The Public Eye with Eric Chabrow

Legislation , Privacy

Bringing Email Privacy Law Into the 21st Century Congress Mulls Bills to Require Warrants to Gain Access to Old Emails
Bringing Email Privacy Law Into the 21st Century

The law often doesn't keep up with information technology changes. A key example of that is the nearly three-decade old Electronic Communications Privacy Act.

See Also: How to Scale Your Vendor Risk Management Program

Under ECPA, federal agencies can require Internet service providers to turn over the content of individuals' emails that are 180 days old or older without a criminal warrant. All that's required is a subpoena.

"We want these agencies to be effective but they must abide by the same constitutional constraints that apply to everyone else." 

Legislation pending before both chambers of Congress would update ECPA to require authorities to obtain a warrant to access emails older than 180 days. The House Judiciary Committee will hold a hearing Dec. 1 on one of those bills, the Email Privacy Act.

When Congress enacted ECPA in 1986, storage in the pre-broadband, pre-cloud computing era was expensive, so old emails were routinely deleted. Also, the number of emails people received then was miniscule compared with today.

Times have changed, and many users no longer routinely jettison their emails, instead hanging onto thousands of them for years.

Email Memory Lane

ECPA became law before the World Wide Web, when many of us used proprietary services to exchange electronic mail. Remember, CompuServe, Prodigy and the early AOL? We also used email differently in the mid-to-late 1980s. Long chains of electronic correspondence weren't as commonplace then as they are today.

The Email Privacy Act and the Senate's ECPA Amendments Act, both of which have bipartisan support, would require the government to obtain a warrant from a court before requiring providers to disclose the content of such communications, regardless of how long the communication has been held in electronic storage by an electronic communication service or whether the information is sought from an electronic communication service or a remote computing service. Under EPCA, a warrant is required only to retrieve email content that is less than 180 days old.

It's a change a vast majority of American voters seek, according to a new poll conducted by Vox Populi Polling for the Digital 4th Coalition, a bipartisan electronic privacy advocacy group. Some 77 percent of the 1,000-plus registered voters surveyed believe the government should be required to get a warrant from a judge before obtaining access to emails, photos and documents stored online.

Balancing Safety with Privacy

"This simple change to the law - treating searches of an individual's inbox the same way we treat searches of her home - is profoundly important to personal privacy and American business while not unduly interfering with law enforcement's ability to protect public safety," says Chris Calabrese, vice president for policy at the Center for Democracy & Technology, an advocacy group.

Calabrese's take on the law parallels the one voiced by FBI Director James Comey, who earlier this year characterized the ability to obtain email content older than 180 days without a warrant as an "outdated distinction. ... We don't treat it that way. We go get a search warrant from a federal judge no matter how old it is."

Legislation to revise EPCA would codify a 2010 U.S. Sixth Circuit Court of Appeals finding that prevents agencies such as the Federal Trade Commission and Securities and Exchange Commission from gaining custody of old emails without a warrant. The appeals court ruling technically applies only to states within its jurisdiction: Kentucky, Michigan, Ohio and Tennessee. But it sets a precedent to be followed throughout the nation.

Regulators See Harm

SEC Chairwoman Mary Jo White, however, contends changing the law would harm regulatory agencies. "Such a structure essentially would foreclose the commission - a civil federal agency - from gaining access to this information directly from ISPs absent consent of the entity being investigated," White wrote to Sen. Patrick Leahy in 2013, when he chaired the Senate Judiciary Committee.

Regulators echoed White's view in September at a Senate hearing, telling lawmakers that civil law enforcement agencies would be denied the ability to obtain critical evidence. "Depriving the SEC of authority to obtain email content from an ISP would also incentivize subpoena recipients to be less forthcoming in responding to investigatory requests because an individual who knows that the SEC lacks the authority to obtain his emails may thus feel free to destroy or not produce them," testified Andrew Ceresney, SEC's director of enforcement.

Added Dan Salsburg, an FTC Bureau of Consumer protection chief counsel: "The proposals also would prohibit agencies such as the FTC from obtaining content when the customer or subscriber is a scam artist who refuses to produce the content to civil law enforcement. As a result, these proposals appear to prohibit civil law enforcement from compelling the content of electronic communications from an ECPA service provider under all circumstances."

Same Rules for Everyone

Still, Leahy, the Vermont Democrat who is a co-sponsor of the Senate EPCA reform bill, discounts the FTC's and SEC's concerns that the legislation would hamper civil regulatory agencies. "We want these agencies to be effective," he says, "but they must abide by the same constitutional constraints that apply to everyone else."

Are regulators' concerns justified, or is it time to change the law? Share your opinion in the box below.



About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network