It's Time to Update the 30-Year-Old Electronic Communications Privacy Act

Karen S. Evans is a partner at KE&T Partners and the national director for the U.S. Cyber Challenge. She retired after nearly 28 years of federal government service with responsibilities ranging from a GS-2 to presidential appointee as the administrator for E-Government and Information Technology at the Office of Management and Budget.

Last week, the U.S. Court of Appeals for the Second Circuit announced its long-awaited decision in the dispute between Microsoft and the United States. In a landmark appeal decision, the court overturned the lower court’s ruling and permitted Microsoft to refuse to hand over its customer’s emails stored on its servers in another country.  

Many Americans may not understand why this decision is relevant to their daily lives: The federal government asserted tech companies own individuals’ personal information such as emails and photographs, and not the individuals themselves.  

This would give your personal information less privacy protection than the family notes you place in your dresser drawer at home. Multiple branches of government have important responsibilities in remedying this problem. The Court of Appeals has acted. Now, it’s time for Congress to modernize an outdated law.  

Over the last 30 years, Congress, law enforcement agencies and tech companies have created the complicated circumstances surrounding this legal case. Congress passed the Electronic Communications Privacy Act in 1986, long before the advent of email, text messages, or cloud computing.

Under the statute, law enforcement agencies are required to obtain warrants before accessing electronic messages transmitted by computer. But Congress hasn’t updated this law in three decades to reflect changes in modern technology.  

And in 2013, Microsoft refused to comply with a search warrant served by federal law enforcement. The warrant required Microsoft to turn over email messages belonging to of its customers -- a target of a law enforcement investigation -- stored on a computer located in Ireland.  

Last September, Microsoft asked the Second Circuit Court of Appeals to overturn a previous decision by the district court that would force Microsoft to hand over the emails to the government. In oral arguments, Microsoft asserted the power of a warrant only applies to a company’s own documents, not materials it houses for customers.

Conversely, the government argued it can make Microsoft hand over international emails because your emails should be categorized as a tech company’s business records rather than your private communications.

The gulf between the current law governing warrants and the reality of present-day technology has created this ambiguity. However, now that the Court of Appeals has ruled in favor of privacy, our government must take further actions to clarify the confusion. Congress should pass an update to the outdated ECPA. The Law Enforcement Access to Data Stored Abroad Act is a bipartisan opportunity to reform ECPA and improve international data sharing among law enforcement, while protecting the privacy of individuals.

The legislation clarifies that U.S. law enforcement warrants do not apply to emails of non-U.S. citizens stored in other countries. To date, companion bills with co-sponsors from both parties have been introduced in both the House and Senate.

Both sides of this debate are correct: the security and privacy of data should both be improved. Law enforcement benefits from expanded access to intelligence that may help prevent and combat terrorist threats. And individuals deserve enhanced privacy of their personal information.  

The good news is the government can take specific steps to address the confusion. Only when Congress takes action will the security and privacy of our nation and its people be truly protected.