Everyone’s got a shoebox under the bed. At one time, it was actually nestled below your mattress, collecting dust, protecting sentimental photos, yellowed love letters, and other private scraps. Now, that shoebox likely lives on a rack of water-cooled servers in Iowa—perhaps in a series of emails filed into a Gmail folder marked “Keep.”
When the police come knocking, there’s a huge difference between these two shoeboxes. If you’re old school and keep your secrets on ink and paper, the Constitution forbids the government from snooping without a warrant. But that server in Council Bluffs? Not so simple.
For nearly 30 years, a now-obsolete data-privacy law has determined how and when law enforcement can read your emails behind your back. In certain cases, the government can ask your Internet service provider to turn over your data without a warrant.
Now, that law—the Electronic Communications Privacy Act—is getting closer to a receiving a long-overdue update. But as Congress considers how to drag ECPA into the 21st century, some federal agencies are lining up to request a carve-out, in order to access Americans’ emails without first obtaining a criminal warrant.
The Federal Trade Commission and the Securities and Exchange Commission say that the updated law would hinder agents investigating fraud or insider trading, leaving critical evidence out of their reach.
Testifying before the House Judiciary Committee this week, a representative from the SEC criticized a bill that would require procuring a warrant before requesting emails from companies like Google. Since a civil agency can’t request criminal warrants, the requirement would effectively prevent the SEC from gathering evidence, explained Andrew Ceresney, the director of the agency’s enforcement division, in prepared testimony.
But the SEC can, in fact, access emails without warrants, by relying on the traditional subpoena process. When a civil subpoena is served, the target of the investigation must turn over the requested files—whether they are digital or physical. If the subject refuses, a court can enforce compliance by threatening fines or jail time.
In fact, the SEC has not used ECPA authorities to seek emails from an email provider since 2010, after a landmark court decision effectively imposed a warrant requirement for all email searches. (Ceresney said the decision to back off from using ECPA powers was made “in deference” to ongoing discussions about updating the law.)
Ceresney says subpoenas can present obstacles to an investigation, because there’s a chance a target will delay in responding, or delete or modify digital evidence. Those are the cases in which the SEC wants to be able to compel a company like Google, whose servers house the target’s data, to turn over the information—without getting a subpeona that tips off the target, or a warrant.
It's not clear how much the SEC’s “deferential” reluctance to use ECPA in this way has hindered the agency. Ceresney told lawmakers that he guesses his agency’s five-year-old decision not to use ECPA resulted in some cases falling through the cracks, but that claim is difficult to prove. Indeed, the SEC said in its 2014 annual report that it brought a record number of enforcement actions that year, as was pointed out by Google’s director of law-enforcement issues, another witness on the panel.
Despite the SEC’s objections to the bill, the majority of the bill’s provisions enjoy broad support, even from its critics.
Its basic proposals simply reflect the ways the world has changed during the past 30 years. When email was young, users had to download messages from email servers to their computer in order to read them; email providers would generally delete emails after a month or two to save space. Congress decided then that the few files that a user chose to save past 180 days should be fair game for a warrantless search.
But today, everyone relies on cloud-based email services like Gmail or Outlook to host years and years of data. The old law would allow the government easy access to any server-hosted data that’s more than six months old, which today amounts to a feast of private details. The FBI director James Comey says his agents are required to get a warrant no matter what. “The statute may be outdated, but I think we’re doing it in the right way,” he said in 2014—so the House bill would largely codify accepted practice into law, at least as far as the FBI is concerned.
The bill is backed by the overwhelming majority of House members, with more than 300 co-sponsors—more than any other bill under consideration. And a recent poll from Vox Populi found that 86 percent of voters want Congress to update ECPA. (The poll was commissioned by Digital 4th, a coalition of pro-privacy advocacy groups.)
The chairman of the House Judiciary Committee, Bob Goodlatte, said earlier this week that he supports the “core” provisions of the bill, but pushed for changes that would allow the government to access electronic data without a warrant in cases of emergency—changes that would bring privacy protections for digital files and documents in line with protections for physical paper.
As it deliberates the final points of the proposal, Congress can look west for a model: In October, California passed a law that put in place warrant standards that are even more stringent than the proposed federal law, extending to location data, metadata, and device-stored data. Texas, Utah, and Virginia already have similar (but less comprehensive) data-privacy laws in place.
After a pair of hearings in the House and Senate, and with increasingly broad support for reform, Congress may finally have the momentum it needs to push through long-awaited changes to email-privacy law. Soon, your digital shoebox might enjoy the same protections as the one in your bedroom.