The Electronic Communications Privacy Act (ECPA), the foundational statute governing law enforcement access to data held by U.S. communications providers, turns 40 this year. ECPA was signed into law by President Ronald Reagan in 1986, and its drafters were writing legislation for a time when users “dialed up” and downloaded messages from servers to their personal computers. It was a time well before the advent and ubiquity of cloud storage; a time when smartphones, connected homes and cars, and chatbots were the stuff of science fiction.
The act’s drafters endeavored to write a statute that would accommodate changes in technology yet to be seen but recognized that their limited ability to predict the future in the face of rapid change meant that the statute would have to be updated. Congress expected roughly a decade of longevity, maybe two, before the statute would need updating. It has now been four decades, and ECPA is sorely in need of an update.
What ECPA does
At its most basic level, ECPA provides rules for when U.S. communications providers like Google, Meta, Verizon, and OpenAI can and cannot disclose user information and sets rules government agencies in the U.S. must follow to compel a covered provider to disclose user data. ECPA also creates criminal and civil liability for unlawful interceptions and for unauthorized access to the contents of communications.
These rules appear across three different statutes that were created or updated by ECPA: the Wiretap Act (Title I of ECPA), the Stored Communications Act (SCA; Title II of ECPA), and the Pen Registers and Trap and Trace Devices statute (Pen/Trap; Title III of ECPA). In short, the Wiretap Act provides rules governing law enforcement’s interception of wire, oral, or electronic communications in real time, such as the collection of telephone, text, or email communications. The SCA provides rules governing law enforcement’s ability to compel stored information from covered providers, such as subscriber information, metadata, email, photos, or text messages. The Pen/Trap statute provides rules governing the use of devices to capture non-content information in real time pertaining to outgoing and incoming calls and communications, such as numbers dialed, numbers of incoming calls, and addressing information associated with email.
ECPA’s ability to provide privacy protections along with clear rules for law enforcement and U.S. communications providers depends upon statutory provisions that somewhat keep pace with our modern communications technologies and services and how we use them. When there are significant gaps, the statute eventually becomes counterproductive.
Why the Fourth Amendment cannot do the work alone
The Fourth Amendment has played an important role in defining the rules governing the government’s use of modern investigative technologies. The Supreme Court has repeatedly applied it to modern technologies, as in Kyllo v. United States (2001), where the Court held that using a thermal imager to obtain information about the interior of a home that could not otherwise have been obtained without physical intrusion was a search within the meaning of the Fourth Amendment. In United States v. Jones (2012), the Court held that attaching a GPS device to a vehicle and using it to monitor the vehicle’s movements was also a Fourth Amendment search because it involved a physical trespass on an “effect.” In Riley v. California (2014), the Court held that police generally may not, without a warrant, search digital information on a cell phone seized from an arrestee. And in Carpenter v. United States (2018), the Court held that accessing at least seven days of historical cell-site location information (CSLI) is a Fourth Amendment search and that the government generally must obtain a warrant supported by probable cause before acquiring such records.
Even with the Court’s attention to Fourth Amendment doctrine in these contemporary contexts, Michael Dreeben, the former deputy solicitor general who argued all of these cases for the government, warns against relying on the Fourth Amendment and the Supreme Court to do all of the lifting. It can take several years for Fourth Amendment questions to reach the Court, at which point the technology or service at issue may already be outdated or significantly changed. In Kyllo, the search was conducted well over nine years before the Supreme Court issued the decision. In Jones it was over six years, Riley was almost five, and Carpenter was more than seven years. This can be an eternity when it comes to rapidly evolving technologies and services in a highly competitive space. Case in point: At the end of April, the Court is set to hear arguments in Chatrie v. United States, a case where the Court will decide whether the execution of a geofence warrant violated the Fourth Amendment. The warrant in that case was obtained in 2019, and in the years it took for the case to work its way through the system, the provider changed the service in a manner that left it unable to respond to geofence warrants as before.
In addition, Dreeben explained that while the Court may announce broad principles drawn from a narrow, specific case focus, a single opinion generally doesn’t provide all the answers needed. Carpenter is a prime example. The Court explicitly declined to express a view on the constitutionality of real-time collection of cell-site location information or tower dumps (where law enforcement compels a telecommunications provider to disclose CSLI for each cell phone that connected to a specific cell tower in a particular time frame).
Moreover, in the context of rapidly changing technology, there are challenges inherent in determining whether a particular action by the government invades a “reasonable expectation of privacy,” the doctrinal test established in Katz v. United States (1967) when the Court held that warrantless wiretapping of a phone booth was an unconstitutional search, or whether such action violates the Fourth Amendment under trespass-based doctrine.
There’s no reason, however, that we need to wait for the Court to opine on what the minimum protections offered by the Fourth Amendment are, or to be limited to those minimum protections. Congress can, and in the past has, provided protections that are not merely codification of constitutional doctrine. In addition, the Fourth Amendment only covers governmental action. Congress can, and has, put in place consumer privacy protections that extend beyond addressing government surveillance.
Some of ECPA’s rules are decades out of date
The bad news is that parts of ECPA have been outpaced by technological change, and those advancements are deeply embedded in our lives and institutions. This is hardly surprising given that ECPA is now 40 years old and untouched in many material ways by Congress in the interim. The good news is that even with monumental advances in technology since 1986, ECPA does not need to be replaced. It needs selective updates to keep pace with changing technologies and how we use them.
One important resource Congress enjoyed when it was considering the need for and design of what ultimately became ECPA was the Office of Technology Assessment (OTA). The OTA served as a crucial adviser to help Congress understand the technology, the law, and what needed to change. Congress defunded the OTA in 1995. As Congress navigates revolutionary technologies that impact privacy and security, it could benefit now from the same support it had then, whether that’s by building up the Science, Technology Assessment, and Analytics team at the Government Accountability Office or standing up the OTA again.
There have been many promising efforts to update ECPA over the years; indeed at least as early as 2010, and in every Congress for the past 15 years, bills have been introduced to address some of the most out-of-date provisions. These include bills introduced in this Congress that would update parts of ECPA.
Six concrete areas for updating ECPA were recently presented in a set of Lawfare papers published as a series called “Installing Updates to ECPA.” They were then taken up at a one-day convening at Georgetown Law hosted by Lawfare, the Georgetown Law Institute for Technology Law & Policy, and the Center on Privacy and Technology. Together, the papers articulate targeted paths to consider for modernization, including proof-of-concept legislative language and section-by-section summaries.
One paper, authored by the two of us, addresses antiquated rules governing compelled disclosure of content—rules we call “the mullet of surveillance law.” Under certain circumstances, the SCA permits the government to compel stored content with a court order under a reasonable suspicion standard or a subpoena under a mere relevance standard rather than with a warrant based on probable cause. The proposal would replace the SCA’s carve-out-riddled regime with a single warrant requirement for compelled disclosure of content. It also addresses inadequate notice and remedies for users, and an edge case involving criminal defendants seeking exculpatory content held by providers.
Another paper, by David Kris, addresses non-disclosure orders (NDOs) issued under the SCA, secrecy orders that can bar a provider from telling a customer that the government has sought the customer’s data. Kris argues that the routine use of these orders can leave consumers and businesses unable to protect legal interests, including attorney-client privilege, while also discouraging use of cloud storage in ways that can undermine sound cybersecurity practices. His proposed “Data Proxy Act” would let a customer designate a trusted third party to stand in when notice is barred. With court approval, the provider could notify that proxy, who could then act to protect the customer’s interests without notifying the customer directly.
A third, by Aaron Cooper, argues that ECPA operates with a mismatched set of rules, with different legal standards, procedural protections, and remedies applied to surveillance practices that are functionally equivalent. Such statutory incoherence, Cooper sets out, undermines broader public policy interests as providers are challenged to understand their obligations, consumers are challenged to understand the data protections available across different forms of communication services, and law enforcement is unable to investigate crime “with transparent consequences for violating important statutory protections.” Cooper’s proposal would align standards for pen registers and comparable stored data, extend Wiretap Act protections to electronic communications, add suppression for unlawful content disclosures, and expressly allow provider challenges.
A fourth, by Jim Dempsey, offers a comprehensive framework for government acquisition of mobile location information. He explains that following Carpenter, at least one aspect of the SCA is unconstitutional: It permits the disclosure of seven or more days of stored CSLI with a court order issued under a reasonable suspicion standard, while Carpenter would require a warrant. In addition, he notes that Carpenter doesn’t address tower dumps, the compelled disclosure of location data in real time, the use of geofences (where companies are compelled to disclose all phones present within a geographic area during a specified time frame), or the direct collection of location data by the government through the use of cell-site simulators. The result is that there is a mix of approaches in the lower courts, some requiring warrants and others not. Dempsey also argues that while “Carpenter may mean that a warrant would be required to compel disclosure of . . . location information, . . . the Fourth Amendment may not regulate government purchase of it or its voluntary disclosure” by the provider. Dempsey’s proposal is to create a new chapter in Title 18, dedicated to mobile device location data, sitting next to the SCA. It would require a warrant for all government acquisitions of mobile location data, including tower dumps, real-time compelled and direct collection, and acquisitions from data brokers. It also proposes a two-stage judicial process for non-individualized searches like geofence searches. In addition, it would provide a statutory suppression rule, emergency exceptions, minimization requirements, and notice provisions.
A fifth, by Paul Ohm, addresses reverse searches, such as geofence and keyword warrants, through which the government compels online providers to search “their massive databases not for information about a known suspect, but to identify unknown individuals based on location, conduct, or search queries.” Ohm argues that reverse searches operate as “digital dragnets,” sweeping through the private data of large numbers of users in search of a few possible suspects. He contends that they “likely violate the Fourth Amendment’s prohibitions on general warrants and overbroad searches,” and probably aren’t authorized under the SCA. Ohm’s proposal would ban reverse searches by default while narrowly permitting specific types, starting with geofence warrants. Focusing specifically on geofence warrants, Ohm would borrow heightened protections from the Wiretap Act, including necessity and serious-crime predication, and would codify and tighten the familiar three-step geofence process by adding judicial oversight and limiting how many users may be unmasked.
A sixth, by Jennifer Daskal, addresses the 2018 CLOUD Act, which allows U.S. law enforcement to compel covered providers to disclose data regardless of where it is stored and creates a framework for certain foreign governments to obtain data directly from U.S. providers under executive agreements. Daskal argues that the law has been both misread and underused: misread as a broad new surveillance authority even though, she says, it changed neither the standards nor the process for compelling data from providers already within U.S. jurisdiction, and underused because its executive-agreement system has produced only two agreements so far. Her proposal would make three targeted changes. First, when the request to a provider is about the use of service by an enterprise (like a company, university, financial institution, or government entity), the proposal would require that the government first go to the enterprise itself. That requirement should only be excused under certain circumstances, such as when the enterprise itself is suspected of nefarious activity. Daskal points out that this is consistent with the current written policy of the Department of Justice. Second, she offers language to encourage and explicitly enable new CLOUD Act executive agreements, including with supranational entities like the EU. Finally, and relatedly, Daskal’s proposal would bar use of those agreements to support foreign decryption mandates or other measures that weaken security.
Action is needed by Congress
The need for updates to ECPA is manifest, and there are abundant common-sense and bipartisan improvements at the ready.
What is missing is congressional action.
Acknowledgements and disclosures
Google, Meta, and Verizon are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the authors and are not influenced by any donation.
Commentary
It’s time for Congress to update a 40-year-old surveillance law
April 24, 2026