Today Google released its latest Transparency Report, which shows that U.S. government requests for user data have increased yet again. But that’s not the important part – the important part is how the government has requested this data.
Of the 8,438 requests made by the U.S. government from July through December 2012, 5,784 of them (68 percent) came in the form of subpoenas issued under the Electronic Communications Privacy Act (ECPA). The next largest chunk (22 percent) came from search warrants issued under ECPA. The remaining 758 (10 percent) “were mostly court orders issued under ECPA by judges or other processes that are difficult to categorize,” writes Google Legal Director Richard Salgado.
The fact that two-thirds of user data requests came in the form of subpoenas is a major problem, and further evidence that we need to overhaul ECPA as soon as possible.
Unlike search warrants, which require law enforcement to show a judge “probable cause” that user information is related to a crime, subpoenas can be granted without this judicial oversight. The reasons 68 percent of data requests were subpoenas is because ECPA mandates that any online “communications” held by third-party servers for more than 180 days is considered “abandoned” by users; therefore, this data may be accessed via subpoena rather than a search warrant.
The so-called ‘180-day rule’ may have made sense back in 1986, long before what we thought of as “the Internet” existed, before the majority of our communications took place online, through third-party servers. But it certainly doesn’t make sense anymore. Nowadays, most people’s communications history would be considered “abandoned” under ECPA. Six-month-old emails, instant messages, files stored with cloud services like DropBox, photos on Facebook, online calendars – all of this and more are accessible to law enforcement under ECPA with a simple subpoena.
This, ladies and gentlemen, is a problem.
Unfortunately, it’s a problem Congress is unwilling to solve – despite the fact that Federal courts have repeatedly found that a warrant should be required to obtain electronic communications data. Late last year, Sen. Patrick Leahy (D-VT) added an an amendment to an update of the Video Privacy Protection Act (VPPA) that would have rid this world of the 180-day rule and required law enforcement to obtain a search warrant before accessing most of our digital communications, thus bringing the Fourth Amendment protections of “unreasonable searches and seizures” firmly into the Internet age. This was the second time Leahy tried to pass the ECPA amendment, and the second time he failed.
Instead of standing firm for our rights, Leahy caved to the law enforcement community, which said the search warrant requirement would hamper their abilities to stop criminals, and rewrote the bill to allow 22 federal agencies to access our communications without a warrant. For better or worse, even that version was trashed, and the 25-year-old ECPA remains unchanged to this day.
Fortunately, “we the people” have “we the Internet companies” on our side for this fight. A coalition of rights advocacy groups, legal experts, and corporations have joined together to form Digital Due Process (DDP), which is devoted toward updating ECPA. DDP includes regular warriors in this battle, like the Electronic Frontier Foundation and the Center for Democracy & Technology, as well as industry behemoths like Apple, Google, Facebook, and many more.
According to The Hill, Leahy plans to push his ECPA amendment again this year (and we can only hope that it’s not the cowardly, gutted version he reverted to when the law enforcement community came knocking). So, in other words, there’s hope. Until then, keep this in mind: Anything you say anywhere online can and will be used against you in a court of law, no search warrant required.
To learn more about ECPA, click here.
Image via Mesut Dogan/Shutterstock