ECPA Reform Takes a Giant Leap Forward
Written by Greg Nojeim
The Senate Judiciary Committee took an historic step today when it approved on a bipartisan voice vote the Leahy-Lee ECPA Amendments Act, S. 607. The bill would require law enforcement agents to obtain a warrant in order to gain access to the contents of email and of documents, pictures and other information stored in the cloud. The change has been sought for years by Digital Due Process, a broad-based coalition of technology companies, privacy NGOs, and academics. The bill would update the woefully out-of-date Electronic Communications Privacy Act (ECPA), a law passed in 1986 that governs the privacy of digital communications. If the Leahy-Lee bill becomes law, it will facilitate the growth of the cloud computing industry, give law enforcement more certainty in investigations that involve electronic evidence, and ensure consumers more privacy in the vast oceans of data that they store on social networks and with cloud-based providers. Like ECPA itself, the ECPA Amendments Act would provide the policy framework for continued vitality of the Internet, an engine of economic growth in the U.S. and abroad.
Under current law, documents that a person stores in the cloud are unprotected by the warrant requirement. Law enforcement can access this information without judicial authorization and without a high level of suspicion of crime. The same rule applies to email more than 180 days old and, according to the Department of Justice, to all opened email regardless of its age. The ECPA Amendments Act would establish a uniform warrant requirement for all of this content, regardless of its age and regardless of whether it has been opened. It would codify the 2010 Sixth Circuit decision in U.S. v. Warshak, in which the court determined that the Fourth Amendment protects email no matter its age, and that ECPA is unconstitutional to the extent that it allows law enforcement to access email content without a warrant.
The Judiciary Committee adopted two amendments that did not change the substance of the bill. The first, a manager’s amendment by Chairman Patrick Leahy (D-VT), clarified that the warrant requirement that the bill imposes for content in criminal cases has no effect on the standards in the Foreign Intelligence Surveillance Act, the Wiretap Act, and the pen register/trap and trace law.
The second, by Senator Grassley, would require the Government Accountability Office to issue a report on law enforcement’s use of ECPA. The report would reveal: (i) the number of times in the last five years that law enforcement officers obtained communications content, transactional information and subscriber information under ECPA; (ii) the average length of time it takes for providers to respond to law enforcement demands as well as the number of times a judge required a provider to appear and explain any failure to comply with a warrant; (iii) the number of times in the last five years law enforcement officers requested delayed notification to a subscriber or customer; and (iv) whether requiring a warrant for content triggers an increase in emergency disclosures to law enforcement that providers have discretion to make. This report will shed light on law enforcement’s use of the authority it has under ECPA and will help the public understand the extent of government surveillance of stored communications.
Senators Grassley, Feinstein, Sessions and Whitehouse noted some continuing concerns, citing letters that the Securities and Exchange Commission and the FBI Agents Association sent to members of the Committee the day before the markup. The FBIAA objected to the warrant-for-content rule in its entirety and CDT responded to those objections. The SEC asked the Committee to create an entirely new warrant that the IRS, SEC, EPA, FTC, and every other regulatory agency could use in civil cases to compel communication service providers to disclose communications content. This would cause a sea change in the way civil investigations are conducted.
Currently, investigators demand documentary evidence from the targets of their investigations. The lawyers for the target select from the target’s files the documents that are responsive and that are not privileged and the target turns those documents over to the investigators. If there is a dispute, the investigative agency can compel disclosure through court proceedings. The SEC wants to bypass that process. It seeks authority to obtain the documents directly from the company that provides cloud computing services to the target. That cloud provider is in no position to make assessments of relevance and privilege. The provider turns over everything in the account – a windfall for the IRS, EPA, SEC, FTC or other agency conducting the investigation, but a huge proprietary information problem for the target, and a privacy problem for its employees, whose personal emails are oftentimes intermingled with corporate records.
If Congress wishes to consider this dramatic expansion of civil investigative authority, it should do so agency by agency. If the Internal Revenue Service or the Environmental Protection Agency seeks new warrant authority, its congressional overseers should decide whether to extend it and how to circumscribe it. ECPA reform should not be a one-stop shop for such an expansion of government power.
Despite this bump in the road, and some other concerns voiced about disclosures in emergencies (the bill preserves ECPA’s existing emergency exceptions), the bill emerged with strong bipartisan support, and strong support from companies and privacy organizations, the civil rights community, and former FBI Director William Sessions. This bodes well for the historic legislation as it moves forward in the Senate.