The U.S. Congress recently passed H.R. 387, known as the Email Privacy Act. The law updates the 30-year-old Electronic Communications Privacy Act of 1986 (ECPA) and no longer allows surveillance of emails over 180 days old found on third-party servers. If you consider what the Internet and the world looked like 30 years ago in 1986, these updates make sense.
This was the year IBM.com came online and when IBM’s PC division released its first laptop computer, weighing in at 18 pounds. It was the height of the Cold War, but Reagan and Gorbachev agreed to have open talks in Reykjavik. When the ECPA was passed, email volumes were a fraction of what they are today; back then no one anticipated email’s pervasive nature across business and consumer sectors. In 1971, when Ray Tomlinson sent the first email, the founders of ARPANET never imagined they’d need email encryption to improve the trustworthiness of messages sent across the wire.
When the ECPA was passed, it assumed that emails older than 180 days were “abandoned” (storage and backup weren’t what they are today). In 1986, tape backups were still in vogue; there was no Carbonite or Google cloud backup. The law assumed that old emails were basically a kind of public domain. Stop and consider for a moment what you have stored in your inbox and how far back those emails go. If you do that, you start to see why it’s important to plug this gap in the 1986 ECPA law.
The dark resonance of list building
The right to privacy is considered a basic human right in Europe, and as a result, Europe has incredibly strict privacy laws that cover the use of electronic communication mechanisms, opt-in, data storage, and processing. European laws were born out of a terrible event. These laws rose out of the lists put together by Nazis to catalog and transport Europe’s Jews to labor camps and gas chambers across the continent.
In the United States, we believe that privacy rights are sectorial; there is no umbrella that assumes a right to privacy. Every sector in the United States economy enacts laws to varying degrees of effectiveness where privacy is concerned.
The passing of the new ECPA bill closes the loophole of warrantless surveillance of emails older than 180 days on third-party servers.
This should come as welcome news to all consumers concerned with data privacy, while ensuring that lists like those the Nazis built can never be built, given how much data is now available on every single person, especially in their inbox.
Why regulating email is important
Today more than 205 billion emails a day are sent between individuals and businesses, making email a stunningly massive repository of human-generated information. The use of email in the consumer sector to close the loop on purchases and shipping confirmations is a documentation of behaviors. Email is employed across every sector as a means of collaboration, ideation, and business. So it stands to reason that in today’s world, email should be afforded the same protections that our medical records, electronic or paper, enjoy under HIPAA, because we’ve entrusted our most sensitive life and business secrets to the channel and medium.
Protecting the content of our inboxes is part of the ongoing trend of securing email communication. Technologies such as Transport Layer Security (TLS) and Opportunistic TLS let communicating mail servers encrypt email in flight to prevent eavesdropping. The fact that companies such as Google and Twitter have launched transparency reports documenting how much email is encrypted in flight highlights the importance of email and its contents. The new law goes a long way to bring the laws regulating our inboxes into the 21st century.
Wondering what the future of email has in store for 2017? I surveyed email experts and SendGrid customers to get their thoughts. Check out the results.