An Obscure Case with Big Implications for Privacy
By Kimberly Fong, CDT Intern
*Update: Late last night, a key committee in the House of Representatives passed a measure to curb the SEC’s efforts to use a subpoena to access the content of an American’s email. In an amendment offered by Congressman Yoder (who has also championed the Email Privacy Act, the House’s broader efforts to reform the law), the House Appropriations Committee passed a funding limitation that bars agencies under its jurisdiction (including the SEC) from demanding the content of communication from email providers unless they have a warrant. While this measure still has to be passed by the full House and the Senate, this is an important step toward curbing this agency power grab until real reform of ECPA can be enacted. (from Chris Calabrese on July 14, 2017)*
The government has just fired its latest salvo in a long-running effort to circumvent privacy protections for electronic communications. An obscure case of civil fraud may have dramatic implications for when and how the government can access your emails, texts, and photos held online. CDT jointly filed a brief in the case, Securities and Exchange Commission v. North Star Finance LLC, opposing government efforts to obtain email content in a civil case with just a subpoena to an email service provider.
In February of this year, the Securities and Exchange Commission (SEC) sought to obtain email content from Yahoo stored in an account owned by a defendant in a securities fraud case. Under current legal precedent, that material should only be accessible with a search warrant. A 2010 Sixth Circuit decision, United States v. Warshak, established that internet users have a reasonable expectation of privacy in their email content and that the government must obtain a warrant to access that content. A warrant is considered the “gold standard” for privacy protection in the U.S. because it requires that the government specifically describe the place it intends to search and the persons or things it intends to seize.
Instead of obtaining a warrant, however, the SEC is relying on the fact that the rules governing access to these types of communications are extremely out of date, and is attempting to use an administrative subpoena to force Yahoo to produce the emails. Unlike a warrant based upon probable cause, a subpoena only needs to establish that the requested documents are “relevant” to an investigation. The “relevance” standard is incredibly broad—it is, after all, a standard used in discovery when a party does not know exactly what evidence exists—and expands with the reach of an agency’s investigative scope; “relevance” is both difficult to challenge and easy to direct at not just the subject of an investigation but also any witnesses or parties holding “relevant” information. Consequently, a subpoena falls far short of providing the privacy protections embedded in a warrant, and allowing the government to access email content with a simple subpoena would give the government unprecedented access to the sensitive contents of users’ inboxes. The SEC has long argued that they should have this type of access – regardless of the privacy implications.
Yahoo did not comply with the SEC’s subpoena, prompting the SEC to file an application for a court order compelling Yahoo to hand over the emails. On June 16, CDT joined the Electronic Frontier Foundation (EFF) in requesting leave to file an amicus brief in Securities and Exchange Commission v. North Star Finance LLC. The brief urges the court to reject the SEC’s attempt to get around well-established precedent regarding the Fourth Amendment protections afforded to email content stored by a third party.
As CDT and EFF’s brief explains, compelling Yahoo to produce a user’s emails would violate the user’s constitutionally protected expectation of privacy in the content of her emails. A subpoena, even when coupled with the opportunity to oppose it in an adversarial proceeding, clearly does not satisfy the Fourth Amendment because the “relevance” standard provides very little protection against government intrusions into private communications. In fact, because many government agencies like the Department of Justice have both criminal and civil authority, it would likely quickly become a backdoor loophole where an agency could use its civil authority to gain access in criminal investigations.
One of the most frustrating things about this case is that it is not just so invasive but also so unnecessary. Civil federal agencies like the SEC are not rendered toothless by Warshak’s holding. The government can still seek information directly from a user herself or from a service provider after obtaining a user’s consent to disclosure. Alternatively, the government can request the information from another party to the communication. By simply following the civil litigation process, the government can even compel a user or service provider to respond to a validly issued subpoena if she or it refuses to comply. In addition, the government can still seek information that is not protected by a user’s reasonable expectation of privacy.
The SEC’s recent attempt to get around the Fourth Amendment demonstrates the urgent need for serious reform of the Electronic Communications Privacy Act (ECPA), which establishes the standards governing government access to electronic communications, such as email.