Agencies Say They Need Access to Americans’ Emails Without a Warrant

But the FTC and SEC have not used the current subpoena process in five years.

Bas relief at the Federal Trade Commission building in Washington.
Buyenlarge AFP/Getty
Add to Briefcase
Kaveh Waddell
Sept. 16, 2015, 12:37 p.m.

A bi­par­tis­an bid to re­form an elec­tron­ic-pri­vacy law has the sup­port of the tech com­munity and the White House, but fed­er­al law en­force­ment of­fi­cials tell Con­gress the changes would hamper civil pro­sec­u­tion.

Civil law en­force­ment agen­cies like the Fed­er­al Trade Com­mis­sion and the Se­cur­it­ies and Ex­change Com­mis­sion would not be able to ob­tain crit­ic­al in­form­a­tion if the law were changed to re­quire crim­in­al war­rants for ac­cess to data stored on cloud ser­vices, ac­cord­ing to wit­nesses from those agen­cies testi­fy­ing in front of the Sen­ate Ju­di­ciary Com­mit­tee Wed­nes­day.

The law en­force­ment of­fi­cials were re­act­ing to bills from Sens. Mike Lee and Patrick Leahy, and Reps. Kev­in Yo­der and Jared Pol­is, that aim to up­date the Elec­tron­ic Com­mu­nic­a­tions Pri­vacy Act, or ECPA.

In its cur­rent form, ECPA pro­tects emails from gov­ern­ment snoop­ing for 180 days. When the law was ini­tially drawn up in 1986, email pro­viders routinely re­moved emails from their serv­ers a month or two after they were de­livered; users would gen­er­ally down­load the mes­sages they in­ten­ded to keep. Whatever re­mains on an email serv­er after 180 days is fair game for gov­ern­ment to ac­cess, with just a sub­poena—not a war­rant.

Today, ubi­quit­ous cloud-based email sys­tems like Gmail, which of­fer giga­bytes of stor­age for free, al­low the av­er­age user to keep his or her mes­sages—and cal­en­dars, con­tacts, notes, and even loc­a­tion data—on a pro­vider’s serv­ers in­def­in­itely.

The ECPA Amend­ments Act would re­quire law en­force­ment to get a war­rant to ac­cess serv­er-hos­ted in­form­a­tion, no mat­ter how old, and would re­quire the gov­ern­ment to no­ti­fy an in­di­vidu­al that his or her in­form­a­tion was ac­cessed with­in 10 days, with cer­tain ex­cep­tions.

But law en­force­ment of­fi­cials ex­pressed op­pos­i­tion to some of the bill’s pro­posed changes, ar­guing that its re­quire­ment for crim­in­al war­rants could leave civil lit­ig­at­ors without ac­cess to im­port­ant elec­tron­ic in­form­a­tion.

“The bill in its cur­rent form poses sig­ni­fic­ant risk to the Amer­ic­an pub­lic by im­ped­ing the abil­ity of the SEC and oth­er civil law en­force­ment agen­cies to in­vest­ig­ate and un­cov­er fin­an­cial fraud and oth­er un­law­ful con­duct,” said An­drew Ceres­ney, dir­ect­or of en­force­ment at the Se­cur­it­ies and Ex­change Com­mis­sion.

Ceres­ney and Daniel Sals­burg—chief coun­sel for tech­no­logy, re­search, and in­vest­ig­a­tion in the FTC’s con­sumer pro­tec­tion branch—said the SEC and FTC are not look­ing for the au­thor­ity to ob­tain data with just a sub­poena, and in­stead pro­posed a sys­tem where they could ob­tain a court or­der for ac­cess to the data. Such a pro­cess would no­ti­fy the in­di­vidu­al be­ing in­vest­ig­ated and give him or her the chance to make a case in front of the judge be­fore an or­der is gran­ted or denied.

But des­pite their op­pos­i­tion to the pro­posed change to ECPA, neither the SEC nor the FTC has ob­tained emails through an ad­min­is­trat­ive sub­poena in the past five years, Ceres­ney and Sals­burg said Wed­nes­day.

Ceres­ney said the de­cision to avoid sub­poen­as was made “in de­fer­ence” to on­go­ing con­ver­sa­tions about ECPA re­form. A 2010 fed­er­al court or­der also bound the gov­ern­ment’s hands by de­clar­ing ECPA un­con­sti­tu­tion­al—a de­cision the ECPA Amend­ments Act in­tends to co­di­fy in­to law—but Ceres­ney said the SEC does not in­ter­pret the court’s de­cision as an im­ped­i­ment to us­ing sub­poen­as to ob­tain data.

The civil law en­force­ment of­fi­cials’ com­ments about ECPA re­form were met with im­me­di­ate back­lash from the tech com­munity, which has come out in strong sup­port of the changes.

“The FTC claims to be a cham­pi­on of con­sumer pri­vacy, yet the agency wants ac­cess to Amer­ic­ans’ data without a war­rant,” said Ber­in Szoka, pres­id­ent of Tech­Free­dom, a tech­no­logy think tank. “The Com­mis­sion’s testi­mony today con­firms long-stand­ing ru­mors that it will only sup­port ECPA re­form if it gets a carve-out from the bill’s war­rant re­quire­ment.

“This is the is­sue that has stalled ECPA re­form for over five years, des­pite over­whelm­ing bi­par­tis­an sup­port,” Szoka ad­ded. “The FTC’s testi­mony is care­fully craf­ted to sound reas­on­able, but the agency is simply help­ing to ob­struct the ma­jor pri­vacy re­form of our gen­er­a­tion.”

Ju­lie Brill, an FTC com­mis­sion­er, re­leased a state­ment Wed­nes­day in­dic­at­ing she dis­agreed with Sals­burg’s testi­mony. “I am con­cerned that a ju­di­cial mech­an­ism for civil law en­force­ment agen­cies to ob­tain con­tent from ECPA pro­viders could en­trench au­thor­ity that has the po­ten­tial to lead to in­va­sions of in­di­vidu­als’ pri­vacy and, un­der some cir­cum­stances, may be un­con­sti­tu­tion­al in prac­tice,” Brill said.

Google and BSA-The Soft­ware Al­li­ance, a prom­in­ent tech as­so­ci­ation, ap­peared in a sep­ar­ate wit­ness pan­el be­fore the com­mit­tee, call­ing for swift change in or­der to im­prove cus­tom­ers’ pri­vacy and al­le­vi­ate busi­ness pres­sures.

“By cre­at­ing in­con­sist­ent pri­vacy pro­tec­tion for users of cloud ser­vices and in­ef­fi­cient and con­fus­ing com­pli­ance hurdles for ser­vice pro­viders, ECPA has cre­ated an un­ne­ces­sary dis­in­cent­ive to move to a more ef­fi­cient, more pro­duct­ive meth­od of com­put­ing,” said Richard Sal­gado, the dir­ect­or of Google’s law en­force­ment and in­form­a­tion se­cur­ity branch.

This story was up­dated with a state­ment from FTC Com­mis­sion­er Ju­lie Brill.

Why You Should Care About Net Neutrality


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.