House lawmakers on Tuesday grilled representatives from federal agencies, law enforcement and prosecutors over their request for “carve-outs” to a bill aimed at reforming a 30-year-old law giving the government access to Americans’ 6-month-old emails.
The House Judiciary Committee convened Tuesday to hear testimony from public agencies and private companies on the Email Privacy Act — legislation to update the 1986 Electronic Communications Privacy Act (ECPA)’s provision allowing law enforcement to subpoena Americans’ emails after they’re 180-days old.
A bipartisan supermajority of more than 300 House members support the legislation, introduced two years ago by Kansas Republican Rep. Kevin Yoder, over measures requiring agencies to establish a probable cause and obtain a criminal warrant to access emails, as well as notify a subscriber they’re the subject of an investigation.
Regulators, investigators and attorneys say those reforms will diminish a valuable tool and make it significantly more difficult to obtain evidence and keep the subjects of investigations off guard, and testified to lawmakers on the need for exceptions to the new rules, especially in emergency cases.
Several committee members, including Wisconsin Republican and USA Freedom Act author Rep. Jim Sensenbrenner made it clear he believed the government isn’t entitled to anymore “carve-outs” in regard to Americans’ Fourth Amendment privacy protections.
“Even under ECPA as it was written almost 30 years ago the SEC could only subpoena email content after it was older than 180 days,” Sensenbrenner told Andrew Ceresney, enforcement director at the Securities and Exchange Commission — one of the agencies seeking exceptions to the bill.
“Aren’t you asking this committee to expand a legal authority that was found unconstitutional in the more limited form?” Sensenbrenner asked in reference to a 2010 Sixth Circuit Court ruling, United States v. Warshak, when the court found warrantless government demands to Internet service providers for consumer emails in violation of the Fourth Amendment.
“We are not,” Ceresney said before Sensenbrenner jumped in.
“Why aren’t you? Because you would like to be able to issue subpoenas on email content that’s less than 180-days old.”
“We would defer if Congress decided,” Ceresney started before the Wisconsin representative cut him off.
“No, no, no, no, the thing is I think the court has decided, and you’re not happy with the court’s decision, and what you’re testimony says is that you’d like to expand something that’s already been held unconstitutional,” Sensenbrenner said.
The Wisconsin Republican went on to ask Ceresney if it was truthful to testify the SEC would lose enforcement power as a result of the Email Privacy Act since his agency admitted to not using the authority after the 2010 Warshak ruling.
“I think this is a slam dunk for Congress to make a determination,” Sensenbrenner continued. “Because we already have something that everybody seems to think is OK except a few people who would like to expand the dragnet.”
Georgia Republican Rep. Doug Collins took issue with a claim by Tennessee Bureau of Investigation Special Agent Richard Littlehale that certain ISPs never provide records without a legal process no matter the circumstance, countering the narrative by Google and others that they voluntarily share information when they identify a potential threat.
“Can you identify the service providers that have a policy of categorically rejecting emergency requests in the absence of compulsory legal process?” Collins asked.
“I’ve made a decision not to identify in the examples that I give specific providers because I don’t want to highlight a vulnerability in a public forum,” Littlehale said.
“You can submit that in a non-public forum, but I’m really concerned here we’re making a categorical statement without categorical proof,” Collins continued.
“You said in your testimony, ‘Providers make a decision never to provide records in the absence of legal process no matter the circumstance.’ That’s a very direct statement against the business practices of Internet providers. Is it true? Is it not true? Do you have evidence? Or do you not have evidence?”
“I have been told that by providers, yes,” Littlehale maintained.
“Well I was told that there was a Santa Claus but I found out real quickly there wasn’t,” Collins said.
The Center for Democracy and Technology’s vice president of policy, Chris Calbrese, said lowering the standard for a subpoena to a civil, rather than criminal standard, as requested by investigators, would invite more access into Americans’ private data, stored in greater abundance in the digital realm rather than the physical today.
“We’re talking about a much lower standard, a much greater number of ways we can access information,” Calabrese said. “That means that we’re potentially opening up the cloud to much greater invasion by civil agencies, even than we would by criminal agencies, and I think that’s exactly backwards.”
Texas Republican and author of several pieces of anti-surveillance legislation Rep. Ted Poe likened the issue to mailing a letter, and said emails and ISPs shouldn’t be subject to any less protection than a letter traveling via the Post Office.
“It makes no sense to me that the right of privacy is protected for six months, but it’s not protected more than six months,” Poe said. “And when we enter the digital age, I don’t buy the argument, ‘Well, we’re in the digital age, you’ve got to give up some of your constitutional rights,’ so we can have government investigate things, whether its civil investigation, whether its criminal investigation.”
The issues of encryption — thrust back into the spotlight in the wake of the Paris attacks — and storing data overseas also came up, with Paul Rosenzweig of Red Branch Consulting, a homeland security consulting group, and Richard Salgado, director of law enforcement and information security at Google, agreeing carve-outs like those proposed Tuesday would push more people to adopt encryption and move data outside the U.S., making communications even more difficult for investigators to obtain.
“To the extent this Congress does not take steps to protect that privacy by law, encryption is essentially citizens engaging in self-help,” Rosenzweig said. “Encryption is an idea, it’s a mathematical truth, it’s not suppressible, so if we do not regularize access through things like the proposal before you that will provide comfort to citizens, they’re going to engage even more, I think, in self-help.”
“I think that’s a natural consequence of the misimpression that U.S. government has such easy access to the data of providers,” Salgado added. “It’s not true, and this bill will help make it clear, and help prevent the fleeing of users to other services based on this misperception.”