Many of us are familiar enough with the constitutional protections that prevent the police from walking into your house and going through your things without a warrant. Given these protections from warrantless searches, it may be surprising to learn that the government can force your internet service provider (ISP) to turn over any and all emails that are at least 6 months old, without a warrant.
The Electronic Communications Privacy Act was passed in 1986, long before email communication became a regular part of our daily lives. This acted as an update to the 1968 Federal Wiretap Act. Back in 1986, electronic mail users were mainly limited to the military, university students, and academic professionals. Now, according to one estimate, there are more than 2.5 billion worldwide email users. Lawmakers are finally realizing that this long-outdated approach to email privacy is sorely in need of an update.
The House Judiciary Committee is considering a new bipartisan bill, the Email Privacy Act, which would require government investigators to get a search warrant before they could access an individual's emails. The bill, introduced by Kansas Republican Kevin Yoder, and Colorado Democrat Jared Polis has broad support, with over 300 lawmakers co-sponsoring the measure. Privacy advocates and tech companies are also pushing for passage of an updated email privacy law.
As Democratic Representative Suzan DelBene put it, “When current law affords more protection for a letter in a filing cabinet than an email on a server, it's clear our policies are outdated.” DelBene also noted that “advances in technology and the Internet have dramatically changed the way we communicate, live and work. In this constantly evolving world, Congress must ensure our laws at least keep pace.”
Some case law has already come out in support of email privacy. In United States v. Warshak, a Sixth Circuit Court of Appeals decision, the court found that government agencies violated Fourth Amendment privacy protections with warrantless email searches, finding that they must obtain a proper search warrant before demanding email service providers turn over email messages.
Google's Gmail is the world's largest email service provider with more than 900 million active users, is one supporter of the Email Privacy Act. Richard Salgado, Google's director of law enforcement and information security, has stated the company already follows the email search interpretation put forth in the Warshak decision. “We require a search warrant in all instances when law enforcement seeks to compel us to disclose the contents of Gmail accounts,” said Salgado.
During the House Judiciary Committee hearing, Salgado urged passage of federal legislation for consistent and uniform application of the warrant requirement. “By creating inconsistent privacy protection for users of cloud services and inefficient and confusing compliance hurdles for service providers,” said Salgado, “ECPA has created an unnecessary disincentive to move to a more efficient, more productive method of computing.”
However, not everyone is on-board with codifying updated email privacy measures. The Securities and Exchange Commission (SEC) opposes such measures, because as a civil enforcement agency, they do not have the ability to obtain criminal search warrants. According to the SEC's director of enforcement, Andrew Ceresney, the bill “poses significant risks to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct.”
Some lawmakers question the real impact the Email Privacy Act would have on civil enforcement agencies. The SEC can already access emails without a warrant by going through a traditional subpoena process, which a court can enforce if the party refuses to submit proper responses. Additionally, since the Warshak decision, the SEC and other agencies have continued to be able to prosecute their cases.