In a rare win for privacy, the House of Representatives voted unanimously today to close a loophole in an existing law that allows the government to access emails stored in the cloud without a warrant. The vote sets up a fight in the Senate that may presage other battles over the proper limits on surveillance to come later in the year.
The new legislation reforms a thirty-year-old statute called the Electronic Communications Privacy Act (ECPA). Under ECPA, if an email has been stored for at least 180 days, the government can access that message with no more than a subpoena or court order. That means, if for some reason the FBI wanted to read the email you sent your mother on her birthday in August, they could do so without probable cause.
The “180-day rule” is a relic. ECPA passed in 1986, three years before Tim Berners-Lee invented the World Wide Web. Email was done in terminals at big research universities. The first commercial email services, MCI Mail (’88) and Compuserve (’89), were still years away. Electronic storage was prohibitively expensive. Email providers rarely held on to messages for more than a few months. Emails over 180 days old, to the extent they existed, were considered “abandoned property.” Congress didn’t contemplate a future in which our email inboxes stretched back years. Today, people store hundreds of thousands of emails in the cloud, amounting to an intimately detailed portrait of a person’s life and thoughts. And under ECPA, the vast majority of them are fair game.
Emails over 180 days old, to the extent they existed, were considered “abandoned property.”
The Email Privacy Act (H.R. 387) accounts for this revolution in electronic communication and cloud storage, doing away with the baseless and outdated “180-day rule” and requiring law enforcement to seek a search warrant to access email content—regardless of its age. In effect, this ratifies the Sixth Circuit’s 2010 decision in United States v. Warshak that there is a “reasonable expectation of privacy” in the content of emails stored on third-party servers and that email content is protected by the Fourth Amendment. As of late, the FBI has been requiring law enforcement officials to obtain a search warrant for email content, and most service providers will not give up their users’ messages without one. In other words, the Email Privacy Act codifies existing procedure and gives it the force of law.
Despite the House’s near unanimity, the bill faces an uncertain future in the Senate, where a largely pro-law enforcement Judiciary Committee has control over whether the bill advances. Similar legislation passed the House unanimously last session, but fell apart in the Senate over a series of amendments proposed by members of the Judiciary Committee.
One, introduced by Jeff Sessions, would have created an “emergency” exception to the warrant requirement—mandating that companies comply with a warrantless request for data if federal, state, or local law enforcement deem it an “emergency.” Under existing law, companies are permitted, but not required, to comply with emergency requests. (They usually do.) Under the Sessions amendment, compliance is mandatory, and law enforcement determinations of “emergency” conditions would not be subject to post-hoc judicial review (as is required under the Wire Tap Act and the Foreign Intelligence Surveillance Act). In effect, the amendment would have significantly expanded the unaccountable search powers of the state.
Another amendment, introduced by John Cornyn (R-TX) and heavily favored by the FBI, would have allowed the bureau to obtain users’ browsing history—excluding content, like search terms, but including how long you spend on a given site—via National Security Letter (NSL), a form of administrative subpoena. Like other NSLs, subpoenas for browsing data would have come with a gag order prohibiting companies from disclosing that they’ve received the subpoenas.
Finally, at the behest of the Securities and Exchange Commission, Senator Dianne Feinstein (D-CA) pushed for a “carve out” in an updated ECPA for civil agencies, who rely on the subpoena power in their investigations.
Last year, these amendments amounted to a poison pill for the coalition of privacy advocates and tech companies pushing the bill. The Senate bill never left committee. Although Sessions is gone, the power dynamics of the Senate Judiciary Committee remains largely the same. Ditto the pressures from law enforcement and civil agencies. If and when the Senate takes up a companion bill to the Email Privacy Act, the same morass of competing interests is likely to stymie reform efforts once again.
The Trump Factor
There is also, of course, the Trump factor. The Email Privacy Act could provide a telling litmus test for whether the administration’s hardline stance on national security extends to pro-privacy legislation with broad bipartisan support. It will be interesting to see whether Senate Republicans who supported ECPA reform last session respond to the administration’s ratcheted up anti-terror rhetoric by backing away from the measure now. And if the administration signals disapproval of the measure, it remains to be seen whether that galvanizes the Democratic base, which has recently become reinvigorated around civil liberties issues.
Perhaps most compellingly, the debate over the Email Privacy Act, if one ensues in the Senate, will provide a useful preview for the higher stakes fight to come later in the year, when a set of key surveillance provisions are set to expire. The impending sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA)—which authorizes the National Security Agency’s PRISM program—has already prompted a reform effort from privacy advocates and will reignite the debate over the proper limits of the NSA’s spy powers.
Generally speaking, the political terrain for civil liberties advocates in the Trump era is bleak. Trump’s apparent disinterest in constitutional constraints and hostility toward the judiciary does not bode well. Nor do his promises to surveil mosques, create a Muslim registry, bring back torture, and reinstate stop-and-frisk. The prospects for pro-privacy reform, from ECPA to FISA, will depend on the willingness of pro-liberty Republicans to stand with ACLU Democrats against the Trump White House—as they did on occasion under Obama. I’m not holding my breath.