SEC, DOJ And Law Enforcement Want To Rewrite Email Privacy Law Update… In Their Favor
from the updated-for-government-needs-and-wants dept
The SEC (Securities and Exchange Commission) has been fighting much-needed updates to the ECPA (Electronic Communications Privacy Act) for a few years now, claiming that treating old email like new email would somehow strip it of its power to investigate and punish wrongdoing. For no discernible reason, legislators decided to treat electronic mail like physical mail, designating unopened emails over six months old “abandoned” and accessible by almost anyone using nothing more than a subpoena.
Moving the law towards logic would insert a warrant requirement for old emails, bringing them under the same protection as emails less than 180 days old. But it’s not just the SEC that’s resistant to changing the law. It’s also local law enforcement and the DOJ itself, both of which have greater powers than the SEC when it comes to accessing electronic communications.
The most recent hearing featured testimony from the SEC, DOJ and, for no discernible reason, the Tennessee Bureau of Investigation. The consensus is that the law should be updated, but not that part of it (SEC) and only if it makes it easier for law enforcement to obtain more stuff without warrants (DOJ, TBI).
The SEC’s argument against the introduction of a warrant requirement is that it would prevent the agency from obtaining other user data from ISPs using only a subpoena, glossing over the fact that it likes having warrantless access to tons of email.
When we conduct an investigation, we generally will seek emails and other electronic communications from the key actors via an administrative subpoena – a statutorily authorized mechanism for gathering documents and other evidence in our investigations. In certain instances, the person whose emails are sought will respond to our request. But in other instances, the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct. In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.
It is at this point in an investigation that we may in some instances, when other mechanisms for obtaining the evidence are unlikely to be successful, need to seek information from the internet service provider (ISP). H.R. 699 would require government entities to procure a criminal warrant when they seek the content of emails and other electronic communications from ISPs. Because the SEC and other civil law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather evidence, including communications such as emails, directly from an ISP, regardless of the circumstances.
As is (sort of) admitted in the SEC’s testimony, the current law provides more protection for physical documents than electronic ones. However, SEC Director Andrew Ceresney spins this as an argument against modifying the ECPA.
Some have asserted that providing civil law enforcement with an ability to obtain electronic communications from ISPs in limited circumstances would mean electronic documents enjoy less protection than paper documents. That is not accurate. Indeed, as currently drafted, H.R. 699 would create an unprecedented digital shelter – unavailable for paper materials – that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.
The DOJ and Tennessee Bureau of Investigation also express alarm at the proposed rollback of subpoena powers, but they use the kidnapping of children, rather than financial misconduct, as their starting points.
While the DOJ admits the 180-day cutoff period makes very little sense, it suggests no fixes along those lines. Instead, it suggests warrant exceptions for Pen Register statutes (information about communications) be aligned with those in the Wiretap Act (the communications themselves) so DOJ agencies can acquire the data along with the communications when operating a wiretap. It makes a certain amount of sense, but it’s actually just the DOJ asking for the less-stringent set of exceptions (tied to the Wiretap Act, believe it or not) to be applied across the board.
It also asks for legislators to better define what can be accessed with certain orders to eliminate “inconsistency” in judge behavior.
The Fifth Circuit has interpreted this provision to require a court to issue a 2703(d) order when the government makes the “specific and articulable facts” showing specified by § 2703(d). See In re Application of the United States, 724 F.3d 600 (5th Cir. 2013). However, the Third Circuit has held that because the statute says that a § 2703(d) order “may” be issued if the government makes the necessary showing, judges may choose not to sign an application even if it provides the statutory showing. See In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). The Third Circuit’s approach makes the issuance of § 2703(d) orders unpredictable and potentially inconsistent; some judges may impose additional requirements, while others may not.
(Hey, judicial inconsistency isn’t much fun for defendants, either.)
Once again, the DOJ is looking for a less-stringent standard to be applied, rather than truly looking to bring this law into the 21st century. Its plea for “technologically-neutral” handling of communications data is similarly focused on applying a lower standard to the acquisition of communications, no matter their source.
The Tennessee Bureau of Investigation, on the other hand, argues that an updated ECPA would put too much power in the hands of ISPs and other entities responsive to law enforcement warrants and subpoenas.
H.R. 699 goes far beyond the commonly stated goal of modernizing ECPA by requiring a search warrant for all stored content. In fact, it creates protections for a wider range of stored electronic evidence that could pose a greater hindrance to law enforcement than protections afforded evidence stored on a computer inside a house or office. Searches in response to ECPA process are performed by service providers, not by law enforcement officers, and H.R. 699 extends the notice provisions previously necessary only with lesser levels of process like subpoenas along with the probable cause standard. The end result is that law enforcement has to get a search warrant to access more evidence, and must bear the added burden of notice requirements that were previously limited to lesser process, without the benefit of controlling the execution of the warrant.
Apparently, any increase in difficulty — no matter its relation to the Fourth Amendment — is unacceptable.
Because H.R. 699 in its current form imposes burdens that will make our job harder without offering any relief in other areas, we urge the committee not to pass H.R. 699 without amending the bill to reflect greater sensitivity to the concerns of the state and local law enforcement community. When we have to get a warrant, it should mean something; right now, H.R. 699 turns the compulsory process of a search warrant into a subpoena with a higher proof requirement.
The Bureau’s Richard Littlehale further lays out his argument for lowered requirements by claiming entities being served with legal paperwork have been less than helpful in the past.
In many instances, we are unable to utilize evidence that would be of enormous value in protecting the public because the technologies used to carry and store that information are not accessible to us, no matter what legal process we obtain. That may be because of technological problems, but just as frequently it is because of non-technical barriers to access. The companies that retain these records are often unable or unwilling to respond to law enforcement’s lawful demands in a timely manner, and there are few consequences for an incomplete or inaccurate response. The primary emergency disclosure provision in the section of ECPA that we use to obtain stored content is voluntary for the providers, not mandatory, and even where emergency access is granted to law enforcement, in some instances, there is insufficient service provider compliance staff to process legitimate emergency requests quickly.
Littlehale’s argument appears to be a paraphrasing of Pat Paulsen’s satirical campaign slogan: if we (law enforcement) have to up our standards, up theirs! He apparently feels ISPs, etc. don’t face enough legal penalties for not immediately handing over everything law enforcement demands, whether they have the capability to do so or not. Littlehale wants warrant service under a modified ECPA to more closely resemble warrant service at a residence: where cops announce their presence after they’ve entered and destroyed everything they touch in search of evidence. He can’t handle the fact that private entities maintain control of digital communications sought and that his agency (and others) must approach them (rather than drive up on their lawns and shoot grenades through their windows) with the proper paperwork and wait until responsive information is gathered and turned over.
Much like the DOJ and the SEC, Littlehale doesn’t want an updated law. He wants a law rewritten to treat digital communications like physical communications, bringing the barrier to access and the expectation of privacy down to the lowest level possible. That’s what is really being discussed here. Not a rewrite of an outdated law to reflect the reality of modern communications, but ways to make an already law enforcement-friendly law even friendlier.