An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SPEECH | Nov. 1, 2018

Keynote Address by Glenn S. Gerstell, General Counsel NSA to the American Bar Association 28th Annual Review of the Field of National Security Law Conference

Keynote Address by


Glenn S. Gerstell

General Counsel

National Security Agency


to the

 American Bar Association

28th Annual Review of the Field of National Security Law Conference


Starting my remarks with a short quotation from a hearing before the U.S. Senate seems fitting given that we’re at a legal conference in Washington:


Computers are changing our lives faster than any other invention in our history.  Our society is becoming increasingly dependent on information technologies, which are changing at an amazing rate.  Combine this rapid explosion in computing power with the fact that information systems are being connected together around the world without regard to geographic boundaries.  This ... offers both opportunities and challenges ... [among them] vulnerabilities which represent severe security flaws and risks to our nation’s security, public safety, and personal privacy.[1]


That quotation sounds like it might have come from a hearing earlier this year.  But it was said by Senator Fred Thompson more than twenty years ago, well before the invention of the iPhone or YouTube, and just at the dawn of email. 


The hearing, actually the first ever Congressional hearing on cybersecurity,[2] featured some hackers who gave the Senators a clear and simple message: our computers, networks, and software are dangerously insecure.[3]  Despite this, it would take decades for our nation to appreciate the cyber threat, during which time we would see a steady accretion of malicious cyber activity.


Inflection points often go unnoticed, and in retrospect, it’s really not that surprising that the hackers’ testimony wasn’t appreciated for the dire warning that it represented. Looking back at the 1990s, we can now realize that, as the Internet was taking off, perhaps we missed an opportunity to chart a different course as to our cybersecurity.


I bring this up today because we stand in an analogous moment in history. If twenty years ago represented a tipping point of sorts for the Internet, then perhaps we are now at, or indeed even past, a comparable tipping point as to the broader digital revolution.  The so-called “fourth industrial revolution” is upon us. As commentator Kevin Drum recently put it well in Foreign Affairs, the world sits at the dawn of a new age, and technological advances are set to make traditional forces of change no more than “mere footnotes … when we – or our robot descendants – write the history of [this] digital revolution.”[4]


Maybe it’s no surprise that we are missing this tipping point too. Both the statistics – such as 20 billion connected devices – and the very concepts of profound change that we hear from futurists and technologists – are mind-numbing. 


Of course, we aren’t doomed to watch this wave of profound change wash over us without some consideration.  Are we missing another opportunity here?  Challenging though it may be, we can examine and prepare for some aspects of this digital revolution that will have as fundamental implications for us as the industrial revolution did for 19th century Western society. 

That revolution will have one particular consequence that will impact every one of us in personal and far-reaching ways, and it’s one that has special meaning for us as lawyers – I’m speaking of the effect on our privacy.


Although we continue to forge ahead in the adoption of new technologies, we simply haven’t confronted, as a U.S. society, what privacy means in a digital age.  If you look at the advent of other novel technologies – from the automobile to electricity – regulations inevitably lagged, but we didn’t let technology get too far out in advance before our laws and societal norms caught up.  


But not so today. Has there ever been a time where technological change has been this rapid, this ubiquitous, and this impactful? It’s no wonder that our societal norms and legal structures, especially in the area of privacy, have failed to keep pace.  It’s worth examining those gaps so we can see where additional thinking and action will be required.


Given my vantage point and this occasion, I will focus on how the federal government affects the privacy rights, or at least the expectations, of the public.  I’ll start by looking at the approach taken by the judiciary in fashioning the scope of our privacy interests and then turn to examples in the legislative arena.  I will move on to implications for the private sector and then conclude by suggesting what are our responsibilities as lawyers in this critical area.[5]


So let’s start our examination with an overview of how our judicial system has constructed our privacy regime, at least relative to the federal government.  Privacy in the U.S. is a notion that has traditionally been rooted in the Fourth Amendment.  Perhaps that comes as no surprise given how our country was formed, and how one of the enduring debates throughout our history has been the scope of the government’s involvement in our society.  In any event, you may recall that the text of the Fourth Amendment makes no mention of the word “privacy,”[6] and nowhere else in the Constitution or the Bill of Rights is a general right to privacy expressed.  This is understandable, though, when you consider both the rudimentary state of technology at the time and the fact that the Fourth Amendment grew out of the experiences of the colonists, who resented the British Crown’s use of writs of assistance to force entry into their homes.[7]  The Fourth Amendment didn’t mention privacy, then, because protecting one’s physical property from unreasonable searches and seizures was sufficient.[8]  This also explains why, if you had reviewed the first hundred years’ worth of the Supreme Court’s many occasions to examine the Fourth Amendment, you would have found cases focusing on physical intrusion and property rights, but not a word about a privacy interests as such. Nor was there a decision, when the requisite technology later developed, that electronic surveillance itself qualified as a search or seizure for purposes of that amendment.[9]


The clearest expression of the need for a change in legal approach appears in the prescient writings of Justice Louis Brandeis, who typically said where the law ought to, and usually did, go.  In his seminal law review article with Samuel Warren entitled “The Right to Privacy” and in his famous and farsighted dissent in the 1928 Supreme Court case of Olmstead v. United States, Brandeis proposed to separate the concept of privacy from other legal principles, and recognize it as something entirely distinct. But you would have had to wait until 1967 for the Supreme Court, in Katz v. United States, to adopt that concept and overturn the almost four-decades old ruling in Olmstead.  Writing for the majority, Justice Potter Stewart held that the Fourth Amendment protects people, not places, and in his concurrence, Justice Harlan fleshed out a test for identifying a “reasonable expectation of privacy.”[10] This test was then further defined throughout the 1970s in United States v. Miller and Smith v. Maryland, where the Court held that there is no reasonable expectation of privacy for information (such as bank records or telephone numbers) that is voluntarily given to others (such as bank employees or the telephone company).[11]


In the years that followed, our Fourth Amendment jurisprudence continued to develop in this manner, with courts largely focusing on the type and location of the surveillance taking place, based upon the facts of each particular case, to determine whether a protected privacy interest was implicated.  I might add as an aside that almost nowhere in the case law is the real focus on the substance of the communication, except insofar as you get to consider that by reason of where the communication occurred.


As if we needed any further evidence of this very case-specific approach to the development of our privacy and surveillance legal regime, the Supreme Court just a few months ago gave us what the Court itself branded as a “narrow” decision.[12]  I am of course referring to United States v. Carpenter, which addressed whether the Fourth Amendment could be violated by a warrantless search and seizure of historical cell phone records that reveal the location and movement of the user.[13]  The Court held that the government’s acquisition of such records – or at least seven days or more of them – constituted a search under the Fourth Amendment, which required a warrant, because it violated a person’s “legitimate expectation of privacy in the record of his physical movements.”[14] In coming to that conclusion, the Court noted that apart from disconnecting a phone from a network entirely, there is almost no way of avoiding leaving behind an electronic trail of location data. To the Court, then, the location information was “an entirely different species” of record than, say, bank records or phone numbers, and in no meaningful sense could it be said that the user voluntarily assumed the risk of turning over a “comprehensive dossier of his physical movements.”[15]


As we stand here today, it’s too early to be able to discern the full ramifications of Carpenter. But one point is clear – the Carpenter case serves to highlight one of the major challenges in applying our Fourth Amendment jurisprudence in this digital age. By the very nature of our judicial system, which does not allow for advisory opinions, our courts are necessarily confined to deciding cases based on the specific facts (or the technologies) with which they are presented.  These decisions are therefore inherently backward-looking, which feels like the wrong approach when addressing rapidly developing technology.  By contrast, tort law principles can be extended to facts beyond the case at issue because concepts of negligence can be intuitively applied to a wide variety of facts and situations.  Not so where the very legal principle is rooted in, and indeed expressed in, terms of the precise technology in the case.


I am not in any way being critical of our judiciary.  Rather, I am simply pointing out that the limitations of our “case or controversy” scheme can result in a patchwork quilt of legal precedent that takes into account only the particular technology directly before the court in each case, which in turn leads to decisions that are sometimes hard to reconcile or are distinguishable only by factors that seem of dubious significance. It also yields a set of legal determinations in this area that are, at best, of uneven value in predictive utility.  Indeed, the very fact that the nine justices generated five distinct opinions in Carpenter itself makes clear that even the best legal minds are divided over the right approach.  And this was in  a relatively straightforward case involving fairly well-established technology, where there was already ample Supreme Court precedent about the government’s access to other types of cell phone information and its use of technology to track a person’s physical movements.[16] 


Our experience tells us that if we want to be forward-looking to embrace future technologies and have more predictive legal principles, the legislative branch also has an important role to play, which I’d like to turn to now.  While the courts have established the outer bounds of the Fourth Amendment, within those limits, it has been Congress that has enacted relatively strong privacy protection, but only in specific areas.[17]


The fact that Congress has chosen to act in an important but limited way is also no surprise, for all of the obvious reasons.  As I have just said, courts have been very active in this area, so Congress has in some respects had the luxury of simply deferring to their lead.  These issues can be dauntingly technical in nature, and there are contentious political debates around privacy as well, which Congress, like any institution, would seek to avoid wading into if at all possible.   So, as a result, in instances where Congress has chosen to act, it has often been to address only specific problems about which there was widespread consensus.  We all know that political accord can be difficult to achieve, and thus in many cases, given the pace of technology, we have been left with either aging laws or no laws at all.


Take, for example, the Electronic Communications Privacy Act, commonly known as “ECPA.” Ironically enough, Congress passed ECPA in 1986 in an effort, in the words of the Committee Report, “to update and clarify Federal privacy protections and standards in light of dramatic changes in new computer and telecommunications technologies.”[18] The state of the law at the time focused, in large part, on privacy protections related to telephone calls, and it was said to be “hopelessly out of date” in terms of addressing new means of communications.[19] Of particular concern to Congress at the time was the Supreme Court’s decision in Miller and the increasing adoption of both email and computerized recordkeeping systems.  Because this information had been voluntarily conveyed to a third party, this suggested under prevailing doctrine that it was entitled to little or no constitutional protection.


To address this, ECPA established a new framework that provided varying requirements for law enforcement to compel disclosure of the content of electronic communications depending, in part, on how long they had been in storage.  For those communications that have been in storage for less than 180 days, a search warrant based on probable cause is required;[20] in contrast, for those that have been in storage for more than 180 days, only a court order showing relevance to an investigation is needed.[21]  The rationale for this distinction was the state of technology at the time – in 1986, most electronic communications systems (including email services) did not retain electronic records for longer than six months.[22]  As a result, Congress concluded that “[t]o the extent that the record is kept beyond that point, it is closer to a regular business record maintained by a third party and, therefore, deserving of a different standard of protection.”[23]


Regardless of how you feel about where Congress drew this line, there can be no debate that, due to subsequent developments in technology and commerce, the environment in which this framework was adopted differs markedly from today’s.  Almost universally, we now conduct most of our affairs online, and we have access to virtually limitless, inexpensive electronic storage. Most of us store our most sensitive information there – from our emails, to our pictures, to our financial records – and thus, as many have pointed out, the fact that we choose to keep key electronic records longer suggests that they are deserving of more protection, not less.[24]  It also raises the larger question whether this regime still makes sense given these new realities.[25]


The Department of Justice has addressed some of the issues related to ECPA, at least to some extent, through policy changes in recent years.[26]  For its part, Congress has also considered legislative updates to the statute, and it successfully passed the CLOUD Act earlier this year to address a different, pressing ECPA-related issue involving law enforcement access to electronic communications stored abroad.[27]  As I mentioned earlier, though, much like other times when Congress has acted in the privacy arena, the CLOUD Act served to resolve only a very specific problem about which there was significant consensus.  In my view, no matter how highly we think of Congress’s efforts, one-off, hand-crafted solutions like the CLOUD Act are simply too time- and labor-intensive to meet our needs in this age of rapidly developing technology.


The situation isn’t all that different with respect to privacy in the context of our national security laws, most notably, the Foreign Intelligence Surveillance Act, or “FISA.” As many of you are well familiar, FISA was originally enacted in 1978 to provide the Executive Branch with a court-authorized process for conducting electronic surveillance against foreign powers or their agents operating inside the U.S.  In creating such a system, Congress sought to carefully balance and protect both our national security and the privacy and civil liberties of all Americans.  And, indeed, the statute has done so admirably for more than four decades now.


Much like ECPA, however, FISA’s structure, which is largely rooted in a four-part definition of “electronic surveillance,” has remained basically unchanged even as technology has zoomed ahead.  Again, to give credit where due, Congress did address this to a significant extent through the enactment of Section 702 as part of the FISA Amendments Act of 2008, which is one of our most important foreign intelligence surveillance authorities.  But taking a step back, we should recognize that that this Section represents only a small part of the larger FISA framework and, again, addresses only a discrete technological problem.  The rest of FISA is still based on its original definitions, with the result that we have wound up with a complex, multi-agency statutory scheme that hinges in part on the type of collection and the location of collection, as well as the purpose and use of the collection, and that doesn’t specifically address issues such as ubiquitous encryption, web-based communications applications, the possibility of intelligence information becoming available through new technologies, and the global dispersion of computer servers and data storage.


Again, to be crystal clear, I mention ECPA and FISA and some of their deficiencies today not because I am calling for any particular set of changes or improvements.  Rather, I believe that they are emblematic of how technological changes can drive the need to update statutory frameworks, and they demonstrate the shortcomings of how we have attempted to address these issues legislatively in the past.


These shortcomings become even more noticeable when you consider how our privacy laws regulate the private sector.  As I noted earlier, the legal restrictions we put in place to ensure our notions of privacy in America are mostly focused on curtailing government.  By contrast, we have largely let market forces – which is to say, no regulation – establish whatever individual rights we may have in this area relative to corporations and other businesses. True, the private sector’s collection and use of our personal data are in some areas subject to a complex assortment of federal and state statutes, but many of these statutes apply to only particular sectors or types of data (for example, your financial or health information) about which there is a deep consensus on a heightened need for privacy.  The rest provide only broad consumer protections and are really not focused on privacy rights per se.  Admittedly, there are benefits to this approach, which allows wide latitude for states to legislate and reduces the risk that there will be the sorts of unintended consequences that often accompany broad, comprehensive legal regimes. 


Compare, just for a minute, the U.S. regime to how privacy is regulated in Europe. There, the concept of privacy focuses on the dignity of the person and very much extends to private sector activity of all types.  This approach has traditionally resulted in laxer regulation of government surveillance, but much stricter and comprehensive laws about, for example, data protection, credit reporting, and workplace privacy.  The General Data Protection Regulation, or GDPR, which came into effect earlier this year throughout the EU, is a perfect example.  GDPR instituted a new set of wide-ranging and significant privacy protections and applies broadly to all EU organizations and companies around the globe holding or processing the personal data of people in the EU.


Europe is far from being alone in passing comprehensive privacy laws. In recent years, Japan, India, Brazil, and many other countries, including some of our largest trading partners, have all enacted new privacy regimes relating to how companies may handle personal information.  According to one estimate, more than l00 countries now have some form of privacy laws, and some 40 other countries have pending legislation or initiatives in the works.[28]


That is not to say that there haven’t been attempts here in the U.S. to strengthen and standardize our privacy laws. In part as a result of the federal government’s failure to adopt such proposals as a consumer privacy bill of rights, California recently enacted its own Consumer Privacy Act, which extends a broad range of new consumer privacy rights and data security protections.


While many have cheered California’s approach, there are also many who fear that it will serve only to further complicate the already muddled or excessive regulatory landscape in the U.S.

The various approaches have been the subject of widely-publicized hearings before the U.S. Senate and the Federal Trade Commission in recent months.  The National Institute for Standards and Technology has also begun looking at the issue, with the goal of issuing a “privacy framework” in the same vein as its widely-heralded cybersecurity framework.


No matter how you view these efforts – and as you would expect, I’m not taking a position on them – it is clear that many in our society feel that the approach that we have taken to date with respect to regulating the private sector is increasingly problematic.  The recent level of public and Congressional attention to the Facebook/Cambridge Analytica issue is illustrative of that feeling.  With the international community pushing ever more aggressive laws and the global nature of our digital society, the choice regarding how we go about addressing privacy here in the U.S. might soon be out of our hands. Companies operating internationally are being forced to adapt to regulations implemented in foreign countries.  If we want to play a role in shaping those policies to suit our own notions of privacy, we need to get engaged.  At the same time, we also need to recognize that the more that states seek to occupy this space, the more likely that we will end up with additional complexity and inconsistencies.  In short, we no longer have the option of addressing this issue in an ad hoc fashion.


This will require the public and private sectors to take a holistic approach to addressing privacy concerns associated with our increasing reliance on digital technologies.  Perhaps, as in Europe, we need new comprehensive requirements to regulate how our personal information can be used, shared, or disseminated online. Or perhaps we don’t need any additional government regulation, as simply updating our current laws to reflect the state of technology today might be sufficient.  Alternatively, voluntary industry-generated approaches might also meet our needs.  I’m not here to advocate any of these or other potential approaches, but rather, my point is simply that we must have a societal dialogue about how we want to confront the problem.  


Even more broadly, though, we also need to be asking ourselves the more fundamental question of what privacy really means to us here in the U.S., both as it relates to our interactions with the government and with the private sector.  Under our current legal framework, the same piece of electronic information may be protected from interception or disclosure to the government, but it could be disseminated, sold, or used by a private company with few, if any, restrictions.  Have we genuinely reflected on whether that is the actually the best approach when we consider the forthcoming digital revolution?  Moreover, the confluence of the Internet of Things and increased monitoring for cybersecurity purposes imply an almost inconceivable level of potential knowledge about an individual.  Will we feel comfortable that a machine will see, aggregate and analyze this data, knowing that there’s always the possibility that a human could extract the resulting knowledge?  Some advocates have asserted that a violation of privacy occurs when the government’s computers simply scan citizens’ emails looking for a terrorist’s email even though it’s all done without human intervention, but at the same time, my private email provider already reads all my emails looking for spam. How do we reconcile this?


To be sure, a social media company or a data broker can’t put you on trial or in jail, but consider how much information those companies actually know about you – everything from the relatively mundane like your contact information to some of your most personal, intimate, and potentially even unconscious, interests and habits.  Isn’t it fascinating that we’ve reached a point where, arguably, the private sector now has even greater impact on our privacy than the government?  Have we paused to consider how to appropriately account for that?  Or, perhaps, have we reached the point where we have come to accept this status quo because – to quote Ben Wittes of Brookings – “our concept of privacy is so muddled, so situational, and so in flux that we are not quite sure any more what it is or how much of it we really want.”[29]


I would submit that a natural and appropriate place to begin these conversations would be to reexamine the Supreme Court’s 1967 formulation of our privacy interests.[30]  In lieu of evaluating the “reasonable expectation of privacy” as a threshold and ultimately dispositive question, maybe we could implement it instead by means of a functional approach.  This would place the focus more on the type of the information at issue, its intimacy and sensitivity, and how it is protected (including considering whether one truly and voluntarily shared the information with any third parties), while deemphasizing factors like the type of communication collected, the means by which it was collected, or the location of its collection. It might also result, for example, in stricter controls on information such as medical records, and lesser protection for information such as the time, date, duration, and identities of a telephone conversation.  Please note that I am not specifically advocating for this approach, but I do find it to be a logical alternative worth considering.  And just to be clear, I am not seeking any diminution of our privacy to facilitate surveillance powers.  Actually, I think a cogent approach to this topic could strengthen our sense of privacy in many respects.


I would also caution that, in having these sorts of discussions, we must avoid the temptation to view things in absolutes and to reflexively label ideas as anti-privacy, anti-security, or even unconstitutional just because we might think that they should be.  This will be particularly important when addressing politically- and emotionally-charged topics like encryption, which undoubtedly will continue to be a significant part of the privacy conversation in the years to come.  Rather than simply asserting that any potentially weakening of privacy protections (legal, technical, or otherwise) is inherently bad and thus off the table for discussion, we need to be intellectually honest about what interests that we are trying to protect, what harms genuinely may occur, and how should we balance these against other potential benefits such as increased safety or convenience.  Lapsing into jargon and retreating into our traditional corners will serve only to stall this important debate.  We should instead be working to find consensus and principles that we agree upon.


It is undeniable that these are extremely complicated issues with no clear or correct answers.  Throughout our nation’s history, lawyers have been the leaders in helping our society wrestle with those types of issues and forge a consensus on what is best for our country.  So through our very work as lawyers in the national security realm, we are in the vanguard in thinking about privacy in this digital age, and that is why we have a responsibility to use our knowledge and skills to help lead a constructive dialogue about how to better shape our legal framework for the years to come.  Let’s not miss this opportunity; let’s not let this inflection point pass us by.  I hope that, through my remarks today, I have contributed in a small part to that process, and I thank you for attention this afternoon.


[1] Weak Computer Security in Government: Is the Public at Risk?, Hearing Before the S. Comm. on Gov’t Affairs (1998) (statement of Sen. Fred Thompson, Chairman, S. Comm. on Gov’t Affairs) available at


[2] Derek Hawkins, The Cybersecurity 202: These hackers warned Congress the internet was not secure. 20 years later, their message is the same, Wash. Post, May 23, 2018, available at


[3] Craig Timberg, A disaster foretold – and ignored, LOpht's warnings about the Internet drew notice but little action, Wash. Post, June 22, 2015, available at


[4] Kevin Drum, Tech World: Welcome to the Digital Revolution, Foreign Affairs, June 14, 2018, available at


[5] My thoughts in these areas draw in part upon themes that have been expressed by several legal scholars who have written extensively about privacy and technology in recent years.  While I am not necessarily endorsing any of them, various analyses and perspectives are available in such works as: Susan Landau, Listening In: Cybersecurity in an Insecure Age (2017); Daniel J. Solove, Nothing to Hide: The False Tradeoff between Privacy and Security (2013); and Benjamin Wittes, Databuse: Digital Privacy and the Mosaic, Governance Studies at Brookings (April 1, 2011) at 5, available at


[6] See U.S. Const. amend. IV (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”).


[7] James Otis, a political activist at the time of the American Revolution, famously stated that writs of assistance were the “the worst instrument of arbitrary power, the most destructive of English liberty and the fundamental principles of law.” James Otis, Speech at the Superior Court in Boston: In Opposition to the Writs of Assistance (Feb., 1761), in 8 The World’s Famous Orations 27, 28 (William Jennings Bryan, ed., Funk & Wagnalls Co. 1906), available at  John Adams would later characterize Otis's words as the moment when “American independence was born,” id. at 27 n.1, and he would go on draft a provision in the Massachusetts Constitution that served as the basis for the Fourth Amendment.  Mass. Const., pt. I, Art. XIV (1780); see also Michael W. Price, Rethinking Privacy: Fourth Amendment “Papers” and the Third-Party Doctrine, 8 J. of Nat’l Security L. & Pol’y 247, 256 (2016).


[8] See Wittes, supra note 5, at 5.


[9] For example, in Olmstead v. United States, the Court held that wiretapping a telephone conversation didn't amount to a search or seizure, since the evidence in that case was obtained simply by “hearing.”  277 U.S. 438, 464 (1928).


[10] 389 U.S. 347, 361 (1967) (Harlan, J., concurring).


[11] Miller, 425 U.S. 435, 440-443 (1976); Smith, 442 U.S. 735, 742-46 (1979).


[12] Carpenter v. U.S., 138 S.Ct. 2206, 2220 (2018).


[13] Id. at 2211.


[14] Id. at 2220-21.


[15] Id. at 2220, 2222.


[16] See e.g., Riley v. California, 134 S.Ct. 2473 (2014) (holding that the police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested); U.S. v. Jones, 565 U.S. 400 (2012) (holding that the attachment of a Global Positioning System (GPS) tracking device to a vehicle, and subsequent use of that device to monitor movements on public streets, was a search within the Fourth Amendment).


[17] See Orin S. Kerr, Internet Surveillance Law after the USA Patriot Act: The Big Brother that Isn't, 97 Nw. U. L. Rev. 607, 627 (2003) (“In the case of Internet privacy law, however, the real action tends to be in the legislature, not the courts. … While many questions remain, the existing cases appear to have left Congress with relative liberty to create the set of rules it thinks best. … Congress has responded to this constitutional vacuum with a series of laws that offer relatively strong (although hardly perfect) legislative privacy protections.”).


[18] S. Rep. No. 99-541, at 1 (1986).


[19] Id. at 2 (quoting 132 Cong. Rec. 14608 (1986) (statement of Sen. Patrick Leahy)).


[20] 18 U.S.C. § 2703(a) (2017).


[21] Id. §§ 2703(b), (d).


[22] H.R. Rep. No. 99-647, at 68, 72 (1986).


[23] Id. at 68.


[24] See ECPA Part 1: Lawful Access to Stored Content, Hearing before the Subcomm. on Crime, Terrorism, Homeland Sec., and Investigations of the H. Comm. on Judiciary, Subcommittee (2013) (statement by Orin S. Kerr) available at (“The government can compel contents held for more than 180 days with a mere subpoena. This is a strange result because most people use their e-mail accounts as a permanent storage site akin to a virtual home online. … I find that aspect of the statute impossible to justify. It is a puzzling result that makes no sense for today’s Internet and today’s Internet users.”); Viet D. Dinh & Jeffrey M. Harris, Toward a Modern Statutory Framework for Law Enforcement Access to Electronic Communications (2015) available at (“That 180-day rule was questionable even when it was first enacted, but it makes no sense at all today. Consumers now have access to massive amounts of electronic storage at little or no cost, and the fact that an individual has retained an email for longer than 180 days hardly suggests that the communication should be entitled to a lesser degree of privacy protection. If anything, the fact that a consumer has retained an email rather than deleting it should indicate that it is more deserving of protection.”).


[25] See Reforming the Electronic Communications Privacy Act, Hearing before the S. Comm. on Judiciary (2015) (statement of Elana Tyrangiel, Principal Deputy Assistant Att’y Gen., United States Department of Justice) available at (“Many have noted—and we agree—that some of the lines drawn by the [Stored Communications Act] that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old.”).


[26] See e.g. H.R. Rep. No. 114-528 (2016) at 9 (explaining that following United States v. Warshak, 631 F. 3d 266 (6th Cir. 2010), the U.S. Department of Justice began using warrants for email in all criminal cases, and it adopted that practice as policy in 2013); U.S. Dep’t of Justice, Policy Regarding Applications for Protective Orders Pursuant to 18 U.S.C. § 2705(b) (2017).


[27] See Consolidated Appropriations Act, 2018, P.L. 115-141, Div. V, 132 Stat 348, 1213-1225 (2018).


[28] David Banisar, National Comprehensive Data Protection/Privacy Laws and Bills 2018, September 4, 2018, available at


[29] Wittes, supra note 5, at 1.


[30] Indeed, in Carpenter, Justice Gorsuch similarly called for the Supreme Court to “look to a more traditional Fourth Amendment approach” that focuses on property rights rather than one that depends on an “appeal to a judge’s personal sensibilities about the ‘reasonableness’ of your expectations or privacy.”  Supra note 11 at 2267 (Gorsuch, J., dissenting).