Testifying before the House Judiciary Committee this week, a representative from the SEC criticized a bill that would require procuring a warrant before requesting emails from companies like Google. Since a civil agency can’t request criminal warrants, the requirement would effectively prevent the SEC from gathering evidence, explained Andrew Ceresney, the director of the agency’s enforcement division, in prepared testimony.
But the SEC can, in fact, access emails without warrants, by relying on the traditional subpoena process. When a civil subpoena is served, the target of the investigation must turn over the requested files—whether they are digital or physical. If the subject refuses, a court can enforce compliance by threatening fines or jail time.
In fact, the SEC has not used ECPA authorities to seek emails from an email provider since 2010, after a landmark court decision effectively imposed a warrant requirement for all email searches. (Ceresney said the decision to back off from using ECPA powers was made “in deference” to ongoing discussions about updating the law.)
Ceresney says subpoenas can present obstacles to an investigation, because there’s a chance a target will delay in responding, or delete or modify digital evidence. Those are the cases in which the SEC wants to be able to compel a company like Google, whose servers house the target’s data, to turn over the information—without getting a subpeona that tips off the target, or a warrant.
It's not clear how much the SEC’s “deferential” reluctance to use ECPA in this way has hindered the agency. Ceresney told lawmakers that he guesses his agency’s five-year-old decision not to use ECPA resulted in some cases falling through the cracks, but that claim is difficult to prove. Indeed, the SEC said in its 2014 annual report that it brought a record number of enforcement actions that year, as was pointed out by Google’s director of law-enforcement issues, another witness on the panel.
Despite the SEC’s objections to the bill, the majority of the bill’s provisions enjoy broad support, even from its critics.
Its basic proposals simply reflect the ways the world has changed during the past 30 years. When email was young, users had to download messages from email servers to their computer in order to read them; email providers would generally delete emails after a month or two to save space. Congress decided then that the few files that a user chose to save past 180 days should be fair game for a warrantless search.
But today, everyone relies on cloud-based email services like Gmail or Outlook to host years and years of data. The old law would allow the government easy access to any server-hosted data that’s more than six months old, which today amounts to a feast of private details. The FBI director James Comey says his agents are required to get a warrant no matter what. “The statute may be outdated, but I think we’re doing it in the right way,” he said in 2014—so the House bill would largely codify accepted practice into law, at least as far as the FBI is concerned.