The Electronic Frontier Foundation’s (“EFF’s”) March 18, 2013 article reported on the “first hearing in what many . . . hope will be a successful update to the archaic Electronic Communications and Privacy Act (“ECPA”) in this year’s Congress.” In his press release, Senator Leahy, said he had “worked to make sure . . . updates” to the ECPA “carefully balance privacy interests, the needs of law enforcement and the interests of [the] thriving American tech sector.” Senator Lee added that “the Fourth Amendment was meant to protect” private information stored in “digital filing cabinets.”
Senators Leahy and Lee introduced S. 607: Electronic Communications Privacy Act Amendments Act of 2013 (“S. 607”) which, among other things, establishes “a search warrant requirement in order for the government” to acquire the “content of . . . emails . . . when those communications are stored with a third-party service provider.” (see The Leahy-Lee Electronic Communications Privacy Act Amendments Act for a summary of amendments.) Subsequently, in an April 24, 2013 letter to Senator Leahy, Chairperson Mary Jo White (“Chairperson White”), of the Securities and Exchange Commission (“SEC”) expressed her concerns about proposed updates to the ECPA. In her letter, Chairperson White asked Senator Leahy to consider the negative impact that S. 607 would have on the SEC’s “enforcement efforts . . . .”
The 27 year old ECPA, an EFF article explained, “allows the government to argue that private online messages older than 180 days are not protected by the Fourth Amendment and that the government can access the messages without a warrant.” The Sixth Circuit Court of Appeals, however, held in U.S. v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010) (“Warshak”) that the use of an ECPA Section 2703(b) subpoena or court order to obtain the contents of emails violated the Fourth Amendment’s prohibition against warrantless searches. Chairperson White claimed that S. 607’s codification of the Warshak decision would hinder the SEC’s investigations because the SEC would have to obtain consent from the “entity being investigated” in order to get email content “directly from ISPs.”
In a May 30, 2013 memo, distributed to the ABA’s Administrative Law and Regulatory Practice Section, Greg Nojeim (“Nojeim”), with the Center for Democracy and Technology (“CDT”), strongly disagreed with Chairperson White’s assessment that codifying the warrant requirement would limit the SEC’s ability to conduct investigations. Nojeim expressed concern that the SEC wanted to “get documents from service providers without giving the target an opportunity to cull the records for relevancy, assert any privilege, or otherwise raise any objections.
In her letter to Senator Leahy, Chairperson White explained that the SEC “frequently seeks to obtain the contents of emails” in order to carry out its mandate. And without the Section 2703(b) authority to subpoena an ISP directly, she argued, the SEC would not be able to obtain critical evidence (e.g. deleted, not produced, or otherwise unavailable emails.). Nojeim countered, in his memo, that “regulatory agencies [including the SEC] already have substantial power to identify user accounts, freeze those accounts to prevent destruction or alteration, and use subpoenas served on the account owner to force disclosure.” He argued that Chairperson White’s concerns are already addressed under current law. For example, 18 USC 2703(f) requires an ISP, upon the request of a government entity, to take all necessary steps to preserve records in its possession pending the issuance of a court order or other process.
Chairperson White concluded her letter by urging Senator Leahy to consider a “better balance between privacy interests and the protection of investors.”“[I]n appropriate circumstances and with court approval,” she recommended continued authority for the SEC to obtain emails directly from ISPs. Alternately, Nojeim argued that passing S. 607 was the best way to allow the SEC to determine the “existence of possibly relevant information,” so then subpoenas could be “served on . . . subscribers to actually obtain the content.” To allow the SEC to obtain emails directly from ISPs, Nojeim concluded, would be “unnecessary, . . . diminish privacy, [and] threaten proprietary information . . . .” Nojeim welcomes input from interested parties at email@example.com or 202-407-8815.
Finally, the EFF is “glad to see ECPA reform robustly moving” and “with bills in both houses of Congress the future of ECPA reform is bright.” The EFF believes that “users should be guaranteed the same rights in their virtual lives as they are in their physical lives” and encourages interested parties to tell “Congressmen to support reform.” Many are looking forward to the eventual modernization of this dated privacy law.
This post was originally published on the legacy ABA Section of Administrative Law and Regulatory Practice Notice and Comment blog, which merged with the Yale Journal on Regulation Notice and Comment blog in 2015.