent in terms of the expectation of privacy. If anything, texts are considered by many people to be the most private form of communication—which is why people text rather than phone each other. No one is supposed to be able to eavesdrop on your texts.
So the ECPA is due for an overhaul, which the Senate Committee on the Judiciary will begin discussing this Thursday. Stay tuned.