The Electronic Communications Privacy Act of 1986 (ECPA)
The Electronic Communications Privacy Act of 1986 (ECPA) is a landmark piece of legislation in the history of internet privacy. In the fast-moving information age, it has quickly become outdated, but certain aspects of the law are still relevant today.
Most importantly, it protects our email communications and our internet phone calls.
The law states that any such communication made on a public channel cannot be intercepted or read by any entity without a warrant.
This is an essential provision, but unfortunately, it is far from perfect. The law only protects communications made on public servers, so if you email via a private server owned by an employer then those emails won’t be protected. Furthermore, the law states that any email that is held on a server for more than 180 days has thus been “abandoned,” meaning a subpoena is enough to access those emails.
The US Patriot Act
The Patriot Act was passed less than two months after the September 11 terrorist attacks, during a time of enormous political upheaval in the United States.
The Patriot Act was enacted to monitor terrorist activity, and thus the law allows law enforcement agencies, most notably the FBI, to obtain information about our online (and offline) communications. These officials now don’t need a warrant to access information about our connections, such as the email addresses we’ve communicated with, the phone numbers we’ve called, or the websites we’ve visited. Between 2003 and 2006, 192,499 such information requests were made.
The act was updated and extended in 2015 under the US Freedom Act. It was claimed that many of the potential abuses of the Patriot Act had been reined in, but most observers are skeptical of such claims.
The Recent Internet Privacy Rollback
So let’s get to the recent repeal made by Congress in March. The law that was repealed, which never actually went into effect, was going to set some pretty essential and comprehensive rules for the way ISPs handle our data. The fundamental changes would have been the following:
ISPs would have to be completely transparent about the way they handle our data
If consumer data were going to be given or sold to a third party, that consumer would have to opt in first
ISPs would have to take specific measures to protect their customers’ privacy and notify their customers if there were to be a massive security breach
ISPs wouldn’t be allowed to offer different prices for different tiers of internet security
These concerns weren’t an issue until 2015 because until then, ISPs were regulated by the Federal Trade Commission (FTC) and the FTC took great care in preventing such abuses. But in 2015, the Federal Communications Commission (FCC) claimed jurisdiction over ISPs, and since then these regulations haven’t been enforced. The law passed last year was supposed to patch up this legislative grey area.
To be continued
Only time will tell how this story shakes out, but, until then, all the rights listed above are at risk. In the meantime, please note that you can call your ISP to explicitly tell them that you would like to opt out of any and all data collection, and you can also use a Virtual Private Network (VPN) as a means of protecting your data from your ISP.