HOW STATE LEGISLATURES ARE CHANGING THE BALANCE OF PUBLIC SAFETY AND PRIVACY
On Oct. 8, 2015 the California state government enacted the California Electronic Communications Privacy Act (CalECPA). The new law, which takes effect January 1, 2016, significantly changes the obligations of communication service providers to disclose subscriber records in law enforcement investigations. Like similar laws passed recently in Maine, Virginia and Texas, CalECPA sets a higher standard of due process for law enforcement to collect communications content, metadata, and geo-location information.
The Federal Standard of Due Process
Until now, when most states adopted statutes governing law enforcement access to communication subscriber records, the laws mimicked a federal statute called the Electronic Communications Privacy Act, or “ECPA.” Here’s how ECPA works.
Let’s suppose a police department needs to investigate a criminal suspect’s communications billing records, or “metadata,” such as the phone numbers of people called by the suspect, and the dates, times, and durations of those calls. ECPA would typically require the officer to send the service provider a subpoena signifying the call evidence is “relevant” to the investigation. Relevance is the lowest standard of criminal due process.
Next, let’s assume the metadata evidence incriminates the suspect. The investigating agent may then need to gather more private communications information, such as the geo-location of the suspect’s smart phone over the last few weeks. For that type of inquiry an agent would show a judge how the collected metadata demonstrates “specific and articulable facts” to qualify for a court order authorizing the gathering of the location data. The specific facts requirement is the “intermediate” standard of due process.
Now let’s say the geo-location inquiry further incriminates the suspect. The agent may use the location data as part of a “probable cause” showing to the judge to justify an even more intrusive investigative technique, such as listening in on the suspect’s calls (i.e. a wiretap) or reading the suspect’s emails. Probable cause is the top-level standard of due process. It requires the officer to show that accessing the targeted information will probably lead to further evidence of culpability.
Notice how ECPA is structured to let law enforcement engage in mild privacy intrusions based on a low-level of due process justification and conduct more probing privacy intrusions based on higher-level justifications. The progression of due process standards from relevance to specific facts to probable cause is known as the “sliding scale of due process.” It gives law enforcement the discretion it needs to collect basic communications evidence at the start of an investigation, when the criminal’s identity is typically unknown. With basic evidence, the agent has an opportunity to justify a “specific facts” inquiry, and based on the findings of the specific facts inquiry it has a chance to gain enough evidence to show probable cause to access the suspect’s communications content.
The New California Standard of Due Process
CalECPA upsets the sliding scale of due process. Instead of letting law enforcement use the low relevance standard to gather communications metadata, it requires agents to meet the high probable cause standard to gather that data. As a result, California puts cops in a Catch-22: they are effectively crippled in their ability to show probable cause if they cannot gather metadata; and they are legally prohibited from gathering metadata if they cannot show probable cause.
The Catch-22 will force agents to become more dependent on non-communications sources, such as physical evidence and confidential informants, to further criminal investigations. Whether CalECPA lets criminals get away with more crime is impossible to predict. But it tips the legal balance of public safety and privacy in the direction of privacy.
The Impact on Service Providers
For communication service providers CalECPA is good news. To the extent the statute limits the ability of law enforcement agencies to investigate criminally-suspect communications the agencies will be less likely to serve subpoenas, court orders, and other instruments of due process on service providers. The communications industry is already inundated with a growing volume of due process requests. Any measure that limits the volume frees industry to mind its core business.
CalECPA will also reduce industry’s legal risk. The lower the volume of due process requests presented to service providers, the less often a provider will make a mistake of over-disclosure or under-disclosure when responding to the requests.
In short, CalECPA is potentially problematic for public safety but beneficial to the communications industry.