Cybersecurity & Tech Surveillance & Privacy

Fixing the Stored Communications Act’s Secret Search Problem

Jesse Lieberfeld, Neil Richards
Friday, June 30, 2023, 11:30 AM
How does current digital search practice potentially violate Fourth Amendment protections? And how can the ECPA be mended to uphold essential digital civil liberties?
Google Headquarters in Mountain View, July 27, 2016. (The Pancake of Heaven, https://commons.wikimedia.org/wiki/File:Googleplex_HQ_(cropped).jpg; CC BY-SA 4.0, https://creativecommons.org/licenses/by-sa/4.0/legalcode)

Published by The Lawfare Institute
in Cooperation With
Brookings

If you’re reading this article, you—like many people today—probably have a lot of sensitive information stored in the cloud. You might have data on cloud-based email services like Gmail; on cloud storage services like Dropbox, OneDrive, and iCloud; on one of the many social network platforms like Twitter and Instagram; and possibly on all of the above. Today, 10 years after the Snowden revelations, most people know that the government can access vast quantities of digital information. But fewer realize how much of this acquisition happens in secret, without the target ever realizing it. The amount of information scooped up in this way by law enforcement is staggering. For example, Google alone received over 97,000 government requests for its users’ information in 2021 and disclosed that information over 80 percent of the time. Most of the time, the targets of these searches are never charged with a crime, yet they never learn that their data has been given to the police. You might be wondering how, if at all, this is legal. The answer has to do with a set of arcane and outdated legal rules from the 1980s era of floppy disks and dial-up modems. Quite possibly in violation of the Fourth Amendment, these outdated rules have been interpreted to allow barely fettered secret access to whole swaths of sensitive human information. A handful of scholars have already noted the troubling implications of these increasingly ubiquitous practices for civil liberties: When covert surveillance becomes routine, people are left to assume they are being monitored, a severe detriment to freedom of expression.

In a forthcoming law review article, we make two new arguments about this regrettable state of affairs that implicates essential digital civil liberties. First, we explain why the practice of secret government searches is both bad policy and likely unconstitutional under the Fourth Amendment’s requirement that police need to get a warrant before they engage in a search of digital or physical “papers.” Second, we tell the story of how these practices represent a complete inversion of the ancient traditional rule that people have the right to be notified promptly when government agents access their secrets and rummage through their lives. Typically, legal academics would argue that, having identified a likely illegal problem, someone should file a lawsuit to fix it. Unfortunately, in this case procedural reasons mean that litigation is likely to be a limited solution at best to this widespread but under-the-radar problem. A far better solution would be statutory reform that would fix the archaic legal provisions being used by the government to turn on its head the traditional presumption against secret government searches.

How did this inversion of the traditional rule come to pass? Today, police face few meaningful constraints when conducting this surveillance because the laws and constitutional doctrines designed to check these searches have not kept up with the times. The primary law regulating electronic searches, 18 U.S.C. § 2703, passed as part of the Electronic Communications Privacy Act of 1986 (ECPA), dates to that era of floppy disks and dial-up when cloud storage was shockingly expensive and barely used. As a result, when it passed ECPA, Congress neglected to give strong protection to the cloud. 

Much of the Supreme Court’s case law on Fourth Amendment protections against unannounced searches also predates the era of cloud storage. Since the 1960s, the Supreme Court has gradually wandered away from the ancient rule that law enforcement must always announce searches, allowing police more flexibility to prevent occupants from destroying evidence, escaping, or harming officers. These exceptions might make sense on their own terms, but they simply don’t apply to the cloud: Since suspects cannot occupy digital accounts as they can occupy physical spaces, the traditional rule strictly requiring pre-search announcement is better suited to cases involving digital surveillance. If this rule is constitutionally required (and we think it is), secret searches authorized by Section 2703 would plainly violate the Fourth Amendment. As a result, courts should strike down the ECPA’s secret-surveillance provisions—at least to the extent that they can hear cases challenging them. Better yet, to solve the problem adequately, we believe that Congress must revise the ECPA to comply with people’s constitutional guarantee against unreasonable searches and seizures.

Congress Should Grant Wiretap Act-Type Protections to Stored Communications Searches

Today, the ECPA is poorly suited to protect the public against unannounced searches because it is based on premises about communications technology that are outdated and obsolete. In 1986, with the prospect of the mass adoption of email visible on the horizon, Congress passed the ECPA to regulate two forms of surveillance: real-time wiretaps and searches of stored communications. Today, cloud storage searches generally fall into the latter category, but in the 1980s, wiretaps posed the greater privacy threat as the government’s primary method of surveillance since the invention of the telephone. Congress therefore enacted strong protections for wiretaps, requiring law enforcement officials to intercept the minimum portion of a communication necessary to achieve their objective, and to justify each use and disclosure of its contents (as the Wiretap Act of 1968 had done previously, and as the brilliant television series The Wire illustrated so well). 

However, the other part of the ECPA governing stored records such as files and emails—called the Stored Communications Act (SCA)—gave officers far more leniency. Section 2703(b)(1)(A) lets the government require providers of remote computing services (that is, offsite storage or data processing) to disclose contents of electronic or wire communications “without required notice to the subscriber or customer, if the governmental entity obtains a warrant.” Similarly, Section 2703(a) allows the government to execute warrants without notice for communications stored electronically (that is, on services such as email, cell phones, and social media platforms) for over 180 days. Even if the communication has not been stored for 180 days, Section 2703(a) mandates only that the service provider be informed, not the customer. These provisions allow the government to search most people’s emails, social media messages, and files stored in the cloud without informing them.

Moreover, the SCA did not require government agents to justify each use and disclosure of stored communications, nor to minimize the amount they intercepted. Instead, it allowed government investigators to access entire user accounts and use any number of communications in them with merely “reasonable grounds to believe” that the information sought is “relevant and material to an ongoing criminal investigation,” a far lower evidentiary bar than the requirement for wiretaps. Furthermore, the SCA lacked the Fourth Amendment’s particularity requirement: It did not compel law enforcement to specify which files or records they sought to access. In short, the ECPA maintained and expanded the extensive procedural safeguards surrounding wiretaps but gave law enforcement extensive leeway to search emails, computer files, and other stored communications without notifying their owners. 

At the time, such leniency would have appeared to carry little risk, as stored communications were expensive and rare. But things have changed significantly over the intervening four decades. Today, a vast share of communications falls under these lax rules. In 1985, when a gigabyte of storage cost $40,000, customers generally stored files on remote servers for short intervals until they could transfer them to personal computers. Today, by contrast, storage is practically free—Google Drive provides all of its customers with 15 gigabytes of storage for no monetary cost. Additionally, many businesses today collect substantial revenue from targeted advertising, a practice requiring the preservation and analysis of large volumes of their users’ stored communications. As a result, the share of communications that is stored rather than made in real time (for example, through a phone call) has grown enormously since passage of the ECPA, enabling law enforcement far greater access to people’s most personal information than Congress could have envisioned. While wiretap requests are now relatively uncommon, the largest tech companies regularly receive tens of thousands of search warrants that fall under the SCA in a year, usually with no obligation to notify the person whose data is collected.

This state of affairs is both perverse and the very definition of an unintended consequence, and we believe that Congress should revise the SCA to implement more stringent governance of stored communications searches. Because electronic searches give the police vastly greater surveillance powers than in non-electronic contexts, when Congress passed the old Wiretap Act in 1968, it mandated that law enforcement officials seeking evidence show special need and high-level government approval before searching stored communications. Congress also required that officials minimize unannounced searches of stored communications, justify each use and disclosure of communications they search, and provide to the authorizing judge “a full and complete statement as to whether or not other investigative procedures have been tried and failed or why they reasonably appear to be unlikely to succeed if tried or to be too dangerous.” Congress retained this standard for emails when it updated the Wiretap Act by passing the ECPA in 1986, and we believe that these heightened protections should also apply to the much-needed update for the cloud. 

This standard would preserve the notice requirement’s underlying principles of presumed innocence and intellectual privacy. Making officers prove to a judge that providing notice would be impractical or even dangerous allows secret searches only in exceptional cases and only after rebutting the presumption of innocence. Likewise, requiring that officers minimize unannounced stored communications searches protects the intellectual privacy necessary for meaningful free expression. If police can secretly rummage through citizens’ files, those citizens would not know which of their communications had been searched, or why, and would be forced to assume that all of their communications could be searched, placing an enormous chilling effect on their ability to talk freely with each other.

Courts Should Require Notice for Digital Searches

Like the SCA, U.S. courts’ jurisprudence on unannounced searches has not kept pace with modern technology. Notice used to be an absolute requirement for conducting searches, but the courts have slowly weakened this requirement because of concerns that an occupant might escape, retaliate against officers, or destroy evidence. However, because few if any of these concerns are present in the case of digital searches, and since digital records, unlike physical places, have no “occupant,” this relaxation of the rule should not apply.

The Fourth Amendment doctrine known today as the “knock-and-announce rule” or the “notice requirement” requires police to announce their presence and purpose before they search a property even with a warrant. Though familiar from many police television dramas, the rule’s origins actually date back many centuries, to at least as early as 1275 in England, after which it was universally followed in England, the British North American colonies and then the United States until the 19th century. Over these many centuries, this rule had no exceptions: Law enforcement officials were required to announce themselves no matter what exigent circumstances might cause them to fear that a suspect would escape, retaliate, or destroy evidence upon observing their presence. Creating exceptions for exigent circumstances was thought to undermine the presumption of innocence—police were required to presume that a suspect would peacefully obey their commands upon being informed of their authority. Furthermore, the rule applied even when no warrant was required (such as when police witnessed a felony and pursued the fleeing perpetrator).

The strict notice requirement was part of Fourth Amendment doctrine from the beginning, but U.S. courts came to weaken the rule over time, ultimately creating a wide array of circumstances in which police could search citizens’ property unannounced. During the 19th century, lower courts began recognizing exceptions to the notice requirement in exigent circumstances, such as when “imminent danger to human life” existed or when announcement might give a suspect “notice of his danger and an opportunity of effecting his escape.” The Supreme Court first considered whether the Fourth Amendment’s notice requirement had exceptions in Ker v. California (1963), but no majority opinion emerged. Lower courts therefore continued to be split on the question of whether the notice requirement was absolute until the Supreme Court revisited the issue three decades later. 

Ultimately, in Wilson v. Arkansas (1995) and Richards v. Wisconsin (1997), the Court reframed the knock-and-announce rule as merely one factor in determining whether a warrant was lawfully executed, rather than as an independent requirement. Richards provided the current standard for unannounced searches, holding that “[i]n order to justify a ‘no-knock’ entry, the police must have a reasonable suspicion that knocking and announcing their presence, under the particular circumstances, would be dangerous or futile, or that it would inhibit the effective investigation of the crime by, for example, allowing the destruction of evidence.” The Court determined that this standard struck “the appropriate balance between the legitimate law enforcement concerns at issue in the execution of search warrants and the individual privacy interests affected by no-knock entries” that lower courts had grappled with since the 1820s. 

Once again, though, we can see a legal framework (this time one of common law doctrine) that has not kept up with the times. The relaxation of the announcement rule was designed to combat dangers to officers that might arise when searching physical premises. Yet digital searches do not pose the same risks to officers as searches of physical property—there is no occupant who might harm officers or escape. To be sure, suspects could still attempt to destroy evidence if notified before the investigation begins, though many cloud providers keep backups of data that their customers cannot themselves delete. Thus, there is no reason to prohibit notice to suspects immediately after the evidence from digital searches has been secured. Such a result would actually be consistent with Richards, which did not involve digital searches; it would require only a ruling that during digital searches, the dangers Richards contemplated would not be present. 

Extending such protections to digital searches would also align with a broader—and welcome—trend in Fourth Amendment law taking the dangers of digital searches seriously. In recent cases like United States v. Warshak (2010)Riley v. California (2014), and Carpenter v. United States (2018), the Supreme Court and lower federal courts have become increasingly committed to extending hard-won civil liberties protections against unreasonable searches and seizures into digital contexts. In Riley v. California, for example, the Supreme Court recognized how digital devices and the cloud are qualitatively and quantitatively different from physical searches in declining to extend the search-incident-to-arrest exception to the warrant requirement to searches of mobile phones. In Carpenter, itself an SCA case, the Court explained that it “has never held that the Government may subpoena third parties for records in which the suspect has a reasonable expectation of privacy.” We believe that these cases yield the following conclusions: First, the Fourth Amendment applies strongly to digital contexts, particularly where there are records with close similarities to traditional forms of communication. Second, exceptions to the warrant requirement based on harm to officers or frustration of their purpose do not apply when searching digital data. Because Richards requires that officers executing a warrant either announce themselves or have a reasonable suspicion that they might be harmed or have their purpose frustrated, no warrant for a Section 2703(a) or 2703(b)(1)(A) search is proper without announcement.

Remedies

How, then, should we solve this problem? Fighting the growth of unannounced searches will require action by multiple branches of government. Courts should certainly rule that in criminal prosecutions, the Richards exception to notice is simply inapplicable to digital searches because its rationale is absent. But such a solution would be incomplete. It is difficult to challenge secret searches unless the government brings criminal charges, since suspects are unlikely to otherwise learn of an unannounced search, even though their rights are violated when the search occurs. And as we’ve seen, the targets of secret digital searches are rarely charged with crimes. In addition, after the case of Hudson v. Michigan (2006), the exclusionary rule does not apply to violations of the announcement rule, suggesting that it might not apply to secret digital searches either. And even if a secret search were found to be unconstitutional, the evidence still would likely come in if officers could show good-faith reliance on the order. As we explain in our article, this means that to solve this growing constitutional problem, Congress must also revise the SCA to grant stored communications the full Wiretap Act-style protections described above. Ultimately, statutory reform of the ECPA and the SCA are the only way to fully protect digital civil liberties.

The ECPA governs much data about people’s daily lives and communication. If law enforcement can routinely probe such information secretly, Fourth Amendment protections risk becoming a dead letter. Americans deserve certainty that authorities do not regularly monitor them without their knowledge. Today they lack this certainty. To regain it, policymakers must create a notice regime that reflects both the augmented threat to privacy harms and the diminished threat to officers during digital searches. People’s civil liberties will increasingly depend on such a restoration of their ancient and hard-won rights.


Jesse Lieberfeld is a privacy and cybersecurity attorney. He has worked for University of California Davis and the Cordell Institute for Policy in Medicine and Law. He holds a JD from Washington University in St. Louis School of Law.
Neil Richards is the Koch Distinguished Professor in Law at Washington University in St. Louis, where he directs the Cordell Institute for Policy in Medicine & Law. He is the author of dozens of law review articles and two books, Why Privacy Matters (Oxford 2022) and Intellectual Privacy (Oxford 2015). Professor Richards is a former law clerk to William H. Rehnquist and frequently serves as an expert in privacy cases.

Subscribe to Lawfare