Email privacy

The Electronic Communications Privacy Act was written 29 years ago.  Before Google.  Before Facebook.  Even before AOL.

The rules that ECPA set up were based on how we worked 29 years ago.  While there have been many attempts to change ECPA, including the Electronic Communications Privacy Act Amendments Act of 2015 (ECPAA), none, so far, has passed.

The big issue, from a privacy standpoint, is that ECPA assumes that if you leave something in the cloud for more than 180 days, it is basically abandoned and therefore, your assumption of it being private is nullified.

Of course, anyone who uses GMail or Facebook Mail or whatever mail leaves all of the IMPORTANT stuff in the cloud for more than 180 days. It’s the junk that gets deleted.  The stuff that you save may not be private to you, but it may be.

ECPA says that if you leave your email in the cloud for more than 180 days, law enforcement can get a copy of whatever is there without having to convince a judge to give them a warrant.  All they need to do is send Google or Microsoft or Facebook a letter saying that they want it and that it is relevant to an investigation.

This is ANY law enforcement person from the local sheriff in a two person department to the FBI.  Anyone.

I am not sure that applies to other stuff stored in the cloud for more than 180 days but I will ask some folks and see what the answer is.

The only way you can mitigate this is if your email is encrypted.  The encryption that Google or Facebook does is irrelevant because they have the keys.  The only encryption that will affect this is end to end encryption where you control the keys (like PGP and it’s off shoots).  If it is encrypted it does not mean that the NSA cannot hack it, but it will definitely reduce random snooping.

For most of us, we live boring lives and there is not much of interest in our email.

Still, we frequently read where medical personnel are fired for snooping on friends, not so friends (ex-spouses) and celebrities medical records because of curiosity.  We hear about that because institutions are required to monitor and report on unauthorized access to medical records.  That does not mean that all institutions do monitor access, but they are supposed to.  It is much more likely to be detected at larger institutions where they have more sophisticated IT groups.

There is no such rule for law enforcement snooping, so we have no clue how much curiosity snooping occurs in this realm.  Google and Facebook report aggregate data at a very high level (For example, Google said that they received 3 requests for information from Estonia in the first half of 2014 and in 67% of those cases, they provided some information.  In that same period, they received 12,000+ requests in the U.S. and in 84% of the cases, they provided some data).  See Google Transparency Report for more information.

Govtrack says there is about a 1% that ECPAA will pass this year.

Leave a Reply

Your email address will not be published. Required fields are marked *