ECPA And The High Cost of Tech Short-Sightedness

A Senate committee voted last Thursday to plug one of the largest gaps in online privacy, some 26 years after it was opened. What took so long?

Back in 1986, the Electronic Communications Privacy Act was supposed to wrap the same legal safeguards around digital and analog communications. But one misguided assumption has long since gutted its protections for many online users.

While this law requires a court warrant before an Internet service could be forced to give up a user’s e-mail records, it waives that requirement for messages stored online by that service for more than 180 days. The idea was that any e-mail parked on a server that long had to count as abandoned.

I’d like to think that you could have presented sufficient evidence to the contrary back then. Bulletin-board-system users had to keep all their data on remote terminals, and by 1985 e-mail developers were already codifying standards to store messages on “always up” servers instead of computers with limited availability.

Nor should it have taken that much imagination to suppose that the constant connectivity already available in government, military and academic labs in the mid-1980s would expand beyond those sites. But any such foresight was offline in Congress in the fall of 1986.

Less than 10 years later, Hotmail began introducing home users to the idea of keeping all of their e-mail online. And by 2006, enough people thought of Web-mail services as plain old e-mail that I had to explain in print how an e-mail client was this thing you ran on your own hard drive.

ECPA’s flaw has stayed unpatched all along.

(Congress doesn’t own all the blame for that. Most tech journalists, myself included, never thought to note this extra risk of storing mail online—-it’s sad that it took a national-security sex scandal to get the topic of e-mail privacy into the headlines.)

The ECPA revision proposed by Sen. Patrick Leahy (D.-Vt.) that passed the Judiciary Committee Thursday (an attempt last year didn’t get that far) would fix that. And if this bill actually makes its way into law by next year, the most likely timetable, Congress can take some credit for shipping a grotesquely overdue bug fix. In the meantime, we have a deeper question to ponder: How can we stop writing legislation that’s so tightly coded to one decade’s technology that it yields counterproductive results in the next?

It would be terrific if the House and the Senate would do better to educate themselves about the issues, even if that means nothing more than inviting a less obvious cast of characters at tech-policy hearings. (Some people around Washington still pine for Congress’s years-gone Office of Technology Assessment, although its presence in 1986 did not avert ECPA’s flaws.) But it may be more realistic to hope for legislation designed to evolve as technology does.

The Digital Millennium Copyright Act is a favorite punching bag of mine, but it does incorporate that principle: Every three years, the DMCA requires that the Librarian of Congress determine whether to grant or renew exemptions to the DMCA’s ban on technology that can undo digital locks on copyrighted content.

These waiver proceedings aren’t exactly coherent, to judge from their inconsistent results, but at least they’ve chiseled out cracks in the DMCA’s “anti-circumvention” wall. And at some point, our lawmakers might even take the hint.