ECPA and Privacy – Why YOU Should Care
Some may not be familiar with The Electronics Communications Privacy Act (ECPA). ECPA was enacted in 1986, when we lived in a very different electronic world than today; the “public” Internet did not even exist. The primary purpose for ECPA was to address the then-new communications technologies and services and govern how law enforcement could obtain information about “oral,” “wire” and “electronic” services, which at the time mostly consisted of bulletin boards and walled-garden portals. WebMail as we know it now did not exist and there were no cloud-based storage services.
ECPA addresses three levels of information: “customer information” which involves the customer name, billing address and other information such as length of service and payment method; “transactional information” which deals with communication-specific information like end-points and addresses, time and duration, and then the actual “content” of the communication. ECPA has three parts, addressing the communications market as it existed at the time. The first part addresses “wiretaps” – real-time “interception” of the content of a communication. The second part addresses “trap and trace” and “pen register” information dealing with calling and called numbers for an oral communication. The third part addresses “stored communications” – and (although they did not exist at the time) now cover WebMail and files stored in the “cloud.” Each ECPA part distinguishes between the three categories of information, and provides standards for law enforcement access to each of them, depending on context and the communications type.
There have been a number of amendments to ECPA over the years. Congress also passed the Communications Assistance to Law Enforcement Act (CALEA) (1994), the USA PATRIOT Act (2001), (dealing with the physical means by which law enforcement actually obtains content for interceptions, after judicial or other authorization), the PATRIOT Act (The title of the act is a ten letter bacronym (USA PATRIOT) that stands for Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001; it was recently renewed) and finally the Foreign Intelligence Surveillance Act (FISA), (2008). Congress has tried (and has consistently failed) to keep pace with technology growth, but the results have uniformly and consistently reduced, not protected, individual liberties, privacy or freedom.
A new amendment (S.607) to ECPA (not CALEA, PATRIOT or FISA) is in the works, introduced by Senator Leahy (D-VT). The new amendment seeks to strengthen the law around electronic communications privacy. This bill would fix several long overdue privacy issues. It is not a total panacea, but it is a move in the right direction. Basically, S.607 would require all state and federal law enforcement (but not the CIA or NSA) to obtain a warrant, after a showing “probable cause,” to obtain the “content” of any electronic communication. Texas, having just signed into law an amendment to its own ECPA, now requires a warrant for content. The rest of the country needs to do the same thing.
Golden Frog develops products like VyprVPN to help preserve an open and secure Internet experience while respecting user privacy. VyprVPN is used in more than 215 countries around the globe by people that share our belief that encryption helps protect your online privacy.
Ron Yokubaitis, co-CEO, Golden Frog