Congress has bandied about reforming the Electronic Communications Privacy Act (ECPA) for years, but there’s suddenly momentum to get something done in 2015. The Email Privacy Act (H.R. 699) introduced by Congressmen Kevin Yoder (R-KS) and Jared Polis (D-CO) in February currently has 287 cosponsors, the second highest total of any bill in the House. The House Judiciary Committee, under whose jurisdiction ECPA lies, will be holding a hearing and/or a markup of the bill sometime soon, likely in September.
ECPA reform is badly overdue because the law simply doesn’t jibe with the realities of modern email. The original law was passed way back in 1986, when email was still a nascent technology, and deemed all emails over 180 days old to be “abandoned.” Memory was at such a premium in 1986 that emails over 180 days old barely existed, and thus this provision wasn’t an issue at the time, but things have changed significantly over the last 29 years.
Under ECPA, law enforcement and government agencies can acquire abandoned emails from an email provider without a warrant; they need only a subpoena, which requires a much lower burden of proof. This presents a significant problem for email service providers who want to protect the privacy of their users, particularly smaller providers.
The Sixth Circuit Court of Appeals ruled in a 2010 case that, under the 4th Amendment, law enforcement must use a warrant to acquire these emails from providers, but that ruling hasn’t stopped law enforcement from trying to get them through subpoenas. At this point, most larger email providers do not comply with subpoenas from law enforcement, but smaller providers may not have this information. Further, given that this is just one circuit court’s decision, a conflicting decision from another court could upend the law. Congress thus needs to pass ECPA reform and close this loophole on 180+ day old emails.
Support for the Email Privacy Act is bordering on unanimous these days, but there are still some hang-ups on potential amendments that could derail the bill. The first of these is building in an exception for civil agencies (particularly the SEC), which do not have the ability to issue warrants. Such an exception would destroy the benefits gained by ECPA reform, as it would erode privacy by codifying new powers that civil agencies do not currently have. Civil agencies can still get to emails through normal channels, by serving subpoenas on users, not service providers. The SEC even testified in April that it does not currently obtain emails from service providers.
The second potential hurdle is the question of codifying an emergency exception. Under current practice, a government entity may request digital content from providers by declaring an emergency situation. Email providers can then decide, based on the circumstances, whether or not to comply. However, there appears to be a push to require providers to comply any time the government declares it to be an emergency. This has dangerous potential for abuse, especially when a company like Google is already complying with ~75% of emergency requests. Email providers do not want to be responsible for derailing an investigation into a legitimate emergency situation, but requiring providers to comply with all “emergencies” means that all a government entity needs to do to get information is to claim an emergency.
These two amendments to the Email Privacy Act would seriously weaken a much-needed change to an outdated law. ECPA reform is necessary to protect the privacy of Americans and to ensure that email users trust their providers to protect that privacy. To ensure this is carried out properly, Congress should not further amend the Email Privacy Act and weaken the privacy protections it will put in place.