At the dawn of the personal computing and networking age, Congress passed a law that regulates when the government may access personal content stored not on our own hard drives—which is protected by the Fourth Amendment—but on the servers of private companies. While it was the result of thoughtful foresight, the law is in desperate need of updating, given the rapid rise of cloud computing and users’ expectation that their private communications and other documents will remain private regardless of where they are stored. Now legislation to update the law is pending in Congress, and it has broad bipartisan support. But progress has been stalled by civil agencies maneuvering for an unprecedented power grab.
The Electronic Communications Privacy Act, passed in 1986, requires the government to obtain a warrant, based on probable cause and signed by a judge, to access private messages—including emails, social media messages, text messages, and voice mails—that are up to 180 days old and stored by online service providers.
The statute, however, allows the government to access private messages older than 180 days with an administrative subpoena. This means that the government need only prove that these older communications are relevant to an investigation, which is a much lower legal standard for the government to meet than probable cause. The government may also access private documents such as photos, diary entries, financial statements, or medical records that users might upload to cloud storage providers like Dropbox with an administrative subpoena regardless of their age.
Congress crafted the strange structure of ECPA before it could imagine the wealth of personal information that would be stored on companies’ servers rather than on our own devices’ hard drives due to the drop in the cost of cloud storage, the rise of mobile computing, and the changing habits of a whole new generation that grew up with the Internet.
In 2010, a federal appeals court considered the constitutionality of the ECPA rules. The 6th U.S. Circuit Court of Appeals ruled in United States v. Warshak that the government violated the Fourth Amendment when it obtained emails stored by an online service provider without a warrant under the statute. Since then, the majority of companies have followed Warshak and required that the government show up with a warrant before they will turn over any personal content stored in the cloud, regardless of age. While the Warshak decision was a good one and has changed industry practice, the court’s interpretation of the Fourth Amendment technically does not have national applicability. That would take a Supreme Court decision—and the odds of one are low. So Congress is considering a pair of bills that would codify Warshak and create a warrant requirement for any government entity that seeks personal content stored in the cloud: the Electronic Communications Privacy Act Amendments Act (S. 356), championed by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, and the Email Privacy Act (H.R. 699), championed by Reps. Kevin Yoder, R-Kansas, and Jared Polis D-Colorado.
The legislation has significant bipartisan support. In Congress, S. 356 has 25 co-sponsors and H.R. 699 has 306 co-sponsors, significantly more than the 218 votes needed to pass the House. The Obama administration supported ECPA reform in its 2014 “big data” report while then–Attorney General Eric Holder expressed his support for a warrant-for-content requirement in 2013. The bills are also supported by a diverse coalition of privacy groups, companies and industry associations, and academics.
ECPA reform legislation is ready for a vote, but Congress has been sidetracked. The Securities and Exchange Commission, representing the interests of civil agencies, vehemently opposes ECPA reform legislation and is demanding more power than it has today. Civil agencies lack the authority to issue warrants, so under ECPA as currently worded, they may not access private messages that are up to 180 days old stored by online service providers (though they may access private messages older than 180 days and other documents with an administrative subpoena). And under Warshak as applied, they may not access any personal online content whatsoever.
Yet the agency testified at a Senate Judiciary Committee hearing in September that it wants the power to easily access personal content stored by online service providers, albeit with notice to the account holder so that he or she may “challenge the request in a judicial proceeding.”
The SEC has been vague about what legal standard its “requests” would have to meet. Warrants must be based on probable cause that the individual’s emails or other content contain evidence of a crime, and the government must present specific facts under oath before a judge supporting the assertion of probable cause. Notice to account holders would be good (they do not get to challenge warrants before they are issued by a judge), but whatever legal standard the SEC envisions for its “requests” is surely lower than probable cause. It’s probably relevance, which is the extremely low and hugely broad legal standard for subpoenas.
Should Congress create a loophole in ECPA reform legislation for the SEC and other civil agencies, personal privacy would be significantly threatened. During the Senate Judiciary Committee hearing in September, Sen. Mike Lee called attention to a risk of carving out such expansive authority for civil agencies: Criminal law enforcement agencies will use civil agencies as proxies to get around the warrant requirement—meaning that a civil agency could use the lower legal standard to access personal content stored by online service providers and then share that content with criminal investigators.
Moreover, it’s far from clear that civil agencies have a problem at all. In April, the SEC chairwoman testified that the agency does not even use existing administrative (i.e., investigative) subpoena authority to access personal content stored by online service providers. Instead, it seeks emails directly from individuals. And the Federal Trade Commission admitted the same thing during the Senate Judiciary Committee hearing in September.
If Congress is entertaining amendments to the two bills under consideration, it should consider how they can be improved to better protect the privacy of Americans. Two additions in particular would vastly improve the legislation: The government should also have to obtain a warrant before accessing location information generated by mobile devices, and there should be a suppression remedy, meaning that if the government violates the law, a criminal defendant can have the illegally obtained evidence thrown out of court.
The Fourth Amendment unquestionably protects our private correspondence and other documents stored in our homes or offices, and even on our own hard drives. Congress must pass a clean ECPA reform law without loopholes that protects personal content stored by online service providers the same way—with a warrant. Given the rise of cloud-based communications and storage, it no longer makes sense that privacy rights should hinge on where personal content is stored.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.
