For nearly a year, the issue of NSA surveillance has dominated world headlines and been the topic of Presidential speeches and reform efforts in Congress. Meanwhile, another privacy reform—one that would require non-NSA agencies like the FBI and IRS to get a warrant to access your email—has steadily, if more quietly, gained momentum.
The Electronic Communications Privacy Act, or ECPA, is an outdated statute passed in 1986. It says that law enforcement and regulatory agencies can access without a warrant emails you store online for over 180 days and documents you keep in the cloud. ECPA is entirely ill-suited for today’s digital world, and both Democrats and Republicans agree. In the Senate, an ECPA reform bill introduced by Senators Patrick Leahy (D-VT) and Mike Lee (R-UT) has passed out of the Judiciary Committee, and in the House, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) have also introduced reform legislation. Cosponsorship for the House bill has ballooned to 211 Members from both sides of the aisle. With new cosponsors joining every week, the Yoder-Polis bill is sure to reach 218 cosponsors in the very near future. That will be a majority of the House, making passage of ECPA reform very likely if it is brought to a Floor vote.
Support for ECPA reform is widespread and bipartisan. Technology companies—including Google, Microsoft, and Facebook—want to see ECPA updated so they can guarantee their customers that their emails and online communications have the same protections from government snooping as postal mail. Startups want ECPA reform adopted, because they want assurance that their customers’ data is secure when entrusted to cloud services. And advocates from across the political spectrum support it, from the ACLU to Grover Norquist’s Americans for Tax Reform, because they share a vision of individual rights in the digital age.
The obvious question, then, is: If this is such a commonsense fix, why hasn’t a reform bill been enacted already? As anyone who has worked in Washington will tell you, passing any bill, even those with widespread support, can be difficult. All it takes is one snag to slow down the legislative process. In this case, the snag is coming from the regulators at the Securities and Exchange Commission (SEC), who want a special exception that would allow them to access emails with merely a subpoena, which unlike a warrant, doesn’t require a judge’s approval. There are glaring problems with the SEC’s push for warrantless snooping powers. One is that if the SEC were to get this authority, it would open up the doors for all other regulatory agencies, from the IRS to local housing authorities, to get the same power to access your email without a warrant. The second is that the SEC could share the information it gets with law enforcement agencies, effectively allowing them to skirt the warrant requirement. Finally, the SEC already has ample authority to access emails in a way that is much less privacy invasive. Right now, if the SEC needs an email for a civil investigation, it can serve a subpoena directly on the person under investigation, instead of surreptitiously serving a subpoena on the person’s email provider. Serving the subpoena directly on the target ensures that he or she can prevent the government from sweeping in all manner of sensitive personal data not associated with an investigation.
Recently, Obama Administration officials issued a privacy report calling for ECPA reform under the principle of tech neutrality, stating that all data, whether online or off, deserves the same protection from government snooping. Following this to its logical conclusion should mean that, just as the SEC can’t compel the Post Office to turn over your mail with just a subpoena, it shouldn’t be able to force Gmail or Hotmail to turn over your electronic mail.
If we are to fully enjoy the benefits that digital technology has to offer, consumers must be assured that their email has the same protection as their postal mail and the documents they store in the cloud have the same protections as documents they store in their desk drawer. Discriminating against digital data could discourage further innovation in cloud services and undermine the public’s confidence in new technology. Congress should reform ECPA this year, without a special exception for the SEC.
