Most Americans assume that their e-mails have always been protected by the Fourth Amendment and that law enforcement agencies would need a warrant to gain access to them. That has been both true and not true at the same time for almost 30 years. For as long as e-mail has been a regular form of communication, Congress has allowed the Fourth Amendment to protect some e-mail, but has also allowed any messages stored on a mail server for 180 days or longer to be seized without a warrant. Now, finally, there is a real chance that could change. And federal bureaucracy is doing all it can to keep that from happening.
When the Electronic Communications Privacy Act (ECPA) was written in 1986, e-mail providers rarely kept e-mails on their servers for more than 60 days. In most cases, they were deleted after 30 days. In many cases they were deleted from the servers immediately after a user downloaded the e-mails to his computer. In the days before multi-gigabyte online storage, most people used e-mail programs, such as Outlook, to retrieve and store e-mail on their computers. While any e-mail stored on a user's computer was considered private information in his possession — and therefore protected by the Fourth Amendment — e-mail stored on a server was considered to be in the hands of a third party and not protected. ECPA allowed police agencies to obtain any e-mails more than 180 days old without a warrant. All that was needed was a subpoena — which does not require probable cause.
The "reasoning" was that any e-mail left on the server that long was considered abandoned. Never mind that it was never deleted by the user or that some people used their e-mail provider's server as an archive for important e-mail they may want to access in the future. Any e-mail on the server for six months or longer was fair game without any probable cause.
Even if such a policy made sense then (and this writer asserts that it did not), it certainly doesn't make sense now. With nearly everyone using online e-mail services, such as Gmail, most e-mail is never "downloaded" to a computer. Even if it is, e-mail providers do not delete old emails by default anymore. With online storage being both plenteous and free, many e-mail users keep e-mails for much longer than the arbitrary 180 days' "statute of limitations" ECPA places on the Fourth Amendment's protection of them. How many e-mails do any of us have that are months — even years — old? Hundreds? Thousands? ECPA allows law enforcement agencies and others to gain access to them without any judicial oversight whatsoever.
There have been attempts to reform and amend ECPA before now. All have failed. Now, there are bipartisan bills in both the House and the Senate that have the support of the White House, the tech industry, and privacy advocates. The bills are not perfect, but they are a huge step in the right direction. The bills would amend ECPA to require a warrant for law enforcement agencies to access all e-mails, regardless of their age, and require the agency which accessed the e-mails to inform the owner of the account that it had done so within 10 days in most cases.
H.R. 699, the Email Privacy Act, is sponsored by Representative Kevin Yoder (R-Kan.) and Representative Jared Polis (D-Colo.). According to the bill's summary, it:
Requires the government to obtain a warrant from a court before requiring providers to disclose the content of such communications regardless of how long the communication has been held in electronic storage by an electronic communication service or whether the information is sought from an electronic communication service or a remote computing service.
A statement from Representatives Yoder and Polis appears on Yoder's page on the House website. It says, in part:
Under the Electronic Communications Privacy Act of 1986, government agencies are free to obtain any digital communication sitting on a third-party server for more than 180 days—or six months—without first showing probable cause. Yes, you read that correctly. The law governing our digital privacy protections from government intrusion was written two years after Apple released the first Macintosh computer.
Why? Lawmakers didn't foresee the evolution of email. They reasoned that if an individual was leaving an email on a server for more than six months, it was akin to that person leaving their paper mail in a garbage can at the end of their driveway. Thus, that individual had no reasonable expectation of privacy for that email under the Fourth Amendment.
As we know all too well in 2015, that theory is entirely wrong. Consumers routinely store emails on third-party servers for months and even years. To argue that these emails, which may include sensitive or confidential personal information, should somehow be exempt from basic privacy protections is preposterous. Yet, the IRS and other government agencies maintain Americans have no expectation of privacy with respect to their old emails and continue to rely on an arcane 1986 law to govern digital privacy protections.
H.R. 699 already has more than 260 cosponsors and is supported by groups as widely diverse as the Heritage Foundation and the American Civil Liberties Union.
The Senate companion bill is S. 356, the Electronic Communications Privacy Act Amendments Act of 2015, sponsored by Senator Mike Lee (R-Utah) and Senator Patrick Leahy (D-Vt.). It is nearly identical to H.R. 699 and has the same widespread, bipartisan support.
So, the House, the Senate, the White House, the tech industry, privacy advocates, and public policy groups on both ends of the political spectrum all like the amendments to ECPA. So what is the problem? Who is against it? Put simply, it's the bureaucrats. The Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC) claim they would be crippled by the proposals because they do not have the authority to get warrants. They want to see the bills changed to allow them to get court orders to access e-mails. They would not need probable cause and the language they are proposing would eliminate the 180 days they have to wait now before peeking into Americans' inboxes.
The SEC and other civil agencies that lack warrant authority oppose the categorical "warrant-for-content" requirement in current legislative proposals: the Electronic Communications Privacy Act Amendments Act (S. 356) and the Email Privacy Act (H.R. 699). The SEC panelist testified that the agency wants to be able to easily access user content stored by third-party service providers, albeit with notice to the accountholder so that he or she may "challenge the request in a judicial proceeding."
As Chris Calabrese from the Center for Democracy & Technology stated during the hearing, the SEC's proposal is "a huge power grab by civil agencies." Because ECPA already requires a warrant for user emails and other communications content stored by third-party service providers that are up to 180 days old, the SEC's proposal would give it more power than it has today.
Additionally, the SEC is vague about what legal standard its "requests" (also referred to as "court orders" during the hearing) would have to meet. Although notice to the user and court oversight would be good (users do not get to challenge warrants in court before they are issued), Calabrese was right to clarify that a probable cause warrant is more protective of user privacy than a "court order" issued to a third-party service provider that would likely be based on a lower relevance standard.
So, while many are trying to scale back the power of government to invade the privacy of Americans, the SEC, FTC, and FCC want to increase their snooping abilities. As this writer has said before, there is no line of demarcation between digital liberty and any other liberty. These bills may be the best bet America has of regaining some of that liberty. But for that to happen, concerned citizens need to put pressure on Congress to pass the bills without the changes the SEC and other agencies want.