Congress has an opportunity to finally put to bed one of the longest running but seemingly least controversial issues in tech policy: what do police need to do to access private communications held by third parties? For years, the de facto state of the law has been clear. When law enforcement wants to read emails, texts, and other communications held by companies like Google and Microsoft, they need to get a search warrant based on probable cause. But the current federal law, the Electronic Communications Privacy Act (ECPA), has never caught up, causing concerns about future technologies and the privacy of our most intimate communications. In fact ECPA has not been substantially updated since 1986.
So what’s going on? Back in 2010, a federal appeals court held in case called U.S. v Warshak that emails were protected by the Fourth Amendment and required a warrant. That ruling has never been challenged by the Department of Justice and since then the major tech companies have treated that as the law of the land. The practical result is that when police seek a suspect’s communications, they get a warrant. This hasn’t proved controversial and investigations have continued over the intervening decade without major complaint from law enforcement.
This is the time for Congress to act on a long overdue update.
However, efforts to formally adopt that standard into federal law through legislation called the Email Privacy Act, haven’t been as successful. In spite of the strongest possible support in the US House of Representatives – unanimous approval of a legislative fix – the Senate has never taken up the legislation. That can and should change this week. The language of the Email Privacy Act has been included in the House (but not the Senate) version of must pass legislation, the National Defense Authorization Act (NDAA). House and Senate leaders are meeting this week to iron out differences between the bills.
The case for amending ECPA to include this fix has never been stronger. It enjoys support from groups across the ideological spectrum and tech companies both large and small. In the recently decided US v Carpenter, a case holding that searches of cell phone records require a warrant, the Supreme Court spoke favorably about the need to protect the content of communications with a warrant as well.
So what is the hold up? Certain members of the Senate and law enforcement have resisted this technical fix by insisting it include unrelated measures like the so called “ECTR fix.” Others have called for radical changes to how ECPA operates, such as allowing law enforcement to bypass the warrant requirement anytime they claim something is an emergency. Supporters of the bill, including CDT, have rightly resisted these changes, noting that it doesn’t make sense for Americans to give up major privacy rights in exchange for protections they already enjoy. Additionally, the Email Privacy Act already makes changes for law enforcement, including granting police a longer period to delay notice of investigations and requiring providers to promptly respond to requests.
The Email Privacy Act provides important legal certainty for everyone who stores communications in the cloud and won’t change current police practices. It also helps global customers who store information in the U.S. but may not be protected by the U.S. constitution. This is the time for Congress to act on a long overdue update.