As we anticipated, the Senate Judiciary Committee's recent hearing on reforming the Electronic Communications Privacy Act focused on creating a loophole for civil law enforcement agencies like the Securities and Exchange Commission (SEC) to access personal content stored by third-party service providers without a warrant, rather than on the need to raise the standard for government access to email and other stored content across the board.
The SEC and other civil agencies that lack warrant authority oppose the categorical “warrant-for-content” requirement in current legislative proposals: the Electronic Communications Privacy Act Amendments Act (S. 356) and the Email Privacy Act (H.R. 699). The SEC panelist testified that the agency wants to be able to easily access user content stored by third-party service providers, albeit with notice to the accountholder so that he or she may “challenge the request in a judicial proceeding.”
As Chris Calabrese from the Center for Democracy & Technology stated during the hearing, the SEC’s proposal is “a huge power grab by civil agencies.” Because ECPA already requires a warrant for user emails and other communications content up to 180 days old that are stored by third-party service providers, the SEC’s proposal would give it more power than it has today.
Additionally, the SEC is vague about what legal standard its “requests” (also referred to as “court orders” during the hearing) would have to meet. Although notice to the user and court oversight would be good (users do not get to challenge warrants in court before they are issued), Calabrese was right to clarify that a probable cause warrant is more protective of user privacy than a “court order” issued to a third-party service provider that would likely be based on a lower relevance standard.
Warrants must be based on probable cause that the user’s emails or other content contain evidence of a crime, and the government must present specific facts under oath before a judge supporting the assertion of probable cause. By contrast, whatever legal standard the SEC envisions for its “requests” or “court orders” is surely lower than probable cause. It is probably relevance, which is the extremely low and hugely broad legal standard used for subpoenas.
Given the vast amount of highly personal information now stored in the “cloud,” it is unacceptable that such information would have so little protection because it is stored digitally—compared to being stored in someone’s home or office, where the Fourth Amendment clearly applies.
Moreover, we are skeptical that civil law enforcement agencies have a problem at all. In April, the SEC chairwoman testified that the agency does not use existing “administrative” (i.e., investigative) subpoena authority to obtain user content from third-party service providers. The panelist from the Federal Trade Commission, another civil law enforcement agency, admitted the same thing during this week’s hearing. And while the SEC panelist implied that the agency sometimes uses administrative subpoenas consistent with ECPA to obtain (presumably older) emails, it is not clear how or why this has changed since April.
Sen. Mike Lee (R-Utah), an original sponsor of S. 356, mentioned another risk of carving out such expansive authority for civil law enforcement agencies: criminal law enforcement agencies will use civil agencies as proxies to get around the warrant requirement—meaning that a civil law enforcement agency could use the lower legal standard to obtain user content from third-party service providers and then share that content with criminal investigators.
We urge you to contact your senators and representatives and demand that they pass a “clean” ECPA reform bill that protects personal content stored in the “cloud” the same way the Fourth Amendment clearly protects personal content stored in a home or office—with a probable cause warrant.