Storage Wars: Greater Protection for Messages in Memory
The laws governing stored communication privacy—enacted almost thirty years ago—may finally be updated to reflect contemporary needs, at least in part. The Email Privacy Act,1 proposed by Representatives Kevin Yoder (R-Kan.), Tom Graves (R-Ga.), and Jared Polis (D-Colo.), would afford greater privacy protections for stored emails, in particular by requiring a warrant for any searches of emails stored for more than 180 days. This represents a small step towards strengthening the meager restrictions on law enforcement’s access to stored communications. Stored communications, as discussed in this Essay, are communications acquired by the government after they have been transmitted, as opposed to communications intercepted while in transit. Currently, stored communications are afforded far less privacy protection than communications in transit—a distinction that fails to comport with modern technological reality.
Under current law, stored communications—as opposed to communications in transit—fall “outside the Berger, Katz, and Wiretap Act core of highest protection.”2 These classic protections—preventing the government from “infring[ing] upon a reasonable expectation of privacy without prior judicial authorization based on a showing of probable cause”—don’t apply.3 Government acquisition of stored communications is in some cases limited by the Stored Communications Act (SCA), but in many circumstances, including “e-mail [accounts] provided by private employers, such as companies and universities,” there is “absolutely no protection from government demands.”4 Even where the SCA does apply, a warrant is not required to obtain communications held in storage for more than 180 days,5 and requirements for prior notice can be postponed repeatedly in 90-day blocks as needed.6 This Essay argues that many of these weaker protections for stored communications are not justified. It examines some of the ways that law enforcement acquisition of stored communications uniquely threatens privacy and suggests that there should be stronger safeguards against this type of intrusion.
Moore’s Law predicted in 1965 that processing power would double approximately every two years.7 This prediction has proved remarkably accurate,8 and the growth of computing power seems unlikely to slow in the future.9 Improvements to search algorithms and data analytics, pursued by the government10 as well as private entities,11 also occur at a rapid pace.
As a result of these technological developments, communications data in storage for only a few years can become subject to a level of analysis that may have been inconceivable at the time it was created.Government use of stored communications thus threatens to violate reasonable expectations of privacy by undermining notice. It is fair to say that individuals are on notice that their data are subject to scrutiny from whatever level of technology is contemporaneously available, and that their reasonable expectation of privacy is shaped by that knowledge.12 It strains credulity, however, to say that individuals are on notice that future technology—yet unknown and undeveloped—will be retroactively applied to them, and that the prospect of such retroactive application actually factors into their reasonable expectations of privacy.
In particular, advances in technology may cause information that was once considered non-content—i.e., “envelope” information such as recipient, sender, and time—nevertheless to reveal a great deal of information content about a person. For example, innovations in pattern-based data mining might allow the government to draw very accurate and detailed conclusions about an individual’s activities despite looking only at the times, places, and recipients of their communications.13 To the extent that the law seeks to distinguish content and non-content information in terms of communications privacy protection,14 the government should not be able to circumvent this distinction by using cutting-edge technology on old communications.
From the federal government’s perspective, stored communications—which have usually already been collected by a private entity—are much more cheaply obtained than intercepting communications in transit. Acquiring communications in transit—whether by pen registers, wiretaps, or bugging—requiresthe government to expend manpower and money. On the other hand, acquiring stored communications is as simple as requesting a copy. Hence, a lack of protections on stored communications significantly reduces resource constraints on police activity and leaves these communications especially prone to police abuse.
The effects are twofold. First, investigators have reduced incentives to be precise in their searches. With in-transit communications, surveillance over a longer time period or from multiple sources means expending more resources, so that in addition to being constrained by the letter of the law,15 police have cost incentives to exercise proper discretion. With stored communications, this incentive for self-restraint disappears, leading to deeper and broader surveillance overall. Second, our laws—built on the assumption that police forces have limited resources—factor in the probability that offenders will be caught when determining the length and severity of punishments, in order to ensure sufficient levels of deterrence.16 If law enforcement has largely unrestricted access to the vast quantity of communications in storage, and there is no commensurate rebalancing of punishment, then the result will be enforcement significantly over the level required for adequate deterrence.
Finally, technological advances have begun to strain the very distinction between communications in storage and communications in transit, if not to render the distinction completely obsolete. Three key ambiguities have already emerged, and will likely multiply in the near future. First, communications are increasingly accessed by front-end clients, obfuscating the issue of when a communication has actually reached its destination. For example, with IMAP or POP protocols, an email client like Microsoft Outlook or Apple Mail downloads a copy of an email from a service provider’s storage and either leaves the original (IMAP) or deletes it (POP).17 If a user never directly accesses the service provider’s storage, are his or her communications still in transit until opened via client?
Second, communications are increasingly handled by automated scripts, raising questions of who—or really “what”—can truly be considered the recipient of a communication. For instance, many email and text clients support auto-forwarding triggered by keywords or filters. Does a communication enter storage when it reaches an entirely automated middleman recipient, when the script actually scans it, or when it is forwarded along to a human reader?
Third, more and more data exists in a constant state of motion, with truly static storage taking place only for instants of time. For example, with cloud computing, many networked computers may each contain distributed pieces of a single communication, sending them to each other and receiving them as memory is needed or available on each machine. Does a communication cease to be in transit as soon as it reaches the network, when it is read for the first time, or when (if ever) it actually ceases to be in motion?
All of these questions highlight the extent to which advances in technology blur the distinction between stored and in-transit communications. As line-drawing becomes impracticable, users begin to treat both forms of communication similarly, and their privacy expectations for stored communications begin to match those of in-transit communications. As a result, the privacy protections afforded to stored communications should match those afforded to communications in transit.18
When the government acquires stored communications, it is able to apply current analysis techniques to data created under outdated expectations, it does so at a dangerously low cost, and it does so by relying on a distinction between stored and in-transit communications that is increasingly impracticable and unrealistic. Greater protections for stored communications are therefore necessary to prevent a significant erosion of privacy rights over the coming years. The Email Privacy Act, while limited in scope, represents a step in the right direction—and evidence of the growing need for stronger privacy protections.
Matthew Sipe is a member of the Yale Law School J.D. Class of 2015. He would like to thank Professor Christine Jolls for her insightful comments and for inspiring an interest in privacy law, as well as the editors of the Yale Law Journal for their feedback and editorial acumen.
Preferred Citation: Matthew Sipe, Storage Wars: Greater Protection for Messages in Memory, 124 Yale L.J. F. 29 (2014), http://www.yalelawjournal.org/forum/storage-wars-greater-protection-for-messages-in-memory.