The Securities and Exchange Commission (SEC) thinks it and other federal agencies should be allowed to compel third party providers of web-based email and other cloud services to disclose personal communications without a warrant. And just to rub salt in the privacy wound, the SEC wants to attach this new power to the widely praised and much needed Electronic Communications Privacy Act (ECPA) Amendments Act (S.607).
First, some background. S. 607, which was introduced by Senators Leahy and Lee and approved by the Judiciary Committee in April, would make it clear that government agencies must obtain a warrant if they want third party service providers to disclose content stored on behalf of their customers. Most large providers, including Google, Microsoft, and Facebook, already require warrants when the government seeks disclosure of communications content because a 2010 Sixth Circuit case, U.S. v. Warshak, found that the Fourth Amendment protects content even if stored with a third party provider. The SEC chair, however, has requested an exception from the warrant requirement.
Currently, to obtain information, the SEC serves a subpoena on the target of an investigation compelling the target to provide relevant materials. The target must then provide all documents that are relevant and non-privileged, whether they are stored in a filing cabinet, on an internal network, or in the cloud. The SEC uses many mechanisms to ensure that targets disclose relevant documents. It can, for example, enforce its subpoena in court against a recalcitrant or shady target.
Now the SEC believes that it should be able to short circuit those court processes and other mechanisms, and obtain all of the target’s documents, including those that are privileged and irrelevant, by going directly to the target’s communications service provider instead of to the target.
The SEC cites a grand total of one actual case, SEC v. Len A. Familant and Paul Greene, to illustrate its need for an exception to the warrant requirement. It argues that a subpoena served to a third party ISP in that case resulted in disclosure of an email that was critically important. However, as is explained in detail in a CDT brief, the email was not as essential as claimed and the SEC had other legal means of obtaining the email that it seems were not even pursued. Moreover, by going after the target’s personal email account, the SEC illustrated the dangers of the proposal that it advances: it probably obtained all manner of personal emails having nothing whatsoever to do with the investigation it was conducting, at great risk to privacy.
S. 607 is a vitally important and long-overdue reform to ECPA. We have witnessed a boom in web-based email and cloud computing services, with U.S. industry leading the innovation curve. S. 607 will provide the level of certainty and privacy assurances necessary to enable even greater growth in these sectors. However, the SEC’s proposed exception would neuter this critical reform.
The SEC is essentially asking Congress to fundamentally alter the U.S. justice system. It is seeking to assert the investigative powers of a criminal justice authority, while simultaneously enjoying the lower burden of proof required in civil proceedings. If it succeeds in carving out this exception, you can be sure that other regulatory agencies, such as the IRS, EPA, FCC, FEC and CFPB, will want their piece of the power pie as well.
CDT, along with other public interest organizations, companies and trade associations, recently sent a letter to Congress expressing our concerns about the SEC’s proposed exception to S. 607. We urge Senators not to allow civil regulatory authorities to bypass warrant protection. It’s time to get S. 607 passed, and to get it passed without carve outs that would erode our fundamental privacy rights.