Is Your Email Private?

[ Posted Wednesday, March 31st, 2010 – 16:40 UTC ]

Is your email private? You may think it is, but you may also be surprised how easy it is for law enforcement to access it without a warrant. For instance, any email you write today requires a warrant before the police can take a look at it. But 180 days from now, that same email that you just sent can be accessed without a warrant.

The problem stems from technology moving faster than the legislative process. Much faster. On the order of comparing a cheetah to a snail, in fact. The main law for digital privacy is the Electronic Communications Privacy Act of 1986. Think about that for a moment -- 1986. For those not old enough to remember, at this point in computer history the World Wide Web did not exist (nor did the browsers to access it), email itself was in its infancy, and computer "networks" were (for the most part) local groups of computers tied together (as in a single office). The Macintosh was two years old. The computer of choice in the business world was the IBM PC. Diskettes held around 800 kilobytes, and a hard drive that was 20 megabytes was considered so big it would be hard to fill it up. Today, a single file can top 20 megabytes in size.

And yet the law defining digital privacy remains frozen in this Bronze Age of Computing. The reason the law only specifies emails less than 180 days old was that back then it was hard to conceive of any storage system being big enough to store emails for longer than that. But this is the law which defines the limits of your digital privacy today. And today's world, it should go without saying, is infinitely more complex. Consider "cloud computing" for instance. If you use popular free online email services (such as Yahoo or Gmail), your emails are stored somewhere in a virtual "cloud," and not on your personal machine. Meaning you don't have the same privacy rights over the content. This leads to some serious legal illogic. If you're working on a Google Documents spreadsheet on your computer, for instance, then the cops would need a warrant to see it. But once you save that document, no such warrant requirement exists. This makes no sense whatsoever.

But, as the San Jose Mercury News points out today, there is an industry group pushing Congress to update the 24-year-old law. Industry leaders such as Microsoft, Google, AOL, eBay, Intel, as well as other interested groups such as AT&T and the American Civil Liberties Union, have formed the group Digital Due Process which is urging Congress to revisit the outdated law. From the article:

Digital Due Process ... wants to require police and other government agencies engaged in a criminal investigation to get a court order or search warrant before accessing any personal e-mail or other data stored on an Internet "cloud" service such as Google Documents or Flickr. That also would be required before tracking a person's physical movements through their wireless phone network, monitoring real-time text messages or Instant Message conversations; or making data "bulk requests" such as a list of everyone who visits a particular Web site.

The group's proposals appear certain to get a hearing in Congress. Sen. Patrick Leahy, D-Vermont, chairman of the Senate Judiciary Committee, said Tuesday he would schedule hearings and called an update to the law "much-needed."

The proposals would not affect government investigations involving national security or terrorism, which are guided by a different set of laws.

Which brings up the second story in the news today. A federal judge has ruled that the Bush administration did indeed break these laws in its overzealousness after 9/11. From a breaking story on the Huffington Post comes the following:

A federal judge ruled Wednesday that government investigators illegally wiretapped the phone conversations of an Islamic charity and two American lawyers without a search warrant.

U.S. District Court Judge Vaughn Walker said the plaintiffs have provided enough evidence to show "they were subjected to warrantless electronic surveillance."

The judge ordered more legal arguments before deciding damages. Lawyers were seeking $1 million for each plaintiff plus attorney fees. The ruling also stands as repudiation of the now-defunct Bush administration's Terrorist Surveillance Program.

In both these instances, the legal boundaries are (or were) not adequately defined, leading to confusion both among privacy advocates and the federal government. The basic problem is the same snail/cheetah problem I mentioned earlier -- government just does not move as fast as technology. Laws need to be updated to reflect the world we live in today, and not the world of decades ago. In the case of the national security law, it has been recently updated, but the lawsuit stems from before such updating took place.

Now, defining where the boundaries are in this area is always a struggle between privacy advocates and law enforcement. But that struggle deserves to be played out publicly in Congress, which should draw a bright line between was is allowed and what is not. Even when the lines are well-defined, as today's ruling shows, the government sometimes ignores such boundaries. But that's all the more reason for up-to-date definitions of where privacy rights begin and end in the online world. Because if the rules are laid down for all to see, then when the government oversteps those bounds, it will pay a price for doing so in the courts. The fear of evidence being thrown out by a judge (and criminals walking away scot-free) is what constrains law enforcement and motivates them to get a warrant in the first place.

The Mercury News article ends with:

"1986 was light-years away in Internet terms, and it's now time to update" the law, said Jim Dempsey, vice president for public policy of the Center for Democracy and Technology, a nonprofit Internet civil liberties group leading the push for the change.

. . .

"We think a key element of that is privacy vis-a-vis government access," Mike Hintze, a Microsoft associate general counsel, said in a conference call with reporters Tuesday. "We just want to make sure the standards are clear, and that we can inform users what the standards are."

Dempsey said the companies expect resistance from law enforcement but want to have a dialogue about the proposals.

"We're looking for a compromise," he said, adding that law enforcement agencies would also get a benefit from updating the law. "On some of these issues, (police) are constitutionally vulnerable. They run the risk of losing cases when the courts start ruling on constitutional grounds."

Which is something everyone should consider. There will likely be a struggle between privacy-rights groups and law enforcement as Congress debates how to update the 1986 law, and both sides will doubtlessly get to make their case, assuming Patrick Leahy does hold some hearings on the subject. But the one thing everyone should agree upon is that the law does indeed need updating, and that having rules laid down which make sense in today's world will benefit everyone -- from citizens knowing that their email is private (even when older than six months), to law enforcement knowing exactly what they have to get a warrant for in today's interconnected computer world.

Congress admittedly has a pretty full plate right now, and it is an election year to boot, but this is one item they should put high on their "to do" list. Because -- wherever they ultimately draw the line -- creating a set of updated digital privacy rules is in everyone's best interest.


Cross-posted at The Huffington Post

Follow Chris on Twitter: @ChrisWeigant


-- Chris Weigant


2 Comments on “Is Your Email Private?”

  1. [1] 
    LewDan wrote:

    The state of technology had nothing to do with the acts limitations. The Bank of America instituted the first general-purpose national credit card using electronic communications in the 1960's. It was well known to Congress that private and confidential electronic communications would be retained for years, if for no other reason than that in many cases IRS regulations required it. You also ignore the rather obvious point that there is no reason to sunset privacy protections other than to circumvent them.

    The real issue, as the founding fathers were well aware, is that our government, like all governments, is inherently untrustworthy and reluctantly relinquishes power only when and while forced to.

    The courts, the congress, and the president are not going to protect us. They never have. The courts, the congress, and the presidency are the tools we've been given to try to protect ourselves.

    The reason the act needs to be revisited is not because of technological advancements, its because enough of us now feel vulnerable and are sufficiently concerned to finally demand that our rights be respected. And the government, as always, will acquiesce no more than it absolutely has to and only as long as we're really paying attention.

  2. [2] 
    Michale wrote:

    While I agree that our laws need to be updated, I really don't have a problem with the government reading our emails for counter terrorism reasons..

    Personally, I think it is the epitome of selfishness and arrogance to think that MY personal privacy is worth more than a hundred innocent people's lives.. Or a thousand.... Or a million... Or just one...


Comments for this article are closed.