05/31/2010 05:12 am ET | Updated May 25, 2011

Is Your Email Private?

Is your email private? You may think it is, but you may also be surprised how easy it is for law enforcement to access it without a warrant. For instance, any email you write today requires a warrant before the police can take a look at it. But 180 days from now, that same email that you just sent can be accessed without a warrant.

The problem stems from technology moving faster than the legislative process. Much faster. On the order of comparing a cheetah to a snail, in fact. The main law for digital privacy is the Electronic Communications Privacy Act of 1986. Think about that for a moment -- 1986. For those not old enough to remember, at this point in computer history the World Wide Web did not exist (nor did the browsers to access it), email itself was in its infancy, and computer "networks" were (for the most part) local groups of computers tied together (as in a single office). The Macintosh was two years old. The computer of choice in the business world was the IBM PC. Diskettes held around 800 kilobytes, and a hard drive that was 20 megabytes was considered so big it would be hard to fill it up. Today, a single file can top 20 megabytes in size.

And yet the law defining digital privacy remains frozen in this Bronze Age of Computing. The reason the law only specifies emails less than 180 days old was that back then it was hard to conceive of any storage system being big enough to store emails for longer than that. But this is the law which defines the limits of your digital privacy today. And today's world, it should go without saying, is infinitely more complex. Consider "cloud computing" for instance. If you use popular free online email services (such as Yahoo or Gmail), your emails are stored somewhere in a virtual "cloud," and not on your personal machine. Meaning you don't have the same privacy rights over the content. This leads to some serious legal illogic. If you're working on a Google Documents spreadsheet on your computer, for instance, then the cops would need a warrant to see it. But once you save that document, no such warrant requirement exists. This makes no sense whatsoever.

But, as the San Jose Mercury News points out today, there is an industry group pushing Congress to update the 24-year-old law. Industry leaders such as Microsoft, Google, AOL, eBay, Intel, as well as other interested groups such as AT&T and the American Civil Liberties Union, have formed the group Digital Due Process which is urging Congress to revisit the outdated law. From the article:

Digital Due Process ... wants to require police and other government agencies engaged in a criminal investigation to get a court order or search warrant before accessing any personal e-mail or other data stored on an Internet "cloud" service such as Google Documents or Flickr. That also would be required before tracking a person's physical movements through their wireless phone network, monitoring real-time text messages or Instant Message conversations; or making data "bulk requests" such as a list of everyone who visits a particular Web site.

The group's proposals appear certain to get a hearing in Congress. Sen. Patrick Leahy, D-Vermont, chairman of the Senate Judiciary Committee, said Tuesday he would schedule hearings and called an update to the law "much-needed."

The proposals would not affect government investigations involving national security or terrorism, which are guided by a different set of laws.

Which brings up the second story in the news today. A federal judge has ruled that the Bush administration did indeed break these laws in its overzealousness after 9/11. From a breaking story on the Huffington Post comes the following:

A federal judge ruled Wednesday that government investigators illegally wiretapped the phone conversations of an Islamic charity and two American lawyers without a search warrant.

U.S. District Court Judge Vaughn Walker said the plaintiffs have provided enough evidence to show "they were subjected to warrantless electronic surveillance."

The judge ordered more legal arguments before deciding damages. Lawyers were seeking $1 million for each plaintiff plus attorney fees. The ruling also stands as repudiation of the now-defunct Bush administration's Terrorist Surveillance Program.

In both these instances, the legal boundaries are (or were) not adequately defined, leading to confusion both among privacy advocates and the federal government. The basic problem is the same snail/cheetah problem I mentioned earlier -- government just does not move as fast as technology. Laws need to be updated to reflect the world we live in today, and not the world of decades ago. In the case of the national security law, it has been recently updated, but the lawsuit stems from before such updating took place.

Now, defining where the boundaries are in this area is always a struggle between privacy advocates and law enforcement. But that struggle deserves to be played out publicly in Congress, which should draw a bright line between was is allowed and what is not. Even when the lines are well-defined, as today's ruling shows, the government sometimes ignores such boundaries. But that's all the more reason for up-to-date definitions of where privacy rights begin and end in the online world. Because if the rules are laid down for all to see, then when the government oversteps those bounds, it will pay a price for doing so in the courts. The fear of evidence being thrown out by a judge (and criminals walking away scot-free) is what constrains law enforcement and motivates them to get a warrant in the first place.

The Mercury News article ends with:

"1986 was light-years away in Internet terms, and it's now time to update" the law, said Jim Dempsey, vice president for public policy of the Center for Democracy and Technology, a nonprofit Internet civil liberties group leading the push for the change.

. . .

"We think a key element of that is privacy vis-a-vis government access," Mike Hintze, a Microsoft associate general counsel, said in a conference call with reporters Tuesday. "We just want to make sure the standards are clear, and that we can inform users what the standards are."

Dempsey said the companies expect resistance from law enforcement but want to have a dialogue about the proposals.

"We're looking for a compromise," he said, adding that law enforcement agencies would also get a benefit from updating the law. "On some of these issues, (police) are constitutionally vulnerable. They run the risk of losing cases when the courts start ruling on constitutional grounds."

Which is something everyone should consider. There will likely be a struggle between privacy-rights groups and law enforcement as Congress debates how to update the 1986 law, and both sides will doubtlessly get to make their case, assuming Patrick Leahy does hold some hearings on the subject. But the one thing everyone should agree upon is that the law does indeed need updating, and that having rules laid down which make sense in today's world will benefit everyone -- from citizens knowing that their email is private (even when older than six months), to law enforcement knowing exactly what they have to get a warrant for in today's interconnected computer world.

Congress admittedly has a pretty full plate right now, and it is an election year to boot, but this is one item they should put high on their "to do" list. Because -- wherever they ultimately draw the line -- creating a set of updated digital privacy rules is in everyone's best interest.

Chris Weigant blogs at:

Follow Chris on Twitter: @ChrisWeigant