A Response to Law Enforcement Concerns with the Email Privacy Act
Written by Jadzia Butler
The Email Privacy Act, H.R. 699, is finally on its way to markup in the House Judiciary Committee. With over 300 cosponsors, it is the most popular piece of legislation that has yet to receive a vote. It’s no wonder it’s so popular – the commonsense notion that our 30-year-old Electronic Communications Privacy Act (ECPA) should be updated to reflect the technological innovations that have taken place since 1986 is one that even Republicans and Democrats in Congress can agree on. If the Email Privacy Act becomes law, the protections from unreasonable searches and seizures afforded to our private letters, files, and homes in the physical world will finally apply to our digital world, too: law enforcement will be required to obtain a warrant based on probable cause before accessing our private communications such as emails as well as documents, pictures and other information stored in the cloud.
We’re in the home stretch, and we’ve waited long enough. Congress must pass, and the President must sign, the Email Privacy Act. However, some groups continue to express concern that the Act will pose too great a burden to law enforcement. One of those groups is the FBI Agents Association (FBIAA), which recently released a letter voicing their criticism of the Act. Below are CDT’s responses to each of their concerns:
Concern #1: H.R. 699 Creates Obstacles to Law Enforcement
The FBIAA is concerned that the Act’s notification procedures, which require that a target be given a copy of the warrant and a description of the nature of the law enforcement inquiry within 10 days, could hinder investigations, result in administrative and technical errors, and pose a potential threat to public safety. However, the Act’s notice requirements are very similar to those that already exist in the physical world, and the Act preserves the same exceptions to current notice requirements that law enforcement officials rely on today (for example, notice can be delayed if it could lead to the destruction of evidence). Current law already requires that targets be provided with a description of the nature of the law enforcement inquiry in the case of notice that has been delayed; the Email Privacy Act simply applies the same requirement to regular notice as well. When the criteria for delaying notice aren’t met (because notice would not seriously jeopardize an investigation), it makes no sense to say that disclosing the nature of the inquiry would somehow be more problematic than disclosing it at the end of a delayed notice period. In fact, the bill is already more friendly to law enforcement than current warrant requirements in the physical world. When someone’s home is searched, they receive immediate notice. Here, notice is delayed for 10 days – allowing law enforcement a second chance to seek a delay of notice if it’s warranted.
In addition, the FBIAA is concerned that limiting delayed notification to 180 days could undermine investigations that take more than 180 days to complete. However, notice can be delayed, in 180-day increments, as many times as needed. In fact, the bill doubles the period during which notice can be delayed, from 90 days under current law (see 18 U.S.C. 2705(a)(1)(A)), to 180 days. This is an improvement for law enforcement. Moreover, unlike current law, the Act requires providers to notify law enforcement of their intent to inform a customer of the existence of a warrant seeking their information before doing so, which should mitigate the risk of administrative and technical errors.
Americans’ digital content often contains the most sensitive, private aspects of their lives – from purchase orders and health information to love letters and political or religious communications – and often dates back years. A covert search of a citizen’s inbox by the government – like a covert search of a person’s home – is one of the most invasive searches possible. It directly contradicts the values at the heart of the Fourth Amendment, and must only be done out of absolute necessity. The Act’s notice provisions are critical to preserving our rights as citizens in the digital world, and should not, as the FBIAA suggests, be removed.
Exceptions to the Warrant Requirement
The FBIAA expressed concern that H.R. 699 does not contain any exceptions to the warrant requirement, which could pose risks to investigations that are uniquely time-sensitive. However, the Act does not need to contain explicit exceptions because such exceptions already exist under current law – and the bill does not remove them. Specifically, the Act preserves all of the exceptions that the FBIAA suggested should be included in the bill:
- Voluntary disclosure by providers in case of an emergency (18 U.S.C. 2702(b)(8));
- Voluntary disclosure by providers with consent (2702(b)(3));
- Publicly available information – there is no warrant requirement for information that is currently publicly available;
- To/From Information – there is no warrant requirement in the bill, or in current law, for to/from information from emails. Such information can be obtained with a court order issued under 2703(d) (which is issued under a lower standard) or with a warrant. If obtained with either, the same exceptions to the warrant requirement apply (2702(c)); and
- Mandatory disclosure of child pornography to the National Center for Missing and Exploited Children under 18 U.S.C. 2258A (as referenced in 2702(b)(6)).
Although the Act introduces a warrant requirement for electronic content (regardless of the age of that content), it still preserves the exceptions to the warrant requirement that exist today.
Remote Computing Services
The FBIAA criticized the Act for creating new warrant requirements for information held by Remote Computing Services (RCS’s), which they believe will make it “unnecessarily difficult” for law enforcement to obtain the information they need. However, the warrant requirement must be expanded to reflect the fact that more information is being stored in the cloud than ever before (in 2014, it was estimated that the amount of data stored in the cloud would reach 3.77 zettabytes by this year). Consider the types of information you keep stored in the cloud instead of on your devices so that you can free up space and access your data everywhere you go: your Google docs, your photos, your calendars, and your music playlists, for example. Not requiring a warrant for these items because of the way in which they are stored, yet requiring a warrant for email, simply does not make sense.
Some have argued that incidental collection of content such as a person’s name might be swept up into the “RCS” category under the Act, which would render information like airline reservations subject to the warrant requirement. However, this concern mischaracterizes what an RCS is and how one is identified. Whether or not an entity counts as an RCS has always been contingent on its role with respect to handling data (as in, whether it is holding a person’s information as a source of off-site storage). An airline, for example, collects passengers’ information not as a source for storage, but as a means for booking airline tickets. Merely collecting such information does not convert an airline into an RCS. This is consistent with guidance from courts and legal scholars such as Orin Kerr (see page 9: “A provider can act as an RCS with respect to some communications, an ECS with respect to other communications, and neither an RCS nor an ECS with respect to other communications.”).
Applying the warrant requirement to RCS’s reflects the reality of this day and age: we are creating more digital content than ever before and wish to access that content on several devices. As a result of the need for additional space and flexibility, the amount of sensitive information stored in the cloud will only continue to grow.
Concern #2: H.R. 699 Should Ensure Access to Electronic Evidence
Law enforcement and “going dark”
Given that Congress rarely acts on electronic privacy issues, the FBIAA argued that updating ECPA would be a good opportunity to solve what they perceive to be a “going dark” problem, and suggested that Congress take steps to “ensure” that technology companies allow for access to electronic data (when lawful). CDT, along with many privacy and civil liberties advocacy groups, technology companies, and academics, believes that encryption and security go hand-in-hand. A government mandate requiring companies to build a “backdoor” into encryption for surveillance, which the FBI has suggested, would put users at the mercy of hackers, identity thieves, and malicious governments, as well as impose heavy costs on US businesses. Moreover, as a recent study from Harvard’s Berkman Center pointed out, the government is not actually “going dark” at all. Our world is becoming increasingly connected – from our smartphones and iPads to our cars and thermostats. As a result, we are always “on.” We live our lives online, which has made more data about us available and given the government more tools to obtain and analyze that data than ever before. Given our ever-increasing vulnerability to cyber attacks, Congress should be working to strengthen encryption, not weaken it.
Aside from CDT’s strong feelings about the so-called “going dark” issue, there simply is not enough time to resolve this contentious debate in the context of the Email Privacy Act. Nor is anyone saying that we should weaken the standards for accessing communications. In fact, FBI Director Comey said in recent testimony that the FBI seeks warrants for all email (see Comey testimony page 69).
Requiring service provider cooperation
The FBIAA believes that H.R. 699 does not adequately address the need for service providers to cooperate with law enforcement requests by providing timely responses, and they suggest requiring providers to develop internal mechanisms that designate at least one individual to be a 24/7 point of contact for law enforcement. However, providers are already giving extensive assistance to law enforcement in order to help them meet their needs. Some of the larger providers already have public manuals that identify points of contact who may be available 24/7. If their assistance is not timely, law enforcement can bring a provider into court and get a court order compelling their assistance within a set period of time. In fact, courts issuing warrants have the authority – without any change in the law – to require a response from the provider by a specific date. Although “timely” assistance is obviously important, what constitutes “timely” can vary from context to context. As a result, CDT opposes putting a “shot clock” of any kind on all providers regardless of circumstance, because doing so would require them to prioritize less important information just because the “clock” on that information is about to run out.
The FBIAA also suggests that Congress amend § 2709, which governs the issuance of National Security Letters (NSL’s), to require providers to hand over all “electronic communications transaction records” when requested by law enforcement officials. “Electronic communication transaction records” is not a defined term, but based on previous attempts by the FBI to amend ECPA’s NSL provision, we can assume that it includes email to/from information and URL’s of websites visited. These types of information are precisely the kinds of more sensitive information that CDT and many other civil liberties groups have agreed should be available to the FBI only with a court order – not through the NSL process, which does not require judicial authorization. Rather than making sensitive transaction records available through the NSL process, other less-sensitive transaction data could be made available instead, such as records of session times and durations, subscriber number or identity (including temporary IP addresses), and means of payment, such as credit card numbers. Beyond that, such an amendment to § 2709 would mark a radical expansion in the FBI’s authority to issue National Security Letters and obtain sensitive data without judicial oversight.
The Email Privacy Act would make long-overdue reforms official. It is a good bill that effectively balances the needs of law enforcement with the expectations of privacy that users understandably have about the wealth of information that they now store online as opposed to in a filing cabinet. CDT applauds the House Judiciary Committee for finally taking action, and encourages Members to pass the Act as written – without delay.