On Wednesday, the Senate Judiciary Committee held a hearing on reforming the Electronic Communications Privacy Act (ECPA), the federal law that regulates government access to private communications records stored by third parties.
ECPA is outdated and badly in need of reform. The technological advances in communications and computing since the bill’s original passage in 1986 have left both providers and users of remote computing with a baffling and outdated set of rules. To be sure, when ECPA was written in 1986, few Americans owned computers, and even fewer used email, not to mention remote or “cloud” computing which wasn’t a consideration at the time. As highlighted in testimony by CDT’s Chris Calabrese, these changes in technology have “disrupted the fundamental balance created in ECPA between privacy rights, law enforcement interests and the needs of innovators.”
Many courts, including the Sixth Circuit in United States v. Warshak, have already ruled that efforts to obtain the content of email, text messages, or other electronic communications through a court order, rather than a warrant, violates the Fourth Amendment.
The Supreme Court also issued a landmark decision in Riley v. California , where it unanimously held that officers must generally obtain a warrant before searching the contents of a cell phone incident to an arrest. Writing for the Court, Chief Justice Roberts rejected the government’s invitation to create “various fallback options for permitting warrantless cell phone searches under certain circumstances,” noting that a regime with various exceptions and carve-outs “contravenes our general preference to provide clear guidance to law enforcement through categorical rules.” To reinforce the constitutional imperative for clear rules in this area, Chief Justice Roberts concluded his opinion with unambiguous direction to law enforcement:
The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to arrest is accordingly simple - get a warrant.
For this reason, legislation to provide simple modifications to ECPA to bring it in line with current technology enjoys tremendous bipartisan, bicameral support. The Electronic Communications Privacy Act Amendments Act (S. 356), championed by Senators Mike Lee (R-UT) and Patrick Leahy (D-VT); and the Email Privacy Act (H.R. 699), championed by Representatives Yoder (R-KS) and Polis (D-CO), enjoy the support of 23 and 292 cosponsors respectively.
This legislation also enjoys broad support among industry, privacy and other interest groups, spanning the ideological spectrum, ranging from the American Civil Liberties Union (ACLU) and the Center for Democracy & Technology (CDT) to Americans for Tax Reform (ATR) and FreedomWorks.
Despite the unanimous agreement about the need to update ECPA and the overwhelming support for the legislation, the Securities and Exchange Commission (SEC) is seeking what is referred to as a “civil agency exception” to the warrant requirement, what amounts to a dramatic expansion of their authority to access anything they deem relevant to an investigation by going to a third party host without possessing a warrant. The Federal Trade Commission also weighed-in with testimony today expressing that “[a]lthough the Commission currently does not seek content of e-mails and other electronic communications covered by ECPA from ECPA service providers, we believe that in the future, as more electronic communication moves to the cloud, the effectiveness of our fraud prevention program may be hampered if proposed legislation is not appropriately modified.“
The testimony goes on to say essentially that the FTC currently does not currently seek access to this content through a subpoena because of the Warshak decision, but they are concerned about legislation clarifying this practice. If this argument doesn’t make sense to you, it’s because it doesn’t make sense at all.
The SEC has continually called for an administrative agency exception as if it reflects the scope of their current subpoena power. But that’s simply not accurate. The old-world analogy for the SEC to provide a subpoena for digital content to a third party provider, would be for them to merely provide a subpoena to a landlord requiring them to enter into a tenant’s apartment to obtain and turn over personal documents stored inside. We wouldn’t stand for that in the physical world, so there’s no reason we should enable this in the digital world.
In a separate statement to the Judiciary Committee, FTC Commissioner Julie Brill expressed her concerns that the privacy costs of a civil agency exception are too high:
The costs – in terms of privacy protections for consumers – of solidifying the Commission’s authority to obtain content through ECPA is real. Fundamentally, I believe that individuals’ privacy interests extend to what they store and send online. I simply am not convinced that a judicial mechanism enabling civil law enforcement agencies to order ECPA-covered providers to turn over content will provide the safeguards against government intrusion to which individuals are entitled.
Testimony by Google highlighted the problem remote “cloud” companies are facing:
Users expect, as they should, that the documents they store online have the same Fourth Amendment protections as they do when the government wants to enter the home to seize documents stored in a desk drawer. There is no compelling policy or legal rationale for this dichotomy, but it is one that ECPA continues to make.
Not only does this present a problem for U.S. citizens and technology providers, but this uneven playing field presents an even larger dilemma worldwide, where it threatens the global competitiveness of our digital services sector. Foreign governments are retaliating to concerns about U.S. government access to data with localization policies to prevent U.S. government access to electronic information--even where disputes exist about the connection between data location and government access.
The proposed legislation will level the playing field for law enforcement access to electronic content, setting a warrant as the consistent standard, regardless of how or where the content is stored.
We urge Congress to support this legislation and reject amendments that would create exceptions whereby Americans will have less protection for information stored remotely "in the cloud," than the information stored in their homes.