A bipartisan bid to reform an electronic-privacy law has the support of the tech community and the White House, but federal law enforcement officials tell Congress the changes would hamper civil prosecution.
Civil law enforcement agencies like the Federal Trade Commission and the Securities and Exchange Commission would not be able to obtain critical information if the law were changed to require criminal warrants for access to data stored on cloud services, according to witnesses from those agencies testifying in front of the Senate Judiciary Committee Wednesday.
The law enforcement officials were reacting to bills from Sens. Mike Lee and Patrick Leahy, and Reps. Kevin Yoder and Jared Polis, that aim to update the Electronic Communications Privacy Act, or ECPA.
In its current form, ECPA protects emails from government snooping for 180 days. When the law was initially drawn up in 1986, email providers routinely removed emails from their servers a month or two after they were delivered; users would generally download the messages they intended to keep. Whatever remains on an email server after 180 days is fair game for government to access, with just a subpoena—not a warrant.
Today, ubiquitous cloud-based email systems like Gmail, which offer gigabytes of storage for free, allow the average user to keep his or her messages—and calendars, contacts, notes, and even location data—on a provider's servers indefinitely.
The ECPA Amendments Act would require law enforcement to get a warrant to access server-hosted information, no matter how old, and would require the government to notify an individual that his or her information was accessed within 10 days, with certain exceptions.
But law enforcement officials expressed opposition to some of the bill's proposed changes, arguing that its requirement for criminal warrants could leave civil litigators without access to important electronic information.
"The bill in its current form poses significant risk to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct," said Andrew Ceresney, director of enforcement at the Securities and Exchange Commission.
Ceresney and Daniel Salsburg—chief counsel for technology, research, and investigation in the FTC's consumer protection branch—said the SEC and FTC are not looking for the authority to obtain data with just a subpoena, and instead proposed a system where they could obtain a court order for access to the data. Such a process would notify the individual being investigated and give him or her the chance to make a case in front of the judge before an order is granted or denied.
But despite their opposition to the proposed change to ECPA, neither the SEC nor the FTC has obtained emails through an administrative subpoena in the past five years, Ceresney and Salsburg said Wednesday.
Ceresney said the decision to avoid subpoenas was made "in deference" to ongoing conversations about ECPA reform. A 2010 federal court order also bound the government's hands by declaring ECPA unconstitutional—a decision the ECPA Amendments Act intends to codify into law—but Ceresney said the SEC does not interpret the court's decision as an impediment to using subpoenas to obtain data.
The civil law enforcement officials' comments about ECPA reform were met with immediate backlash from the tech community, which has come out in strong support of the changes.
"The FTC claims to be a champion of consumer privacy, yet the agency wants access to Americans’ data without a warrant," said Berin Szoka, president of TechFreedom, a technology think tank. "The Commission’s testimony today confirms long-standing rumors that it will only support ECPA reform if it gets a carve-out from the bill’s warrant requirement.
“This is the issue that has stalled ECPA reform for over five years, despite overwhelming bipartisan support,” Szoka added. “The FTC’s testimony is carefully crafted to sound reasonable, but the agency is simply helping to obstruct the major privacy reform of our generation."
Julie Brill, an FTC commissioner, released a statement Wednesday indicating she disagreed with Salsburg's testimony. "I am concerned that a judicial mechanism for civil law enforcement agencies to obtain content from ECPA providers could entrench authority that has the potential to lead to invasions of individuals’ privacy and, under some circumstances, may be unconstitutional in practice," Brill said.
Google and BSA-The Software Alliance, a prominent tech association, appeared in a separate witness panel before the committee, calling for swift change in order to improve customers' privacy and alleviate business pressures.
"By creating inconsistent privacy protection for users of cloud services and inefficient and confusing compliance hurdles for service providers, ECPA has created an unnecessary disincentive to move to a more efficient, more productive method of computing," said Richard Salgado, the director of Google's law enforcement and information security branch.
This story was updated with a statement from FTC Commissioner Julie Brill.