Senate panel mulls update to email access rules

Law enforcement access to email communications is covered by the nearly three-decade old law that applies different standards for emails stored on user computers or stored remotely, to emails that are older than 180-days, or remain unopened.

Many of the provisions of the Electronic Communications Privacy Act were rendered inoperable by a federal court ruling in 2010, and there is widespread support to update the 1986 law to create a level playing field for communications stored in the cloud. Per the law, an agency can collect the content of older, previously opened, or remotely stored emails from a provider without a search warrant issued by a judge on the basis of probable cause. In practice, after some of ECPA's provisions were unconstitutional, the FBI and federal law enforcement in general has been adhering to the stricter warrant standard.

Still, the legislation itself remains on the books, like a bit of legacy code that can't be expunged.

Sen. Mike Lee (R-Utah), a lead sponsor of legislation that would update ECPA, has been backing a modernization since arriving in the Senate more than four years ago.

"I appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on," Lee said at a Sept. 16 hearing of the Senate Judiciary Committee.

Lee's Senate bill, co-authored with Sen. Patrick Leahy (D-Vt.), has 23 cosponsors, and a companion measure in the House has attracted 292 backers, more than enough to pass the bill outright.

The tech sector wants change. Technology trade associations like the Software Alliance, the Software and Information Industry Association, the Computer and Communications Industry Association, and the Information and Technology and Industry Association have all backed the Lee-Leahy bill, in large part because current rules require cloud providers and ISPs to act as a kind of gatekeeper for adjudicating legal requests, and does not require providers to offer notice to customers.

Preserving the status quo

But it's not clear sailing for the legislation, in part because the Obama administration is pushing back against some provisions of the bill, arguing that the warrant requirements would hamstring civil enforcement agencies that lack the authority to issue warrants.

Elana Tyrangiel, principal deputy assistant attorney general, is all for leveling the way remote and locally stored emails are treated. But she warned in her testimony that if new legislation imposing a blanket warrant requirement were passed, "civil investigators enforcing civil rights, environmental, antitrust, and a host of other laws would be left unable to obtain stored communications content from providers."

Other federal regulators have equities they'd like to see preserved or even expanded in an ECPA rewrite. The Federal Trade Commission wants to be able to obtain stored commercial material that was once used in advertising or promotion, for the purpose of making fraud cases. The Securities and Exchange Commission is concerned that the absence of a provision to compel ISPs and other providers to release stored email communications on the basis of a court order that falls short of a warrant could lead to individual targets of investigations flouting administrative subpoenas.

Some on the Judiciary Committee concurred in this line of thinking. Sen. Sheldon Whitehouse (D-R.I.) said that the warrant requirement could "make some civil frauds and racketeering potentially uninvestigable, if the target has done a good enough job of hiding his traces."

Leahy noted that a revised ECPA might not mean much to the SEC, the FTC, and the civil divisions of the Justice Department. "We want these agencies to be effective, but they must abide by the same constitutional constraints that apply to everyone else," he said. "They have not been able to obtain emails without a warrant because of the 2010 federal court ruling, and our bill would not alter that status quo."

Some compromise to give access to civil enforcers appears probable. Committee Chairman Chuck Grassley (R-Iowa) told reporters after the hearing that he didn't have a timetable yet to markup the bill, much less secure time for a debate and vote on the Senate floor.

"We are beginning discussions to see if we can find a balance between law enforcement and privacy," Grassley said. When a similar measure was approved by the Judiciary Committee in the previous Congress, Grassley as ranking member on the committee noted in the bill report that "more consideration is needed with regard to the bill's removal of a valuable tool from civil regulatory agencies, which rely on administrative subpoenas to obtain email communications when investigating insider trading, accounting fraud, and false or misleading statements made by companies about their financial situations."

It's also possible that an ECPA reform effort could be expanded to include some other pressing law enforcement data issues, such as access to data stored by U.S. companies on servers located abroad.