The Electronic Communications Privacy Act (ECPA) recently turned 25 years old, but there may not be much to celebrate. The Act, designed to increase the privacy of computer users in 1986, has not aged well and many of its provisions are now a detriment to privacy.
In 1986, email was not stored on servers for any length of time. Users connected to the mail server and downloaded the message to an email client. Once that download completed, the message was erased from the server – it existed only on the user’s computer. Under ECPA, messages left on a server for more than 180 days are treated as ‘abandoned’, and as such are not subject to the same protections as email held on a user’s own computer. To access email on a personal computer, law enforcement must obtain a search warrant. To access messages abandoned on a server, the government need only supply a subpoena.
Fast forward to 2011. Many (if not most) of us use web-based mail services such as Yahoo!, Gmail, Hotmail, etc. Do you delete your messages that are older than 180 days? Nope. Which means, under ECPA, the government can access your old messages without a search warrant – they only need a subpoena. The same may be true for your files stored on services such as Facebook, Dropbox, Box.net, etc. Our current computing model is geared toward long-term online storage of files, but our legal privacy protections are not.
There is some movement to rectify this, but nothing concrete has emerged. From a counter-terrorism standpoint, it is easier to conduct surveillance and intelligence gathering on targets with only a subpoena than with a search warrant. It would not surprise me, given the USA PATRIOT Act, to see terrorism loopholes added to any modification of the ECPA.
Users must be aware of the security and privacy implications of their online activities, as well as how their expectations of privacy compare to the reality.