Law-enforcement officials and federal investigators argued Tuesday that Congress should tread carefully in amending a 1986 electronic privacy law that lets the government demand emails and other online records.
The House Judiciary Committee’s hearing on updating the Electronic Communications Privacy Act (ECPA) pitted officials from the Securities and Exchange Commission (SEC), the National Association of Assistant United States Attorneys, and the Tennessee Bureau of Investigation against representatives from Google and the Center for Democracy and Technology. The major point of contention: how far ECPA reform should go in requiring the government to get a warrant to demand electronic records.
ECPA allows law-enforcement agencies to demand records older than 180 days using a subpoena instead of a criminal warrant, and a large bipartisan coalition of lawmakers in both chambers of Congress wants to change that. But civil agencies like the SEC, which cannot issue criminal search warrants, worry that eliminating the subpoena option would make their investigations much harder.
“Courts have routinely held that subpoenas satisfy the reasonableness requirement of the Fourth Amendment.”
The House’s ECPA reform bill is H.R. 699, the Email Privacy Act. In September, the Senate Judiciary Committee held a hearing—featuring many of the same witnesses—to discuss its companion bill, the ECPA Amendments Act of 2015. Both bills have long lists of Republican and Democratic cosponsors. Past ECPA reform bills also received vast bipartisan support, but warrant concerns from the SEC, the Federal Trade Commission, and other civil agencies have stymied their progress.
Rep. Bob Goodlatte (R-Va.), the Judiciary Committee chairman, sympathized with those concerns. “Congress should … continue to ensure that civil investigative agencies are able to obtain electronic communication information for civil violations of federal law,” Goodlatte said in his opening remarks. “Courts have routinely held that subpoenas satisfy the reasonableness requirement of the Fourth Amendment.”
But in his prepared testimony, Richard Salgado, Google’s director for law enforcement and information security, argued that such an exemption for civil agencies made no sense.
“The power to compel [Internet service] providers to disclose the content of users’ communications should be reserved for criminal cases,” he said. “Congress should be deeply skeptical of efforts to draft around the Fourth Amendment, which is what some governmental entities are asking it to do.”
Federal agencies don’t have to start by subpoenaing the target’s Internet service provider, Salgado said; they can first subpoena the target. “This is, of course, how civil litigation routinely works,” he said. “There is no reason to radically alter our civil litigation system simply because of the advent of cloud computing, which enables litigants to theoretically obtain the same data from service providers like Google.”
If the target doesn’t turn over the requested records, Salgado pointed out, the SEC and other agencies have a wide range of options, including getting a judge to financially penalize the target.
Internet companies like Google, under new pressure to protect their customers’ privacy following Edward Snowden‘s revelations about NSA surveillance, have strongly resisted what they consider attempts to water down ECPA reform.
Steven Cook, president of the National Association of Assistant United States Attorneys, objected to the Email Privacy Act’s exclusion of certain common exceptions to the warrant requirement. The bill does not allow federal agencies to forgo warrants in “exigent circumstances,” a fact that Cook said would create “an unprecedented and unnecessary barrier to law enforcement access.”
“It is well settled that a warrantless search may be conducted of a person’s most private place—his or her home— if exigent circumstances exist,” Cook told the committee, according to his prepared testimony. “There is simply no reason to provide email communications with more protection than that afforded to a person’s home.”
But ECPA does allow federal agencies to request records without a warrant in exigent circumstances; Internet companies simply don’t have to comply. Requiring compliance, said Chris Calabrese, vice president for policy at the Center for Democracy and Technology, would “raise significant privacy and security problems.”
As Tuesday’s ECPA hearing approached, supporters of reform mobilized to highlight the broad public support for change. The Digital 4th Coalition, a pro-reform group, released a poll showing that 86 percent of Americans wanted ECPA reform, with 77 percent saying that a warrant should be necessary no matter how old the targeted records are. In separate statements, CompTIA, TechNet, and the Consumer Technology Association, three powerful tech trade groups, urged Congress to update the law.
Illustration by Jason Reed