Computers, Privacy & the Constitution

Issues on the Electronic Communications Privacy Act and Possible Solutions

-- By MayaWakamatsu - 12 Mar 2022

1. Introduction

It is said that the Electronic Communications Privacy Act (ECPA) has some issues because of the gap between the current circumstances of information technology and the provisions of ECPA (Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. PA. L. REV. 373, 384 (2014) https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=1546&context=penn_law_review). The distinction between content information and non-content information and the distinction between real-time communications and stored communications under ECPA may not be appropriate for the current situation.

2. Issues on ECPA

Under ECPA, (1) content information/non-content information and (2) real-time communications/stored communications are regulated separately.

2.1.Content Information in Remote Storage

Under ECPA, “a governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant.” (18 U.S.C. § 2703(a)) On the other hand, “a governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days” by a warrant (without required notice to a customer), a subpoena, or a court order (with prior notice to a customer) (18 U.S.C. § 2703(a)(b)).

2.2.Real-time Content Information

A wiretap order is required to obtain real-time content information (18 U.S.C. §2511), and a wiretap order is essentially a search warrant with special additional features unique to wiretaps.

2.3.Non-content Information in Remote Storage

Non-content information is subject to lesser restrictions than actual content (https://epic.org/ecpa/). Under ECPA, non-content information (subscriber records or transactional details about communications) can generally be obtained by “a court order” (18 U.S.C. § 2703(c)). Although the order is issued by a court, the court is not issuing a warrant based upon probable cause. Instead, § 2703(d) requires only that there be “specific and articulable facts showing that there are reasonable grounds to believe” that the records requested are “relevant and material to an ongoing criminal investigation.”

2.4.Real-time Non-content Information

An order is required to obtain real-time non-content information. The order is issued by courts based on a very low standard (18 U.S.C. § 3121). The requesting agent has to verify that information likely to be obtained will be “relevant to an ongoing criminal investigation” (18 U.S.C. § 3123(a)).

3. Possible Solutions

3.1. California Electronic Communications Privacy Act

In contrast to ECPA, California Electronic Communications Privacy Act (CalECPA? ) provides stricter procedures. Under CalECPA? , “a government entity may compel the production of or access to electronic communication information from a service provider, or compel the production of or access to electronic device information from any person or entity other than the authorized possessor of the device only under the following circumstances: (1) Pursuant to a warrant … (2) Pursuant to a wiretap order … (3) Pursuant to an order for electronic reader records pursuant to Section 1798.90 of the Civil Code. (4) Pursuant to a subpoena … provided that the information is not sought for the purpose of investigating or prosecuting a criminal offense… (5) Pursuant to an order for a pen register or trap and trace device, or both …” (California Code, Penal Code – PEN § 1546.1(b)). CalECPA? generally prohibits a government entity from compelling the production of, or access to, electronic communication information or electronic device information without a warrant or a wiretap order in criminal cases, with certain exceptions (e.g., emergency request). In addition, notice must be served upon or delivered to the identified targets of the warrant or emergency request (https://www.lawfareblog.com/so-whats-california-electronic-communications-privacy-act). For example, under CalECPA? , location-based information stored by cell phone companies is treated uniformly as a type of electronic facility information, regardless of whether it is stored in a third party's electronic facility or their personal electronic facility. State government departments must always request disclosure of location-based information stored by cellular phone companies with a warrant. CalECPA? 's regulations are stricter than ECPA’s regulations concerning search on information. I believe that ECPA can fill the gap between the current circumstances of information technology and the provisions of the law by amending provisions to require government agencies to obtain a warrant when they access non-content information or stored information.

3.2. Introducing Personal Servers at Home

I believe that ECPA should be amended as above mentioned, but I would like to think about another way to protect our privacy. Nowadays, many people use services like email, calendar, and SNS which are provided for free by firms like Google, Apple, or Facebook. Their data is collected, stored, and surveilled by the firms. If the government searches on information stored in the firms without a search warrant, our privacy will be threatened. As above mentioned, with the spread of the Internet and low-cost or free storage services, a lot of data is stored on servers, it is difficult to distinguish between content information and non-content information, or between real-time communication and stored communication. If you introduce personal servers at home rather than giving our information to the firms, government agencies need a search warrant to access your data on a personal server at home under the Fourth Amendment, whereas a warrant may not be required under ECPA if your emails are stored in remote storage. You can have a private server (such as FreedomBox? (https://freedombox.org/) or a similar personal server) on your home computer, build a mail server on the personal server, and store your information in the personal and private storage, with the personal server located in your home rather than third party’s remote storage. The system will help to protect your computer network and information with the secure system. In this way, you can protect your privacy from government agencies and private firms.

4. Conclusion

In conclusion, I believe that we can protect our privacy by amending ECPA and introducing personal servers at home.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r3 - 07 May 2022 - 01:03:32 - MayaWakamatsu
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM