Google Transparency Data Shows ECPA Laws Need Urgent Overhaul


Google has just released the latest edition of its annual Transparency Report, which for the first time gives a breakdown of how often US law enforcement agencies request data from the company’s users and how often it complies with those.

Google’s data covers the period from July to December 2012, and shows that requests from the government have increased substantially since the last time it released such figures. However, while that doesn’t come as so much of a surprise, what is alarming is how agencies are requesting such data.

According to Google, agencies made a total of 8,438 requests over the six month period, of which 5,784 were subpoenaed under the Electronic Communications Privacy Act (EPCA). The second most common method was search warrants, again issued under the ECPA, accounting for 22% of all requests. The remaining ten percent of requests were made in the form of court orders “or other processes that are difficult to categorize”, states Google’s legal dog Richard Salgado.

What’s worrying is the amount of subpoena requests that Google is receiving, which highlights the need for EPCA laws to be updated as soon as possible. The problem is that it’s far easier for authorities to get a judge to grant a subpoena on an individual, because the law doesn’t stipulate a need to show “probable cause” as with search warrants. Instead of digging up evidence that very well may not exist, authorities prefer to take advantage of an old ECPA mandate that online communications stored by third-party servers are considered ‘abandoned’ after 180 days, meaning that it can be accessed via subpoena without the need for a warrant.

There is obviously something wrong with a law that states your private communications are no longer ‘private’ after 180 days. Quite simply, this old law, devised in 1986 when we didn’t even have an internet, no longer makes sense in an age when we store more or less our entire lives online on one third party server or another. And don’t just think it’s your emails that can be searched via subpoena – it’s not. The law can be used to look through just about any file that someone has uploaded online, such as six month old instant messages (Skype), Facebook photos, Dropbox files, online calendars – all of these can be accessed via law enforcement and you’ll never even know.

The big question is, will we see any change sometime soon? Ars Technica reports that that’s unlikely, given that the most recent attempt to do so by the US Senate seems to have come to a standstill, which is why it’s good to know that Google is taking a stand (sort of) and protecting Gmail users according to the letter of the law.

Over the last six months, the company complied in part or in full with 88% of all data requests. It’s not clear how many of those requests were subpoenas, but there we can take encouragement from Google’s Chris Gaither, who stated that:

“In order to compel us to produce content in Gmail we require an ECPA search warrant. If they come for registration information, that’s one thing, but if they ask for content of email that’s another thing.”

Google is one of the few tech companies that discloses how many government requests it receives, and it also seems to be one of the few that is taking a stand and demanding that government agencies produce a search warrant to check user’s personal email. In light of any badly needed, modern laws regarding online privacy, we can only be thankful that they are.