September 17, 2010

Memorandum

To:SJC Minority Staff Subject:“The Electronic Communications Privacy Act:Promoting Security and Protecting Privacy in theDigital Age”

On Wednesday, September 22, 2010, at 10:00 a.m. in Dirksen 226, Chairman Leahy hasscheduled a hearing entitled, “The Electronic Communications Privacy Act: Promoting Securityand Protecting Privacy in the Digital Age.” This is likely intended to be a follow-up to a Househearing earlier this year, where so-called privacy advocates such as the ACLU argued for theimposition of a search warrant standard in the Electronic Communications Privacy Act (hereafter“ECPA”) for obtaining certain key classes of electronic information. House Republicansgenerally contended that the imposition of such a draconian standard was not justified by ademonstrated need, such as a record of ECPA abuses, and would negatively impact lawenforcement efforts to detect and apprehend serious criminals that use the internet.We anticipate that this hearing has been called by the Chairman as a driver for potentiallegislation to reform ECPA in an ACLU-endorsed manner. The first panel will feature twogovernment witnesses. In the second panel, a representative from the Center for Democracy &Technology (“CDT”) and Microsoft’s general counsel will testify for such ECPA reform; aminority witness will testify to discuss the ways the proposed reforms will negatively impact lawenforcement. During the second panel, your Member may want to direct your questions to theminority witness, focusing on the issue of the ways in which the changes proposed by the ACLUwould negatively impact law enforcement and indirectly benefit child pornographers and otherswho use the internet as a means of committing serious crimes.Below you will find descriptions of some of the issues that may arise at Wednesday’s hearing,and brief summaries of the three hearings that took place in the recent past.

I.BACKGROUND

A.ECPA: A carefully-balanced political compromise

Congress initially responded to the emergence of wireless communication services and thedigital era by enacting ECPA in 1986.

The federal wiretap statute had been limited to voicecommunications. ECPA extended the wiretap provisions to include wireless voicecommunications and electronic communications such as email or other computer-to-computertransmissions.

See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in varioussections of Title 18 including 2510-21, 2701-10, and 3121-26).

Under the Fourth Amendment, an individual generally has no reasonable expectation of privacyin information that he had already furnished to a third party.

Courts have now extended thisanalysis to network accounts, holding that individuals retain no Fourth Amendment privacyinterest in subscriber information and transactional records.

Therefore, as a general rule, ECPA’s current provisions (set forth below) go far beyond those required by the Fourth Amendment to protect the privacy interests of users of telecommunications services

, a pointwhich is rarely acknowledged by supporters of ECPA “reforms.”ECPA was intended to reestablish the balance between privacy and law enforcement, whichCongress found had been upset to the detriment of privacy by the development ofcommunications and computer technology and changes in the structure of thetelecommunications industry. Among the developments noted by Congress were “large-scaleelectronic mail operations, cellular and cordless phones, paging devices, miniaturizedtransmitters for radio surveillance, and a dazzling array of digitized networks.”

Privacy,Congress concluded, was in danger of being gradually eroded as technology advanced.

ECPA’s provisions, taken as a whole, can at first glance seem confusing and byzantine.However, as the years have gone by, courts have been able to apply ECPA’s provisions toevolving technological advances to the point that ECPA’s standards are generally clear andsettled. In a nutshell, under ECPA, so-called “public providers”

(almost all major Internet andcommunications service providers) cannot give customer information to the government exceptunder certain exceptions or through being served proper legal process.In order for the government to obtain unread email less than 180 days old, the government mustobtain a search warrant under a probable cause standard.

For it to obtain any other content(including read email and unread email older than 180 days), it must either (1) obtain a searchwarrant or (2) a court order authorized by 18 U.S.C. § 2703(d), which requires the showing that“specific and articulable facts showing that there are reasonable grounds to believe that thecontents of a wire or electronic communication … are relevant and material to an ongoing

See United States v. Miller, 425 U.S. 435 (1976) (holding that individual’s rights were not violated when his banktransmitted information that he had entrusted them with to the government); Smith v. Maryland, 442 U.S. 735(1979) (holding that the installation and use of the pen register was not a ‘search’ within the meaning of the FourthAmendment, and hence no warrant was required, because telephone users know that they must convey phonenumbers to the telephone company and that the company has facilities for recording this information and does infact record it for various legitimate business purposes).

See United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008) (“Every federal court to address this issue hasheld that subscriber information provided to an internet provider is not protected by the Fourth Amendment'sprivacy expectation.”); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (email and Internet users haveno reasonable expectation of privacy in source or destination addresses of email or the IP addresses of websitesvisited); Guest v. Leis, 255 F.3d 325, 336 (6th Cir. 2001) (finding no Fourth Amendment protection for networkaccount holders’ subscriber information obtained from communication service provider).

H.R. Rep. No. 99-647, at 18 (1986).

S. Rep. No. 99-541, at 2-3, 5 (1986); H.R. Rep. No. 99-647, at 16-19 (1986). See also H.R. Rep. No. 99-647, at 18(stating that “[l]egal protection against the unreasonable use of newer surveillance techniques has not kept pace withtechnology. “).

These are providers those who make “remote computing services” available “to the public,” even if for a fee.See18 U.S.C. § 2510(14).

See 18 U.S.C. § 2703(a).

criminal investigation,” accompanied by notice to the user.

The government can obtain mostnon-content transactional records (including historical cell phone location records

) the sameway, except that it does not need to provide notice to the user if it goes the 2703(d) route.

Finally, basic subscriber information, akin to that found in all sorts of other business records, canbe obtained via grand jury subpoena without court involvement.

The idea that ECPA is a thoughtless mess of rules and standards ignores the fact that thestructure of the law reflects a series of classifications that indicate the drafters’ judgments aboutwhat kinds of information implicate greater or lesser privacy interests. For example, the drafterssaw greater privacy interests in the content of stored emails and content than in subscriberaccount information. Similarly, the drafters believed that computing services available “to thepublic” required more strict regulation than services not available to the public. Even the much-derided “180 day” standard was serious contemplated: Congress believed that the storage ofemail past 180 days is more akin to that of business records maintained by a third party,

whichare accorded less protection under decades of court precedent.ECPA was designed to provide rules for government surveillance in the modern age. However,technology has evolved in unanticipated ways. The interactive nature of the Internet, nowincluding elements such as home banking and telecommuting, has produced an environment inwhich many people may spend hours each day “online.” That said, not only have courtsgenerally kept up in interpreting ECPA to evolving technologies, but the argument that thelanguage of ECPA needs updating does nothing to advance the second part of the privacygroups’ agenda: ratcheting-up the underlying standards (“probable cause,” “specific andarticulable facts”) at the heart of ECPA that were agreed to back in 1986 after significantpolitical compromise on both sides.

B.The CDT/ACLU/EFF proposals

The Center for Democracy & Technology bills itself as “a non-profit public interest organizationworking to keep the Internet open, innovative, and free.”

It is, by any fair reading, a liberaladvocacy group; for example, it has lobbied heavily for weakening the PATRIOT Act, aligningitself with organizations such as the ACLU, Electronic Frontier Foundation (“EFF”), HumanRights Watch, the National Association of Criminal Defense Lawyers, and People For the

See 18 U.S.C. § 2703(b).

Courts are divided as to whether the government needs a search warrant or a 2703(d) order to obtain

prospective

cell phone location data, as discussed below. But courts are nearly unanimous that the 2703(d) standard is all thatapplies for retrospective data. See, e.g., In RE U.S., 622 F. Supp. 2d 411 (S.D. Tex. 2007); In RE Applications ofU.S. for Orders Pursuant to Title 18, U.S. Code Sec. 2703(d), 509 F. Supp. 2d 76 (D. Mass. 2007); In REApplication of U.S. for an Order for Prospective Cell Site Location Information on a Certain Cellular Telephone,460 F. Supp. 2d 448 (S.D. N.Y. Oct. 23, 2006); In RE Application of U.S. for an Order for Disclosure of Telecomm.Records and Authorizing the Use of a Pen Register, 405 F. Supp. 2d 435 (S.D. N.Y. Dec. 20, 2005); In RE U.S. foran Order Authorizing Monitoring of Geolocation and Cell Site Data for a Sprint Spectrum Cell Phone Number, 2006WL 6217584 (D. D.C. Aug. 25, 2006).

See 18 U.S.C. § 2703(c)(1)(B).

See 18 U.S.C. § 2703(c)(1)(E) and (c)(2).

See H.R. Rep. No. 99-647, at 68 (1986).

See “About” (webpage), Center for Democracy and Technology, available at http://www.cdt.org/about (accessedSept. 14, 2010).