2012 in Review: Steps in the Right Direction for Email Privacy
As the year draws to a close, EFF is looking back at the major trends influencing digital rights in 2012 and discussing where we are in the fight for free expression, innovation, fair use, and privacy. Click here to read other blog posts in this series.
After years of complaining that our email privacy laws were hopelessly outdated, 2012 saw a promising beacon of light peek out from the most unlikeliest of places: a sex scandal.
Although email has been the bedrock of Internet communication for decades, its legal protection has long suffered a two-pronged assault.
First, the government has consistently argued that information turned over to third parties – like emails that are stored with companies like Google or Yahoo! – lose their Fourth Amendment protection because it would be unreasonable for a person to expect information given to someone else to remain private. This year, the government used this theory, known as the “third party doctrine,” to justify warrantless access to social media information and cell site location records, too.
Second, the Electronic Communications Privacy Act (“ECPA”), the law Congress passed in 1986 to protect electronic communications stored with service providers, has been undermining electronic privacy as it became woefully out of date. Because of Congress’ failure to update ECPA to reflect the realities of modern life – where years of email correspondence is stored on servers – the Department of Justice believes (PDF) that ECPA allows it to access emails without a search warrant once they are 180 days old, or have been opened and left on the server regardless of age.
But thankfully, this year, we saw cracks on both of these fronts.
Building upon the Sixth Circuit Court of Appeals’ landmark, EFF assisted, 2010 case United States v. Warshak, which ruled people had a reasonable expectation of privacy in their email notwithstanding the fact it is held by a service provider, this year saw two more federal courts adopt Warshak and preserve privacy protection for emails and private Facebook messages (PDF) despite the third-party doctrine.
Similarly, a Senate Judiciary Committee hearing on updating ECPA received an unanticipated boost of national attention because of the scandal surrounding the extra-marital affair of former CIA director David Petraeus.
The affair highlighted how the government had access to an enormous amount of email, and how many of the methods used by Petraeus and Paula Broadwell to cover their tracks, such as accessing emails from hotels and other open Wi-Fi hotspots, and writing and reading messages in the draft folder rather than sending them, failed to keep their electronic correspondence privacy. While it's not clear whether the FBI broke any laws in its handling of the investigation, the case demonstrated the confusion and uncertainty surrounding ECPA.
When the Senate Judiciary Committee met to consider ECPA amendments just weeks after the Petraeus scandal became a national news story, we worked hard with other groups to urge Committee members to update ECPA. The biggest change being considered by the committee was to eliminate the 180-day loophole, and protect all email - regardless of its age or whether it’s opened or unopened – with a search warrant requirement. Needless to say, we were very thankful when the amendment passed out of the committee, bringing us another step closer towards meaningful email privacy protection within ECPA.
So while 2012 turned out to be an eventful year in the fight for email privacy, 2013 is shaping up to be an even bigger one. More courts will be grappling with whether there is a reasonable expectation of privacy in not only email, but also other forms of electronic data like tweets and files stored in the cloud. And the full Congress could well take up ECPA reform, hopefully allowing the positive steps taken to update ECPA by the Senate Judiciary Committee to go forward, without requiring other important privacy rights to be sacrificed instead.
There’s work for you to do in 2013, too. If you care about keeping your email private and ensuring it’s protected by the search warrant requirement, sign our petition urging Congress to update ECPA. If you need to ensure your emails remain truly anonymous, check out our tutorial on how to do it the right way. And for more tips on safeguarding your electronic privacy, make sure you check out our Surveillance Self Defense Guide.