A Response to Law Enforcement Concerns with Email Privacy
By Jadzia Butler
Texas Insider Report WASHINGTON D.C. The Email Privacy Act (H.R. 699) is finally on its way to markup in
the House Judiciary Committee. With over 300 cosponsors it is the most popular piece of legislation that has yet to receive a vote. Its no wonder its so popular the commonsense notion that our
30-year-old Electronic Communications Privacy Act (ECPA) should be updated
to reflect the technological innovations that have taken place since 1986 is one that
even Republicans & Democrats in Congress can agree on.
If the Email Privacy Act becomes law the protections from unreasonable searches and seizures afforded to our private letters files and homes in the physical world will finally apply to our digital world too:
Law Enforcement will be required to obtain a warrant based on probable cause before accessing our private communications such as emails as well as documents pictures and other information stored in the cloud.
Were in the home stretch and weve waited long enough. Congress must pass and the President must sign the Email Privacy Act. However some groups continue to express concern that the Act will pose too great a burden to law enforcement. One of those groups is
the FBI Agents Association (FBIAA) which recently released a letter voicing their criticism of the Act.
Below are CDTs responses to each of their concerns:
Concern #1: H.R. 699 Creates Obstacles to Law Enforcement
Notification Procedures
The FBIAA is concerned that the Acts notification procedures which require that a target be given a copy of the warrant and a description of the nature of the law enforcement inquiry within 10 days could hinder investigations result in administrative and technical errors and pose a potential threat to public safety. However the Acts notice requirements are very similar to those that already exist in the physical world and the Act preserves the same exceptions to current notice requirements that law enforcement officials rely on today (for example notice can be delayed if it could lead to the destruction of evidence).
Current law already requires that targets be provided with a description of the nature of the law enforcement inquiry in the case of notice that has been delayed; the Email Privacy Act simply applies the same requirement to regular notice as well. It makes no sense to say when notice need not be delayed because the criteria for doing so arent met (because notice would not seriously jeopardize an investigation) that disclosing the nature of the inquiry would somehow be more problematic than at the end of a delayed notice period. In fact the bill is already more friendly to law enforcement than currently warrant requirements in the physical world.
When someones home is searched they receive immediate notice. Here notice is delayed for 10 days allowing law enforcement a second chance to seek a delay of notice if its warranted.
In addition the FBIAA is concerned that limiting delayed notification to 180 days could undermine investigations that take more than 180 days to complete. However notice can be delayed in 180-day increments as many times as needed. In fact the bill doubles the period during which notice can be delayed from 90 days under current law (see 18 U.S.C. 2705(a)(1)(A)) to 180 days. This is an improvement for law enforcement.
Moreover unlike current law the Act requires providers to notify law enforcement of their intent to inform a customer of the existence of a warrant seeking their information before doing so which should mitigate the risk of administrative and technical errors.
Americans digital content often contain the most sensitive private aspects of their lives from purchase orders and health information to love letters and political or religious communications and often dates back years. A covert search of a citizens inbox by the government like a covert search of a persons home is one of the most invasive searches possible. It directly contradicts the values at the heart of the Fourth Amendment and must only be done out of absolute necessity. The Acts notice provisions are critical to preserving our rights as citizens in the digital world and should not as the FBIAA suggests be removed.
Exceptions to the Warrant Requirement
The FBIAA expressed concern that
H.R. 699 does not contain any exceptions to the warrant requirement which could pose risks to investigations that are uniquely time-sensitive. However the Act does not need to contain explicit exceptions because such exceptions already exist under current law and the bill does not remove them. Specifically the Act preserves all of the exceptions that the FBIAA suggested should be included in the bill:
Voluntary disclosure by providers in case of an emergency (18 U.S.C. 2702(b)(8));- Voluntary disclosure by providers with consent (2702(b)(3));
- Publicly available information there is no warrant requirement for information that is currently publicly available;
- To/From Information there is no warrant requirement in the bill or in current law for to/from information from emails. Such information can be obtained with a court order issued under 2703(d) (which are issued under a lower standard) or with a warrant. If obtained with either the same exceptions to the warrant requirement apply (2702(c)); and
- Mandatory disclosure of child pornography to the National Center for Missing and Exploited Children under 18 U.S.C. 2258A (as referenced in 2702(b)(6)).
Although the Act introduces a warrant requirement for electronic content (regardless of the age of that content) it still preserves the exceptions to the warrant requirement that currently exists today.
Remote Computing Services
The FBIAA criticized the Act for creating new warrant requirements for information held by
Remote Computing Services (RCSs) which they believe will make it unnecessarily difficult" for law enforcement to obtain the information they need. However the warrant requirement must be expanded to reflect the fact that more information is being stored in the cloud than ever before (in 2014 it was estimated that the amount of data stored in the cloud would reach 3.77 zettabytes by this year).
Consider the types of information you keep stored in the cloud instead of your devices so that you can free up space and access your data everywhere you go:
- your Google docs
- your photos
- your calendars and
- your music playlists for example
Not requiring a warrant for these items because of the way in which they are stored yet requiring a warrant for email simply does not make sense.
Some have argued that incidental collection of content such as a persons name might be swept up into the RCS" category under the Act which would render information like airline reservations subject to the warrant requirement. However this concern mischaracterizes what an RCS is and how they are identified. Whether or not an entity counts as an RCS has always been contingent on their role with respect to handling data (as in whether they are holding a persons information as a source of off-site storage).
An airline for example collects passengers information not as a source for storage but as means for booking airline tickets. Merely collecting such information does not convert an airline into an RCS. This is consistent with guidance from courts and legal scholars such as Orin Kerr (see page 9: A provider can act as an RCS with respect to some communications an ECS with respect to other communications and neither an RCS nor an ECS with respect to other communications.")
Applying the warrant requirement to RCSs reflects the reality of this day and age: we are creating more digital content than ever before and wish to access that content on several devices. As a result of the need for additional space and flexibility the amount of sensitive information stored in the cloud will only continue to grow.
Concern #2: H.R. 699 Should Ensure Access to Electronic Evidence
Law Enforcement & Going Dark"
Given that Congress rarely acts on electronic privacy issues the FBIAA argued that updating ECPA would be a good opportunity to solve what they perceive to be a going dark" problem and suggested that Congress take steps to ensure" that technology companies allow for access to electronic data (when lawful). CDT along with the many privacy and civil liberties advocacy groups technology companies and academics believes that encryption and security go hand-in-hand.
A government mandate requiring companies to build a backdoor" into encryption for surveillance which the FBI has suggested would put users at the mercy of hackers identity thieves and malicious governments as well as impose heavy costs on US businesses. Moreover as a recent study from Harvards Berkman Center pointed out the government is not actually going dark" at
all. Our world is becoming increasingly connected from our smartphones and iPads to our cars and thermostats. As a result we are always on."
We live our lives online which has made more data about us available and given the government more tools to obtain and analyze that data than ever before. Given our ever-increasing vulnerability to cyber attacks Congress should be working to strengthen encryption not weaken it.
Aside from CDTs strong feelings about the so-called going dark" issue there simply is not enough time to resolve this contentious debate in the context of the Email Privacy Act. Nor is anyone saying that we should weaken the standards for accessing communications. In fact FBI Director Comey said in recent testimony that the FBI seeks warrants for all email (see Comey testimony page 69).
Requiring Service Provider Cooperation
The FBIAA believes that H.R. 699 does not adequately address the need for service providers to cooperate with law enforcement requests by providing timely responses and they suggest requiring providers to develop internal mechanisms that designate at least one individual to be a 24/7 point of contact for law enforcement. However providers are already giving extensive assistance to law enforcement in order to help them meet their needs.
Some of the larger providers already have public manuals that identify points of contact who may be available 24/7. If their assistance is not timely law enforcement can bring a provider into court and get a court order compelling their assistance within a set period of time. In fact courts issuing warrants have the authority without any change in the law to require a response from the provider by a specific date. Although timely" assistance is obviously important what constitutes timely" can vary from context to context.
As a result CDT opposes putting a shot clock" of any kind on all providers regardless of circumstance because doing so would require them to prioritize less important information just because the clock" on that information is about to run out.
The FBIAA also suggests that Congress amend § 2709 which governs the issuance of National Security Letters (NSLs) to require providers to hand over all electronic communications transaction records" when requested by law enforcement officials. Electronic communication transaction records" is not a defined term but based on previous attempts by the FBI to amend ECPAs NSL provision we can assume that it includes email to/from information and URLs of websites visited.
These types of information are precisely the kinds of more sensitive information that CDT and many other civil liberties groups have agreed should be available to the FBI only with a court order not through the NSL process which does not require judicial authorization. Rather than making sensitive transaction records available through the NSL process other less-sensitive transaction data could be made available instead such as records of session times and durations subscriber number or identity (including temporary IP addresses) and means of payment such as credit card numbers. Beyond that such an amendment to § 2709 would mark a radical of expansion in the FBIs authority to issue National Security Letters and obtain sensitive data without judicial oversight.
The Email Privacy Act would make long-overdue reforms official. It is a good bill that effectively balances the needs of law enforcement with the expectations of privacy that users understandably have about the wealth of information that they now store online as opposed to in a filing cabinet.
CDT applauds the House Judiciary Committee for finally taking action and encourages Members to pass the Act as written
without delay.
Jadzia Butler is the Privacy Surveillance & Security Fellow at the Center for Democracy & Technology. Her work focuses on the right to privacy in the Digital Age the relationship between national security objectives & civil liberties and ways the government and the private sector can respond to evolving cybersecurity threats.
