Skip to main content

It's time to reformat data privacy for the 21st century, but does Congress want the upgrade?

It's time to reformat data privacy for the 21st century, but does Congress want the upgrade?


A newly-proposed bill is attempting to reconfigure an antiquated privacy law, ensuring that all requests for cloud data require a warrant citing probable cause. But is such sweeping reform even possible under our current Congress?

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Google Congress
Google Congress

In 1986, years before the emergence of the World Wide Web, few people expected that the whole "internet" thing would take off. Nor did they anticipate the widespread use of cellphones, or that a good deal of our day-to-day activities would be mediated by monolithic info-vacuums like Google and Facebook, thus placing troves of our most sensitive information into private third party databanks.

And yet it was during this time that the Electronic Communications Privacy Act (ECPA), the sole reference point for our current guidelines on data privacy, was written into law. For more than two decades, the ECPA has been American citizens' only defense against unchecked electronic surveillance. And since it was framed during a time when most peoples' email lived on local machines and ubiquitous cloud storage was nothing more than a pipe dream, ECPA's outdated text gives law enforcement broad and dangerous powers over private data that regularly collide with First and Fourth Amendment rights.

Now a newly-proposed bill, the ECPA Modernization Act [PDF], is attempting to finally reconfigure that antiquated legislation by making all law enforcement requests for cloud data require a warrant. If passed, it would forbid the collection of not only email, but other forms of online communication recorded in cloud servers — like private documents, location information, and social networking data — unless law enforcement can cite probable cause that a crime has been committed. But with police surveillance and warrantless wiretapping already becoming the norm, is such sweeping reform even possible under our current Congress?

ECPA has been the Achilles Heel of privacy advocates hoping to preserve these protections for the internet age

"Communications technology is evolving at an exponential rate and, as such, requires corresponding updates to our privacy laws," reads a statement from Rep. Jerrold Nadler, the New York Congressman who is co-sponsoring the bill along with Rep. John Conyers of Michigan. "This bill will both protect the privacy of the information transmitted by digital communications and provide clear standards to guide law enforcement and the courts."

Currently, under ECPA, law enforcement is allowed to search emails without a warrant, as long as they've been stored on cloud servers for at least 180 days and have been declared "relevant" to an investigation. Combined with the troublesome "third party doctrine," which dictates that property given to third parties forfeits protections from search and seizure under the Fourth Amendment, ECPA has been the Achilles Heel of privacy advocates looking to preserve these protections for the internet age.

Unsurprisingly, law enforcement officials have been especially resistant to such reforms, stating on multiple occasions that the restrictions and reporting requirements would "hamstring" efforts to crack down on criminal activity.

It's also no surprise considering that US law enforcement has been going buck-wild making demands for third party data. Last year, Google reported that those groups made 6,321 data requests targeting 12,243 accounts between July and December, increased from 5,950 requests and 11,057 accounts in the previous six months. The US numbers again dwarfed those of any other country named in the report, with Google reporting that 93% of those requests were "fully or partially complied with."

Twitter reported similar stats, with the United States accounting for 80% of the total requests for user data between January and June of this year. And last month, major carriers including AT&T, T-mobile, Verizon, and Sprint reported that US law enforcement issued a jaw-dropping 1.3 million requests for cellphone subscriber data in the past year alone.

And those are just the ones we know about. Under the USA Patriot Act, the FBI has been evading privacy laws altogether, sending hundreds of thousands of secret subpoenas that not only demand the data of American citizens, but come with with gag orders preventing services providers from informing the customers who are being targeted.

"There is consensus in the business community and amongst privacy rights groups that the status quo is unacceptable."

"There is consensus in the business community and amongst privacy rights groups that the status quo is unacceptable and our proposed standard for access to the content of electronic communications is a recommended best practice for law enforcement," Rep. Nadler said in a statement to The Verge. "We have to educate our colleagues about the problems with existing law and why our solution strikes the right balance."

Other prominent figures in government agree. In concurrence to a landmark Supreme Court decision earlier this year which declared warrantless GPS tracking illegal, Justice Sonya Sotomayor said that exceptions for protections on data held by third parties were "ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

Last year, a similar bill was killed before it even reached committee

The crusade won't be the first attempt to bring privacy laws into the 21st century, however. Last year, a similar bill headed up by Sen. Patrick Leahy of Vermont was killed before it even reached committee. Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation, expects that the new bill will hit similar road bumps, if it makes it to the House floor at all.

"Law enforcement will oppose [the bill] because they want the easy access to this content they get under current law," Fakhoury said in an email. And while many service providers probably don't care whether or not requests come with a warrant, he suspects they will put up a fight if the law requires that they report on the requests, rather than law enforcement. In April, a similar California bill that would require warrants for police to obtain cell site location data had its reporting requirements dropped due to pressure from CTIA, a powerful lobbying group for the US wireless industry.

Without an updated set of legal protections, rulings on individual privacy rights will remain inconsistent at best. But with Congress' continued unwillingness to pass such legislation — and its demonstrated zeal in passing anything which benefits big copyright owners at the expense of civil liberties — the chances of enacting progressive privacy laws like those proposed by Nadler and Conyers remain slim.