By Maya Kushner, Esq.
Privacy is a concern for most, if not all people using social media and other forms of electronic communications. We would like to be able to control who has access to our photos, posts, status updates, tweets, emails, and other data we send and share electronically. While the privacy settings in our social media accounts may give us a sense of security, how robust are the laws protecting our online privacy?
Most people have followed the National Security Agency (NSA) scandal in June of 2013, when whistleblower Edward Snowden leaked the agency’s confidential records of global surveillance, showing that it had indiscriminately collected electronic data from hundreds of millions of email and phone accounts: for example collecting 200 million text messages a day from across the globe. But what most people do not realize is that NSA’s actions were arguably lawful.
The only law that specifically governs the privacy of phone and electronic communications is the Electronic Communications Privacy Act (ECPA), which was passed in October of 1986. The law’s enactment dates back to the when the idea of Facebook had not crossed the mind of two-year-old Mark Zuckerberg, and only 8.2 — 15.0% of U.S. households had a computer (census data was not collected in 1986; 8.2% reflects the number in 1984 and 15.0% reflects the number in 1989). Thus, Congress could only imagine and guess at the type of communications it intended the ECPA to protect.
When it comes to phone communications and wire-tapping, the ECPA has been amended only a few times, for example by the US PATRIOT ACT in 2001, which arguably legalized the future mass data-collection actions of the NSA (courts are still in disagreement about whether NSA exceeded the scope of the Act). However, the Stored Communications Act (SCA) — the portion of the ECPA that regulates the privacy and accessibility of online communications such as emails and tweets — has remained unchanged since 1986.
The good news is that the SCA prohibits an electronic communications service provider (such as Google or Facebook) from voluntarily disclosing customer communications or records. So absent a legal demand, such as a subpoena, the provider may only disclose your communications to intermediaries that help render the service, to the intended recipient, or otherwise with your consent.
A provider is required to disclose information to a U.S. government agent or agency, but only when the agent or agency follows proper procedures, such as obtaining a warrant first.
The bad news is that it is exceedingly easy for the U.S. government agent or agency to obtain the information it wants. For reasons that are not entirely clear, Congress has made a distinction between electronic communications that have been stored for 180 days or less, and communications that have been stored for longer than 180 days. In order to obtain emails and other communications that are 180 days old or newer, the government must first obtain a warrant and notify the owner of the communications that it is seeking the disclosure. However, to obtain communications that have been stored for over 180 days, the government may choose to get an administrative subpoena or a court order instead, both of which are generally easier to obtain than a warrant. Furthermore, if the government decides to go the subpoena or court order rout, it can delay notifying the owner for up to three months, for such vague reasons as: notice may “otherwise seriously [jeopardize] an investigation or unduly [delay] a trial.”
Another problem is that the SCA is woefully outdated compared to the technology it regulates. For example, while the ECPA aims to protect telephone and oral communications both in transit and in storage, the SCA, as written, protects only stored electronic communications. This is because in 1986 Congress knew of electronic storage of information, but could not envision technological advances such as online instant messaging.
This outdated language was the subject of a 2005 case, United States v. Councilman, in the U.S. Court of Appeals for the First Circuit. In that case, a three-judge appeals panel ruled that the SCA protects only stored communications, information that has arrived at its intended destination. However, this same information, while in temporary storage or in transit to its destination is not protected by the SCA, and may be freely intercepted, the court said. Thankfully this decision was reversed on further appeal.
Arguably the worst part of the SCA is that the government holds all the cards. If you are a defendant in a criminal case or either party in a civil case, the SCA can make it nearly impossible to obtain the information you need. For example, Facebook will hand over a user’s basic subscriber information as well as his account content to the government, if the government presents a warrant, subpoena, or court order, as described above. However, Facebook will never disclose account contents to anyone other than the government or the account owner. It may “provide basic subscriber information [but not account content] where the requested information is indispensable to the case, and not within a party’s possession upon personal service of a valid federal, California or California domesticated subpoena and after notice to people affected.” The latter part means that if you are a criminal defendant or either party in a civil case in a state other than California, you may need to hire a lawyer just to file a request for a subpoena (one that is admitted to practice in California), and even then you will only obtain basic subscriber information, not messages, or photos, etc.
Furthermore, the government has at its disposal investigative techniques that are not available to private parties. For example, in a 2012 case United States v. Meregildo, the U.S. District Court for the Southern District of New York ruled that “where Facebook privacy settings allow viewership of postings by ‘friends,’ the Government may access them through a cooperating witness who is a ‘friend’ without violating the Fourth Amendment.” In other words, the government may obtain social media content and communications by having the investigating officer “friend” or “follow” the suspect, or else secure the cooperation of someone who is already “friends” with or “follows” the suspect, thereby bypassing any warrant requirement. Private parties, on the other hand, may not do the same thing. Legal ethics opinions in many states specifically prohibit attorneys from “friending” or directing someone else to “friend” the opposing party or a witness in litigation in order to obtain social media content and communications for use in the case.
For more information on the ECPA, its SCA subsection, and the efforts being made to modernize the law, see this article by the American Civil Liberties Union (ACLU).