Congress Cybersecurity & Tech Surveillance & Privacy

Installing a Content Patch in the Stored Communications Act

Stephanie Pell, Richard Salgado
Friday, March 6, 2026, 6:00 AM

Replacing the SCA’s patchwork of carve-outs with a single warrant rule would better protect privacy and clarify the law.

Cloud computing. (https://www.srsnetworks.net/it-services/cloud-computing-services-california/cloud-it-solutions/; CC BY-NC 4.0, https://creativecommons.org/licenses/by-nc/4.0/).
Meet The Authors
Subscribe to Lawfare

The 1980s-era scheme in the Stored Communications Act that allows the government to compel service providers to disclose user content without a warrant is the mullet of surveillance law. It is time to lose it. The forty-year-old rules are frozen in time, reflecting antiquated assumptions about technology and its adoption. Under some interpretations of these pre-cloud statutory rules, the warrant requirement is excused for vast swaths of user content, including content already accessed by the user and content more than 180 days old. These carve-outs do not fit modern dependence on provider-hosted communications and computing services, and they are even less appropriate for artificial intelligence and other technologies on the horizon. The rules undermine both constitutional privacy interests and the statute’s own aims.

This report offers a proof-of-concept patch. It replaces the carve-out-riddled regime with a single warrant requirement for compelled disclosure of content and harmonizes the interlocking blocking provisions to clarify that key disclosure exceptions are permissive rather than mandatory. It also defines “processing services” to reflect modern architectures and prepare the statute for the future. It improves defect detection through user notice and a clearer provider role in raising objections, adds a suppression remedy for Fourth Amendment and specified statutory violations, and addresses a narrow edge case involving criminal defendants seeking access to exculpatory content held by providers.

This paper was published as part of a series marking the 40th anniversary of the Electronic Communications Privacy Act. View the paper series here.

You can read this paper here or below:

 


Topics:
Congress Cybersecurity & Tech Surveillance & Privacy
Back to Top
Stephanie Pell

Stephanie Pell

StephanieKPell
Read More
Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.
Richard Salgado

Richard Salgado

Read More
Richard Salgado teaches at Stanford and Harvard Law Schools. He also serves as an Advisory Board Member of American University Washington College of Law’s Tech Law and Security Program, a Visiting Fellow on Security and Surveillance with the Cross-Border Data Forum, and a Senior Associate (Non-resident) with the Center for Strategic and International Studies. Richard founded a consultancy to provide guidance to organizations navigating cybersecurity and surveillance challenges. Richard has over 35 years of experience across the private sector, government and academia, including as Google’s Director of Law Enforcement & Information Security for 13 years, and as a prosecutor with the Computer Crime and Intellectual Property Section of the Justice Department.
}

More Articles 

Subscribe to Lawfare