Agencies Say They Need Access to Americans' Emails Without a Warrant

A bi­par­tis­an bid to re­form an elec­tron­ic-pri­vacy law has the sup­port of the tech com­munity and the White House, but fed­er­al law en­force­ment of­fi­cials tell Con­gress the changes would hamper civil pro­sec­u­tion.

Civil law en­force­ment agen­cies like the Fed­er­al Trade Com­mis­sion and the Se­cur­it­ies and Ex­change Com­mis­sion would not be able to ob­tain crit­ic­al in­form­a­tion if the law were changed to re­quire crim­in­al war­rants for ac­cess to data stored on cloud ser­vices, ac­cord­ing to wit­nesses from those agen­cies testi­fy­ing in front of the Sen­ate Ju­di­ciary Com­mit­tee Wed­nes­day.

The law en­force­ment of­fi­cials were re­act­ing to bills from Sens. Mike Lee and Patrick Leahy, and Reps. Kev­in Yo­der and Jared Pol­is, that aim to up­date the Elec­tron­ic Com­mu­nic­a­tions Pri­vacy Act, or ECPA.

In its cur­rent form, ECPA pro­tects emails from gov­ern­ment snoop­ing for 180 days. When the law was ini­tially drawn up in 1986, email pro­viders routinely re­moved emails from their serv­ers a month or two after they were de­livered; users would gen­er­ally down­load the mes­sages they in­ten­ded to keep. Whatever re­mains on an email serv­er after 180 days is fair game for gov­ern­ment to ac­cess, with just a sub­poena—not a war­rant.

Today, ubi­quit­ous cloud-based email sys­tems like Gmail, which of­fer giga­bytes of stor­age for free, al­low the av­er­age user to keep his or her mes­sages—and cal­en­dars, con­tacts, notes, and even loc­a­tion data—on a pro­vider’s serv­ers in­def­in­itely.

The ECPA Amend­ments Act would re­quire law en­force­ment to get a war­rant to ac­cess serv­er-hos­ted in­form­a­tion, no mat­ter how old, and would re­quire the gov­ern­ment to no­ti­fy an in­di­vidu­al that his or her in­form­a­tion was ac­cessed with­in 10 days, with cer­tain ex­cep­tions.

But law en­force­ment of­fi­cials ex­pressed op­pos­i­tion to some of the bill’s pro­posed changes, ar­guing that its re­quire­ment for crim­in­al war­rants could leave civil lit­ig­at­ors without ac­cess to im­port­ant elec­tron­ic in­form­a­tion.

“The bill in its cur­rent form poses sig­ni­fic­ant risk to the Amer­ic­an pub­lic by im­ped­ing the abil­ity of the SEC and oth­er civil law en­force­ment agen­cies to in­vest­ig­ate and un­cov­er fin­an­cial fraud and oth­er un­law­ful con­duct,” said An­drew Ceres­ney, dir­ect­or of en­force­ment at the Se­cur­it­ies and Ex­change Com­mis­sion.

Ceres­ney and Daniel Sals­burg—chief coun­sel for tech­no­logy, re­search, and in­vest­ig­a­tion in the FTC’s con­sumer pro­tec­tion branch—said the SEC and FTC are not look­ing for the au­thor­ity to ob­tain data with just a sub­poena, and in­stead pro­posed a sys­tem where they could ob­tain a court or­der for ac­cess to the data. Such a pro­cess would no­ti­fy the in­di­vidu­al be­ing in­vest­ig­ated and give him or her the chance to make a case in front of the judge be­fore an or­der is gran­ted or denied.

But des­pite their op­pos­i­tion to the pro­posed change to ECPA, neither the SEC nor the FTC has ob­tained emails through an ad­min­is­trat­ive sub­poena in the past five years, Ceres­ney and Sals­burg said Wed­nes­day.

Ceres­ney said the de­cision to avoid sub­poen­as was made “in de­fer­ence” to on­go­ing con­ver­sa­tions about ECPA re­form. A 2010 fed­er­al court or­der also bound the gov­ern­ment’s hands by de­clar­ing ECPA un­con­sti­tu­tion­al—a de­cision the ECPA Amend­ments Act in­tends to co­di­fy in­to law—but Ceres­ney said the SEC does not in­ter­pret the court’s de­cision as an im­ped­i­ment to us­ing sub­poen­as to ob­tain data.

The civil law en­force­ment of­fi­cials’ com­ments about ECPA re­form were met with im­me­di­ate back­lash from the tech com­munity, which has come out in strong sup­port of the changes.

“The FTC claims to be a cham­pi­on of con­sumer pri­vacy, yet the agency wants ac­cess to Amer­ic­ans’ data without a war­rant,” said Ber­in Szoka, pres­id­ent of Tech­Free­dom, a tech­no­logy think tank. “The Com­mis­sion’s testi­mony today con­firms long-stand­ing ru­mors that it will only sup­port ECPA re­form if it gets a carve-out from the bill’s war­rant re­quire­ment.

“This is the is­sue that has stalled ECPA re­form for over five years, des­pite over­whelm­ing bi­par­tis­an sup­port,” Szoka ad­ded. “The FTC’s testi­mony is care­fully craf­ted to sound reas­on­able, but the agency is simply help­ing to ob­struct the ma­jor pri­vacy re­form of our gen­er­a­tion.”

Ju­lie Brill, an FTC com­mis­sion­er, re­leased a state­ment Wed­nes­day in­dic­at­ing she dis­agreed with Sals­burg’s testi­mony. “I am con­cerned that a ju­di­cial mech­an­ism for civil law en­force­ment agen­cies to ob­tain con­tent from ECPA pro­viders could en­trench au­thor­ity that has the po­ten­tial to lead to in­va­sions of in­di­vidu­als’ pri­vacy and, un­der some cir­cum­stances, may be un­con­sti­tu­tion­al in prac­tice,” Brill said.

Google and BSA-The Soft­ware Al­li­ance, a prom­in­ent tech as­so­ci­ation, ap­peared in a sep­ar­ate wit­ness pan­el be­fore the com­mit­tee, call­ing for swift change in or­der to im­prove cus­tom­ers’ pri­vacy and al­le­vi­ate busi­ness pres­sures.

“By cre­at­ing in­con­sist­ent pri­vacy pro­tec­tion for users of cloud ser­vices and in­ef­fi­cient and con­fus­ing com­pli­ance hurdles for ser­vice pro­viders, ECPA has cre­ated an un­ne­ces­sary dis­in­cent­ive to move to a more ef­fi­cient, more pro­duct­ive meth­od of com­put­ing,” said Richard Sal­gado, the dir­ect­or of Google’s law en­force­ment and in­form­a­tion se­cur­ity branch.

This story was up­dated with a state­ment from FTC Com­mis­sion­er Ju­lie Brill.

(Image via Felix Lipov / Shutterstock.com)