Last year, we published a white paper calling for a fundamental realignment of laws governing how governments access digital communications. This effort is urgent in light of the central role of the Internet in today’s world, growing security threats that transcend borders, and expectations of privacy that Internet users have in their online communications.
In March, the U.S. Congress took the first step toward this realignment in enacting the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act creates a legal framework that clarifies the scope of search warrants under the Electronic Communications Privacy Act (ECPA) executed by U.S. governmental entities. It also creates a mechanism for foreign governments to request communications content directly from U.S. companies, provided that those governments meet baseline privacy, due process, and human rights standards.
The CLOUD Act represents the first significant update to ECPA since it was enacted in 1986, but it is only a first step. In the past eight years, we’ve testified five times in support of legislation that would require governmental entities to obtain a search warrant in order to compel service providers to disclose the content of users’ communications. The House of Representatives has passed legislation that would accomplish this objective—the Email Privacy Act—three times since 2016. The Senate still needs to act. Passage of the bill would be a landmark achievement, and it would reinforce a recent Supreme Court decision that underscores the importance of Fourth Amendment privacy protections in the digital age.
In June, the U.S. Supreme Court held in Carpenter v. United States that the long-term tracking of cell-site location information is a search that requires the government to obtain a warrant under the Fourth Amendment to the U.S. Constitution. Google, along with other technology companies, submitted an amicus brief in that case. We argued that storing data with a third-party service provider should not extinguish privacy protections under the Fourth Amendment. The U.S. Supreme Court agreed, rejecting the proposition that citizens deserve less privacy protection merely because they store data with third-party service providers.
The Supreme Court’s decision in Carpenter, however, does not answer important policy questions about the standards governments should meet before they can compel the production of sensitive user data. While courts will continue to grapple with these issues, legislatures can and should update government access statutes to align the law with the legitimate and reasonable expectations of privacy that users have when they use third-party services. Legislatures, for example, should be revisiting government access laws to protect location information. Legislatures should also be delving more deeply into the burgeoning Internet of Things marketplace, where the application of existing government access laws is unclear and the growing use of Internet-connected devices (particularly in the home) raises important privacy questions.
Policymakers shouldn’t wait to address these important questions, or leave it to courts to interpret outdated laws, but should update privacy protections in light of how people use services in the digital era. Government access laws should reflect evolving expectations of privacy and the increasing importance of online services to our daily lives. We urge legislatures to begin that work now.