Email Privacy: Change is Coming

What’s more valuable: individual privacy or society’s security?  It’s not a new debate, but it’s one that is getting a lot of attention in Washington of late. The battle between the FBI and Apple over accessing a terrorist’s iPhone has highlighted the tension between the oft competing goods of protecting society from harm and protecting the confidentiality of people’s personal information and communications. While the debate over encryption rages, there has been much agreement and progress on a bill to update the law that relates to government access to email and other electronic communications.

CURRENT LAW

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted to modernize the Federal Wiretap Act to include the interception of electronic and digital communications. The law seeks to protect the privacy of personal communication while setting parameters around the collection of evidence for criminal investigations.

Title II of ECPA deals with stored communications — for example emails sitting on a remote server or in the cloud.  The law as currently written treats the same types of communications differently depending on where and how long they are stored.  As a result, the hoops that law enforcement has to jump through to get to your emails that sit on your home computer are more challenging than the hurdles they need to clear to get to old emails that your email provider (e.g., Google, Yahoo, Verizon) may have stored.  If a service provider has stored emails that are over 180 days old, then all that is needed to access them under ECPA is an administrative subpoena. On the other hand, a warrant would be necessary to search your home computer. (A warrant requires judicial approval based on probable cause — think 4th amendment rights).  The lower standard for accessing older, remotely stored communications has been deemed a “loophole” in the law that defies individual expectations of privacy.

REFORM TO RESTORE PRIVACY

Times have certainly changed since 1986, and there’s broad support for updating the ECPA to give individuals more protection and peace of mind. In Congress, the Email Privacy Act (H.R. 699) to reform ECPA has received the support of over 300 cosponsors in the House (well more than half). Still, the bill has lingered because law enforcement and agencies, who are understandably loathe to make their jobs more difficult when conducting investigations, have raised concerns. Last week, the House Judiciary Committee passed the Email Privacy Act after negotiating changes to address some objections.

The version of the legislation supported unanimously by the House Judiciary Committee would create a uniform federal standard for warrants under ECPA.  Government entities will need a warrant to require the disclosure by service providers of the content of their customers’ emails, texts, and the like.  Notably, the bill does not require that the target of the investigation is made aware of the request for their communications. However, the company may inform its customer as long as a court doesn’t ask for a delay in notification. (You may have heard that last week, Microsoft filed suit against the Federal government over “secrecy orders”, where the company cannot inform customers about orders to turn over their emails if there is “reason to believe” that disclosure could endanger life or jeopardize an investigation. In some cases, the time frame for required secrecy is indefinite).  Under the bill, some information may still be obtained by investigators by means other than a warrant, including subscription information and commercial public content.

NEXT STEPS and BEYOND

The unanimous support for the Email Privacy Act in the House Judiciary Committee gives the legislation momentum.  The full House is expected to vote on the bill later this month. The Senate has its own bill, and House action certainly gives it a boost.

More broadly, the ability to move this bill in a bipartisan manner gives hope for progress on other digital privacy bills dealing with issues such as geolocation and data stored overseas.  One may also hold out hope that some bipartisan consensus is possible on the higher profile and more complicated encryption debate.   There seems to be almost daily activity on that topic, including a hearing today in the House Energy and Commerce Committee where law enforcement and the tech industry will testify, to give us more clues as to how a balance may be struck in that debate.