By: Su Mien Tee
On March 19, 2013, the House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing on ECPA reform. The Department of Justice, in its testimony before the Subcommittee, reversed its long-held stance that a warrant should not be required before government officials can obtain stored information, and in a statement made by Elana Tyrangiel (Acting Assistant Attorney General of the Office of Legal Policy), endorsed a crucial point of reform advocated by policy advocates, public interest groups and privacy experts, that the same protection afforded to letters and phone calls (Ex Parte Jackson, 96 U.S. 727 (1877) and United States v. Katz, 389 U.S. 347 (1967)).
Title II of the Electronic Communications Privacy Act (ECPA, Pub. L. 99-508, 100 Stat. 1848), the Stored Communications Act (SCA, 18 U.S.C. Chapter 121 s 2701 – 2712), addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records”. Orin Kerr explains the s 2703 regime in terms of an “upside-down pyramid”:
– A simple subpoena is needed to compel basic subscriber information (s 2703(c)(2)),
– A s 2703(d) order compels all non-content records (s 2703(c)(1)(B)),
– A simple subpoena combined with prior notice compels:
    - Basic subscriber information (s 2703(c)(2)),
    - Any opened emails or other permanently held files (s 2703(b)), and any contents in temporary ‘electronic storage’ such as unretrieved emails in storage for more than 180 days (s 2703(a));
– A search warrant is needed to compel anything stored in an account (s 2703(a)-(c)) which includes unopened email stored for less than 180 days.
[see Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, (2004) George Washington Law Review, Vol. 72, No. 6]
The DOJ stated that “some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications”, and that there is “no principled basis to treat email less than 180 days old differently from email more than 180 days old”. Currently, disclosure of the latter can be compelled with a subpoena and prior notice.
It went on to reject the distinction between opened and unopened emails, stating that it does not make sense for the SCA to accord lesser protection to opened emails than it gives to emails that are unopened. It also essentially endorsed the application of the probable cause standard for a warrant to compel disclosure of stored email and all similar stored content information, saying that they “appreciate the appeal of this approach and believe that it has considerable merit”.
This warrant standard is also reflected in Google’s official statement (January 28, 2013) on its approach to government requests for user data – requiring a search warrant before handing over users’ emails to law enforcement (which is not required by ECPA currently). The same standard was endorsed by Richard Salgado, Director of Law Enforcement and Information Security of Google Inc, who similarly testified with Tyrangiel before the Subcommittee on March 19, 2013. (His written testimony is available here.)
The removal of the 180-day rule is also reflected in the Leahy-Lee Bill (introduced on March 19, 2013 by Senator Patrick Leahy and Senator Mike Lee) to reform ECPA, which would require government officials to obtain a warrant in order to require ISPs or other online service providers to disclose the private communications of their users, essentially extending the warrant standard for postal letters to email.
(Leahy-Lee Bill accessible at http://www.leahy.senate.gov/download/ecpa-bill-2013.
Read more about the Leahy-Lee Bill and ECPA reform at http://www.slate.com/blogs/future_tense/2013/03/19/patrick_leahy_introduces_legislation_to_update_ancient_electronic_communications.html )
This approach is very welcome, given that the 180-day rule appears to have little bearing on the expectation of privacy that Internet users have about their emails. Whether an email is opened or unopened by the intended recipient has very little bearing on whether or not the content remains private; whether it has been kept for 179 days or 181 days has even less bearing on the extent of the privacy of the contents. People reasonably expect that the contents of their email communications be kept private and not subject to government searches and seizures, especially given the central role that an individual’s email account plays in his or her private life and the intimate and private information it contains.
Reform of ECPA will have to address the gaps in ECPA that have been opened up by changes in technology, and the Leahy-Lee Bill, if passed, may go a little way in enhancing individuals’ Fourth Amendment rights. This is crucial given the increasingly fine line between content and non-content in today’s world, especially in light of information like URLs and even to and from addresses, which may reveal more than simply addressing information or identity (in the case of email addresses, where email handles may be traced to other similar internet profiles, etc.).
[Note, however, that the DOJ’s new stance has not been received with too much optimism – skeptics have pointed out that the testimony also raises issues which may weaken current privacy protections, including by “making the standard for non-content records technology-neutral, allowing the government to use subpoenas to compel disclosure of addressing information associated with email and other electronic communications”. See criticisms by the Center for Democracy and Technology here.]