Google recently released its latest biannual Transparency Report, detailing government and court requests it received for user data and its compliance rates with those requests. Unsurprisingly, the United States was far ahead of the pack with 8,438 requests, more than tripling India, which came in second with 2,431 requests. As a new feature of this report, Google provided further details on the types of legal requests it received. Of particular interest are the 22% of requests that were unaccompanied by a warrant. Google acknowledged a distinction between its treatment of requests for simple registration information and content of communications. Yahoo has also come forward with the announcement that they too require warrants for certain types of requests, but Google is arguably upping the ante for enhancement of the protections of the Electronic Communications Privacy Act (ECPA) with its release of specific information regarding the requests it receives and how it handles them.

The ECPA was passed in 1986, and has been interpreted as not requiring a warrant for access to data more than 180 days old, at which point the data is considered abandoned and thus worthy of less protection under the Fourth Amendment. Privacy advocacy groups have been pressing for an update to the law for quite some time, but perhaps the publicity following Google’s revelation of both the high number of requests and the support provided to back the requests will elicit more public interest and will better support action in Congress. This interest has also been piqued by the General Petraeus scandal, which was developed in part from access to an email account.

Legislation supported by Senate Judiciary Committee Chairman Patrick Leahy would update the ECPA to require the government to obtain a warrant before accessing messages, even if the messages are more than 180 days old. Of course, Google and others claim that they already make such demands before granting the government’s requests, reaching beyond the technical  requirements of the ECPA. In making such demands, the companies have at least in part relied on the Sixth Circuit’s United States v. Warshak, where, in some tension with precedent, the Sixth Circuit acknowledged a heightened protection for email messages. The Supreme Court has not weighed in on the issue. In contrast, those wary of updating the ECPA tend to cite a desire not to hamper criminal investigations to support their position.

The result is an uncertain world where some companies provide more privacy protection than is unambiguously supported by current law.  Arguably, users of services provided by companies with less ability or willingness to go to bat for privacy rights will not be able to benefit from the privacy protection provided to those using services provided by companies such as Google. Will Google’s provision of new information related to these practices provide enough pressure to force an update to ECPA by Congress? Will lower courts continue to advance varying requirements? Will the Supreme Court step in to clean up the conflicting precedent? If so, would the Supreme Court have any defensible options to enhance privacy without legislative action?

Emma Stephens

Image Source

Tagged with:

Comments are closed.