Friday Q&A: CDT’s Chris Calabrese
Tech companies and public interest groups have been calling for an update of the 1986 Electronic Communications Privacy Act (ECPA). Technocrat talked with Chris Calabrese, who previously worked at the American Civil Liberties Union lobbying on privacy issues and now is senior policy director at the Center for Democracy & Technology, about the details of the law.
He said the 1986 law stemmed from a concern that third parties were beginning to retain increasing amounts of communications and information on individuals and that according to the Supreme Court, it didn’t have Fourth Amendment protection.
In starting to grapple with that in the 1980s, ECPA was their solution, he said.
Q: Okay, and so when you say third parties were starting to hold more communications of individuals, what type of communications are you talking about and who are these third parties?
A: So, in 1986, Congress obviously wasn’t entirely sure what these third parties were gonna look like. In 1986 they fell into really two broad categories, which are reflected in the law.
One is what the law calls ECSes, electronic communications services. And those are what we think of now as email providers — entities that were allowing people to share electronic communications back and forth….
And then the second category is what the law calls RCSes, or remote computing services. And those were essentially entities like Ross Perot’s [Electronic Data Systems], that basically took the payroll information of big companies, processed it and sent it back, right? So they weren’t a communications entity, they were more of a processing service.
And those distinctions turned out to be really important. Because Congress created essentially two categories of legal protection based on those characterizations.
So, ECSes were viewed as sort of high level of communication that would need to be protected, similar to a letter. And so they received full warrant protection under ECPA.
But at the same time, Congress really couldn’t and didn’t conceive of a time when email service providers would hold onto that information for very long, which of course is not the case today when Google and Facebook and Yahoo hold our information for essentially ever.
So what ECPA says is after 180 days, if the company is still holding information, the individual must have abandoned it, and so gives it a much lower level of protection.
Similarly, remote computing services because they were viewed as sort of the processing of business records were also given a lower level of protection. [Because] they were similar to sort of the business record exemption.
So, that leaves us in a state today where we’ve got a law that really only protects email communications back and forth for the first 180 days. And then after that, information that’s still held by third parties has a lower level of protection, and similarly, information that we just share say with the social network but maybe don’t mean to transmit to others, or store in the cloud as part of a cloud computing document also has a lower level of protection.
And that’s one of the reasons that advocates and companies have argued so forcefully to update the law. Because it doesn’t meet either the expectations of consumers or allow companies to offer the same level of protections in their cloud services as they would in the services that are offered in-house.
Q: So for the RCSes you mentioned, how does the law treat these remote computing services in terms of whether there’s a warrant that’s required or some other requirement?
A: Information held by an RCS can typically be accessed with a subpoena, which is a very low legal protection. It’s essentially just a letter from a prosecutor saying please give us this information. It’s not reviewed by a judge or approved by a judge.
By the same token, however, this is complicated by the fact that some courts have said that this type of information actually should be protected by the Fourth Amendment. And so some providers, many providers in fact, are looking at that court decision – it’s called U.S. v Warshak – and saying that we want a warrant for all of these records [because] we think a court might come down later and say that actually these are Fourth Amendment-protected. But there’s a great deal of uncertainty because the law is so old.
Q: Can you give me some examples of what are considered remote computing services?
A: The definition of remote computing service is very broad. It’s essentially anyone who takes your data and processes it, which is, you know, of course everything online….
I think a classic example of this is a Google cloud document.
So, it’s something that you’re really only preparing for yourself. It’s not going to anyone else. But it’s stored and held by Google.
Now, what makes this complicated and sort of highlights how the law’s become out of date, is if you choose to share that document with someone else, as people frequently do if they’re editing a joint document, does that suddenly become an electronic communications service? In other words, is it a way that I’m communicating back and forth between two people?
It seems like it does, and that makes for a very confusing rubric for a company or anyone who’s trying to figure out what legal standard they should have to meet.
Written by: Anne Kim