Senate panel mulls update to email access rules


Law enforcement access to email communications is covered by the nearly three-decade old law that applies different standards for emails stored on user computers or stored remotely, to emails that are older than 180-days, or remain unopened.

Many of the provisions of the Electronic Communications Privacy Act were rendered inoperable by a federal court ruling in 2010, and there is widespread support to update the 1986 law to create a level playing field for communications stored in the cloud. Per the law, an agency can collect the content of older, previously opened, or remotely stored emails from a provider without a search warrant issued by a judge on the basis of probable cause. In practice, after some of ECPA's provisions were unconstitutional, the FBI and federal law enforcement in general has been adhering to the stricter warrant standard.

Still, the legislation itself remains on the books, like a bit of legacy code that can't be expunged.

Sen. Mike Lee (R-Utah), a lead sponsor of legislation that would update ECPA, has been backing a modernization since arriving in the Senate more than four years ago.

"I appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on," Lee said at a Sept. 16 hearing of the Senate Judiciary Committee.

Lee's Senate bill, co-authored with Sen. Patrick Leahy (D-Vt.), has 23 cosponsors, and a companion measure in the House has attracted 292 backers, more than enough to pass the bill outright.

The tech sector wants change. Technology trade associations like the Software Alliance, the Software and Information Industry Association, the Computer and Communications Industry Association, and the Information and Technology and Industry Association have all backed the Lee-Leahy bill, in large part because current rules require cloud providers and ISPs to act as a kind of gatekeeper for adjudicating legal requests, and does not require providers to offer notice to customers.

Preserving the status quo

But it's not clear sailing for the legislation, in part because the Obama administration is pushing back against some provisions of the bill, arguing that the warrant requirements would hamstring civil enforcement agencies that lack the authority to issue warrants.

Elana Tyrangiel, principal deputy assistant attorney general, is all for leveling the way remote and locally stored emails are treated. But she warned in her testimony that if new legislation imposing a blanket warrant requirement were passed, "civil investigators enforcing civil rights, environmental, antitrust, and a host of other laws would be left unable to obtain stored communications content from providers."

Other federal regulators have equities they'd like to see preserved or even expanded in an ECPA rewrite. The Federal Trade Commission wants to be able to obtain stored commercial material that was once used in advertising or promotion, for the purpose of making fraud cases. The Securities and Exchange Commission is concerned that the absence of a provision to compel ISPs and other providers to release stored email communications on the basis of a court order that falls short of a warrant could lead to individual targets of investigations flouting administrative subpoenas.

Some on the Judiciary Committee concurred in this line of thinking. Sen. Sheldon Whitehouse (D-R.I.) said that the warrant requirement could "make some civil frauds and racketeering potentially uninvestigable, if the target has done a good enough job of hiding his traces."

Leahy noted that a revised ECPA might not mean much to the SEC, the FTC, and the civil divisions of the Justice Department. "We want these agencies to be effective, but they must abide by the same constitutional constraints that apply to everyone else," he said. "They have not been able to obtain emails without a warrant because of the 2010 federal court ruling, and our bill would not alter that status quo."

Some compromise to give access to civil enforcers appears probable. Committee Chairman Chuck Grassley (R-Iowa) told reporters after the hearing that he didn't have a timetable yet to markup the bill, much less secure time for a debate and vote on the Senate floor.

"We are beginning discussions to see if we can find a balance between law enforcement and privacy," Grassley said. When a similar measure was approved by the Judiciary Committee in the previous Congress, Grassley as ranking member on the committee noted in the bill report that "more consideration is needed with regard to the bill's removal of a valuable tool from civil regulatory agencies, which rely on administrative subpoenas to obtain email communications when investigating insider trading, accounting fraud, and false or misleading statements made by companies about their financial situations."

It's also possible that an ECPA reform effort could be expanded to include some other pressing law enforcement data issues, such as access to data stored by U.S. companies on servers located abroad.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected