Last week, Senator Leahy proposed detailed language to update the Electronic Communications Privacy Act (ECPA), the primary law governing privacy rights for stored email. ECPA is woefully outdated—it was passed in 1986 before ubiquitous cloud computing and archived email even existed—so this is great news. The language will be discussed by the Judiciary committee this week and then hopefully advance to the whole Senate for consideration. If you haven't done so already, you should take our action alert urging Congress to protect our privacy by updating ECPA.
Right now, ECPA doesn’t always require a probable cause warrant to force service providers to turn over the contents of users’ private emails, instant messages, and social networking messages. The government can compel the handover of email stored at a “remote computing service” with a so-called “D order” without showing probable cause. Nor does the government need a warrant if an email message is older than 180 days. This low threshold to electronic messages is in stark contrast to the fourth amendment protections for physical letters. Most troubling, the Justice Department has maintained that opened, read mail left in your mailbox (e.g., Gmail) falls completely outside of the privacy protections of the Stored Communications Act.
None of this makes sense. The Sixth Circuit Court of Appeals said as much in 2010 when it held that the government's ability to obtain a person's email from a service provider without a warrant was unconstitutional. Leahy's proposed language extends that holding to the rest of the country, beginning the task of bringing ECPA into the 21st century. Leahy's bill also requires that the government use a probable cause warrant if it wants to obtain much non-content customer information. The proposed Senate language joins similar privacy-protective bills in the House like Rep. Nadler's introduction of a free-standing bill that requires the government to obtain a warrant before obtaining electronic communications.
The tide is clearly turning. Along with the Digital Due Process Coalition, a coalition of which EFF is a member, we continue to advocate for updating ECPA. The same protections found in the physical world should apply equally to the virtual world.
Unfortunately, Senator Leahy's proposed language would also weaken privacy-protective measures in the Video Privacy and Protection Act (VPPA). Currently, the VPPA requires users' consent each time a video tape service provider wants to disclose a user’s request or purchase of any video and also specifies that this information may only be disclosed to law enforcement with a warrant, court order, or grand jury subpoena. It also stops companies from sharing the data for marketing purposes. When Netflix recently challenged whether or not the law applies to online video, a federal district court ruled: “Congress [intended to protect] the confidentiality of private information about viewing preferences regardless of the business model or media format involved.”
As a result, video and social media companies like Facebook and Netflix are lobbying hard for changes. The former has spent $1.6 million dollars in the first half of 2012, while the latter has spent close to $400,000. Both companies have been successful so far—changes to the VPPA have already passed the House. Senator Leahy's language significantly rewrites the VPPA and breaks down its core privacy protections. The proposed language allows for one-time advance consent—blanket sharing for any and all videos a user watches without any nuance as to who the user is sharing the information with or what exactly the user is giving up control over.
At a hearing in January on the VPPA, Senator Leahy warned about certain "dominant companies," which want to "simplify matters so they can more easily track Americans activity across the board—obviously for their own financial benefit." At the same hearing, Leahy also said: "We need to be faithful to our fundamental right to privacy." We agree. Requiring warrants for stored email is a huge step in protecting privacy; weakening VPPA should not be the price paid.