Last week, the Second Circuit heard oral argument in the Microsoft Ireland case (transcript). The dispute raises a number of pressing questions about the Electronic Communications Privacy Act (ECPA), a bill that was written in 1986 and is badly in need of reform. Oral argument ended with Judge Lynch delivering the following plea to Congress: “I do think the one thing that probably everyone agrees on is that, as so often, it would be helpful if Congress would engage in that kind of nuanced regulation, and we’ll all be holding our breaths for when they do.”
Perhaps the Senate has heard him. Today, the Judiciary Committee is holding hearings regarding ECPA reform. Because there are so many different reform proposals on the table, it’s worth briefly exploring each proposal and its limitations. ECPA reform comes in essentially two flavors: efforts to strengthen privacy protections within the US, and efforts to improve the process by which foreign law enforcement obtain digital evidence managed by US firms. Both sorts of reforms are needed. Because I think none of the current proposals go far enough, I end by briefly outlining my own proposal to alleviate the international tensions that threaten the health of the global Internet — tensions I have described here and on ACS Blog.
Mostly Domestic ECPA Reform
1. The Email Privacy Act (R. 699) & The Electronic Communications Privacy Act Amendments Act of 2015 (S. 356, H.R. 283)
As it stands right now, ECPA does not require law enforcement to obtain a warrant — and therefore does not trigger Fourth Amendment due process standards — in order to access emails stored longer than 180 days. These related bills would require law enforcement to get a warrant for any stored communications, regardless of how long they’ve been stored. The bills would also eliminate a distinction in ECPA between emails stored by an “electronic communication service” and those stored by a “remote computing service” — a distinction that has been the cause of some controversy and does not map well onto the current technological landscape. (For an exploration of these issues, this article by Orin Kerr is helpful.) Effectively, these bills codify the rule in United States v. Warshak, which found that the Fourth Amendment requires a warrant before Internet service providers can turn over emails.
These bills are entirely concerned with domestic law enforcement access to stored data. This is an important reform, but the bills do nothing to alleviate the concerns of foreign law enforcement who are putting enormous pressure on the mutual legal assistance (MLA) regime.
2. The Law Enforcement Access to Data Stored Abroad (LEADS) Act (S. 512)
The bill that seems to have the most momentum on the heels of the Microsoft Ireland case is the LEADS Act. (Microsoft is the loudest sponsor.) The bill has domestic and some international components. Domestically, like the ECPA Amendments Act, it would establish a clear warrant requirement before technology firms can hand over stored communications, regardless of how long they’ve been stored and regardless of whether they are stored by an “electronic communication service” or a “remote computing service.” In addition, the bill would require the Attorney General to implement a number of important changes to the existing procedures for handling MLA requests for data, including creating an online tracking system for such requests. The bill also calls for the Justice Department to publish statistics about the number of MLA requests for data each year.
These reforms to the MLA regime are much needed — and entirely consistent with the findings of my report for the Global Network Initiative. But they do not go far enough. No matter how many improvements are made to the MLA process at the DOJ’s Office of International Affairs, it makes little sense to route hundreds of thousands of law enforcement requests from all over the world through the US, clogging up US courts. If British police are investigating a British crime on British soil, US law should not prohibit American technology firms from cooperating with UK law enforcement requests for criminal evidence.
Mostly International ECPA Reform
3. The “Visa Waiver Program” Model
To address the problem of foreign government access to data for law enforcement purposes, Peter Swire and Justin Hemmings have proposed modeling ECPA on the Visa Waiver Program. According to this model, law enforcement agents in a predetermined club of countries would be able to request data directly from technology firms. Countries outside the club would have to go through the usual (tedious) MLA process.
The problem with this proposal is that it appears to solve the easiest cases — like British law enforcement access to data — while exacerbating the harder cases (Brazil, India, and so on). Not only would such a proposal leave some countries out of the club, but the optics of creating an in-group and an out-group are problematic. Those who followed the ITU debates a few years back know how important it is that Internet governance issues not turn into clubs and anti-clubs. Countries like Brazil that have threatened to require data localization — forcing technology firms to store all relevant data on servers in country — will be emboldened if they are explicitly excluded from such a regime.
4. CDT’s “Straw Man” Proposal
The Center for Democracy and Technology (CDT) has offered a “straw man” proposal, one that they insist should not be credited as a CDT proposal. This is a shame, because in many respects it is a very strong proposal. The CDT proposal would, among other things, revise ECPA to allow American technology firms to cooperate with foreign law enforcement directly only where the request is “wholly domestic” — meaning the citizenship and location of the alleged victim, perpetrator and data subject are all the same country and the crime occurred in that country. If British cops are investigating a British crime committed on British soil between two Brits, this reform would allow American technology firms to cooperate with the British law enforcement request for data related to the crime.
The problem with this proposal — as CDT acknowledges — is that it only applies in the limited number of cases where every aspect of the case is domestic except for the data controller. The lawyers and policymakers that I’ve discussed this proposal with tell me that the cases that matter the most to foreign governments — the cases regarding transnational smuggling rings or terrorist networks — would still need to go through the usual MLA regime. This means that requests for data would need to meet an American constitutional standard and be evaluated by American courts, even though the case has nothing to do with the US except for the fact that the data controller is an American firm.
In my view, ECPA should be reformed to allow US firms to voluntarily comply with foreign government demands for US-stored electronic content if, and only if: (1) the data belongs to a non-American, (2) whom the state suspects of committing a crime, (3) the effects of which are felt on their soil, and (4) an independent third party (judge, magistrate, commission, etc.) has approved the request, (5) according to international standards of due process and human rights.
This proposal has a number of benefits: It relies on international due process standards rather than American ones; it frees companies to comply directly with local law enforcement requests, but it does not require them to comply; it does not create an explicit list of in-group and out-group countries; it mitigates the prospect of companies and users being caught in a conflict of laws; and it is consistent with the existing law of state jurisdiction. There is much more that could be said about each of the elements of this proposal, a task I will take up in another post.
Let me end with a call for feedback. I’m mindful that some readers here are ECPA experts, and this brief post cannot capture all aspects of all of the competing ECPA reform proposals, so I look forward to hearing from you if you have any reactions to this analysis.