What is the Electronic Communications and Privacy Act?
The ECPA is decades old but still impacts your everyday computing life
The Internet was a different place in 1986. TCP/IP was only just rolling out. There were still fewer than 20,000 hosts online. Cisco had only just shipped its first router, and the web wouldn't be a thing for another five years.
Still, Congressional leaders were beginning to address the emerging global network's privacy-changing potential. They passed a groundbreaking piece of legislation called the Electronic Communications Privacy Act, which was one of the first attempts to define online privacy before most people understood what that meant. This article explores ECPA’s background, what it accomplished and how technology surpassed it.
Before the ECPA
Technology presents a constant challenge to lawmakers as they struggle to keep up with its new capabilities. Eavesdropping is a good example. In 1934, Congress passed the Federal Communications Act, which expanded a ban on eavesdropping to cover wire communications and private radio messages. That was all very well, but what about law enforcement agents who might need to listen in on a criminal's conversation?
Congress established Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (also known as the Wiretap Act) allowing cops to eavesdrop and wiretap under specific conditions. Lawmakers expanded it 10 years later to cover the gathering of foreign intelligence under the Foreign Intelligence Security Act (FISA).
Real-world situations continued to test the law, though. In 1979, Michael Lee Smith challenged Maryland over its use of pen registers and trap-and-trace devices to track a harassing phone call he made to his alleged victim.
A pen register, also known as a dialled number register (DNR), is a device that logs the numbers called from a telephone. A trap-and-trace device covers the other end, logging the numbers that called a specific device.
Neither of these recorded the content of the call when first developed. Instead, they focused on the metadata (the numbers involved in a call). The police used evidence from a pen register to justify a search of Smith's house. Smith argued collecting this data was illegal, but the Supreme Court disagreed. The phone company already had this data, judges said, so it wasn't private.
Enter the ECPA
These technology arguments were important at the time, but the commercial internet was about to introduce bigger ones. Telephone calls were one thing, but what about email?
In 1986, two years after the launch of the Prodigy online service and three years after AOL's first incarnation as Control Video Corporation, lawmakers brought legislation up to speed with the ECPA.
"It extended traditional protections against unlawful interception of telephone calls to stored emails and emails in transit," explains Marc Rotenberg, president of the Electronic Privacy Information Center. "Privacy protections are crucial to the security and confidentiality of email."
The ECPA came in three parts. The first revised Title III of the 1968 Wiretap Act to include electronic communications alongside aural ones in the list of prohibited eavesdropping targets. It also clarified when government officials could intercept those communications, following a Congressional investigation into illegal wiretapping activities by law enforcement and intelligence agencies during the 1960s.
While Title III covered intercepting live communications, it didn't cover the access of stored communications, which was becoming much more common thanks to the internet. The second part of the ECPA introduced the Stored Communications Act, which banned the unauthorized access to a person's stored communications such as email.
Finally, the ECPA expanded prohibitions on trap-and-trace devices and pen registers in another new piece of legislation called the Pen Register Act. This act made it clear government agencies couldn't use them without a warrant.
The law may be almost 35 years old, but it's still an important part of the modern legal landscape, explains James Mariani, an associate at law firm Frankfurt Kurnit Klein & Selz PC. "The ECPA and especially the Stored Communications Act is the vehicle that law enforcement uses to obtain online communications," he says. "It’s very relevant and at the heart of many long-term investigations for law enforcement agencies across the country."
Shortcomings
Nevertheless, Mariani says that the law is still outdated. How could it not be, when technology moves so quickly? It was a product for its time, but tech moves on. For example, the cloud wasn't around in its current all-encompassing form in 1986. Neither were other technologies like smartphones, explains Sophia Cope, staff attorney at the Electronic Frontier Foundation.
"The ECPA does not uniformly require that the government obtain a probable cause warrant from a judge before accessing personal content stored by cloud providers, nor do court opinions interpreting the Fourth Amendment," she points out. "EFF and others have advocated for an across-the-board warrant requirement for cloud content. We also think ECPA should require a warrant for geolocation information stored by third-party service providers such as cell phone companies."
While it still has its shortcomings, the ECPA hasn't stood still. Several new pieces of legislation in the last quarter-century have evolved the law. These included the FISA Amendments Act 2008, and the Department of Homeland Security Act along with the CLOUD Act, which Mariani says extended subpoenas to cover data held overseas by U.S. companies.
Two important amendments came in the form of the Communications Assistance for Law Enforcement Act of 1994, which required telecommunications companies to build targeted surveillance capabilities into their digital equipment, and the 2001 USA PATRIOT Act.
These were a hindrance to individual privacy rather than a help, argues EPIC's Rotenberg. "The amendments in 1994 and again after 9-11 were a setback. Both diminished important legal safeguards," he says.
That doesn't mean the ECPA isn't relevant, though. "Today, internet intermediaries store exponentially more personal content than when the law was first enacted in 1986," points out the EFF's Cope. "We don't think twice about using cloud services to store our most private emails and documents, just as we store letters and papers in our homes. To the extent that ECPA provides increased privacy protections for this information, it's even more important today than ever before."
The legislation isn't static; it evolves over time as amendments reflect new situations and conditions. The ECPA will probably change again as lawmakers struggle to keep up with the breakneck pace of technology. But for a law that hit the books in the earliest days of the modern internet, long before the first HTML page had been coded, it represented a stake in the ground; a brave attempt to create some clarity for the tumultuous age to come.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.