In the post-Edward Snowden world of uncertainty and mistrust surrounding electronic surveillance, one reform stands out both for its sensibility and the broad political support it has engendered: updating the 1986 Electronic Communications Privacy Act, or ECPA. Electronic communications have significantly evolved over the past 25 years, and the laws regulating government access to them should be updated.
This common-sense reform already enjoys overwhelming bipartisan support in Congress. It is time for the Obama administration to get behind this win-win legislation and begin to restore Americans’ confidence that their privacy will be protected in the global information age.
When ECPA was enacted, cloud computing did not exist and electronic mail was only in its infancy. Data storage was expensive and email service providers often routinely deleted messages after as little as 30 days. As such, the law treated emails that are more than 180 days old as abandoned property that the government could obtain from Internet service providers, or ISPs, with only an administrative subpoena—a lower standard than a warrant that comes with judicial oversight. The prevalence of cloud storage now means the opposite is true of current email, and ISPs now have the capacity to routinely keep emails well beyond 180 days.
A bill introduced by Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT)—the Electronic Communications Privacy Act Amendments Act of 2013—would update ECPA to eliminate the 180-day rule. This common-sense legislation sailed through the Senate Judiciary Committee on a voice vote earlier this year and is now awaiting floor action.
This bill would bring the statute in line with a 6th Circuit Court ruling from 2010 in United States v. Warshak that held that it was unconstitutional for the government to obtain emails greater than 180 days old without a warrant. That decision—which is only controlling in the jurisdiction of the 6th Circuit—prompted many ISPs to determine that they cannot provide emails to the government without a warrant regardless of their age. But some federal prosecutors, criminal investigators, and regulatory agencies, particularly the Securities and Exchange Commission, or SEC, want to preserve the ability to obtain these emails with only an administrative subpoena outside of judicial supervision.
The crux of the SEC’s argument against the reform is that requiring a warrant to obtain such emails from an ISP also requires alerting the target of an investigation that such a search has taken place, potentially allowing them to destroy data that would be responsive to the warrant or even cease unlawful activity that could bolster the government’s case. The Leahy-Lee bill would require that the target be notified that a warrant had been served, but only within 10 days, which would give investigators some time to review the information and possibly even seek more data. In addition, the investigating agency can also request that the ISP preserve all the target’s data—protecting against any action by the target to delete responsive information—prior to the warrant being served and well in advance of the notification requirement deadline.
The potential harm to criminal or civil investigations is extremely low and not unlike the judgments that investigators must routinely make regarding when to alert a target of a probe into their activities. And given the realities of modern technology, it is absurd to argue that an American’s expectation of privacy for a stored email should be different whether it is 181 days old or 179 days old.
This is a simple change in the law that would not unduly interfere with the executive branch’s ability to investigate criminal and civil violations of the law. It is a logical extension of the protections of Americans’ privacy that reflects our current technological capabilities. It deserves the Obama administration’s support.
Ken Gude is a Senior Fellow at the Center for American Progress.