In 1986, it would have been strange to keep an email for longer than six months. First of all, not that many people—10 million, maybe, compared to hundreds of millions today—had email accounts. And for those that did, keeping email that long would have been a luxury, an egregious use of limited storage space. Service providers didn’t have space to keep back-ups of old emails on their servers: They deleted them.
That was the world in which Congress first legislated what access law enforcement could have to email and other electronic communications, when it passed the Electronic Communications Privacy Act. And in that world, it seemed perfectly reasonable to give fresh emails—communications younger than 180 days—strong legal protections, while worrying less about emails that hung around for longer than six months.
The result is that, under current law, government officials don’t need a warrant to get access to all those old emails you’ve archived, ignored, deleted, or let hang out forever in your inbox. And if they subpoena your email, they can get all of them—not just the ones that might be relevant to their investigation. Just think about David Petraeus, Paula Broadwell and Jill Kelley: they learned the hard way how broad law enforcement’s leeway is to dig around in email accounts.
Civil liberties and Internet privacy advocates have been pushing for years to reform ECPA, the bill that covers all this access, which was last updated in the post-9/11 PATRIOT Act. In the last session of Congress, Sen. Patrick Leahy (D-VT) put together a reform bill and shepherded it through a key Senate committee; Now, both the House and Senate have already begun to push for a new law.
On Tuesday, Rep. Bob Goodlatte (R-VA), the chairman of the House Judiciary Committee, said at a hearing on ECPA that reforming the law was one of the committee’s “top priorities,” and on the Senate side, Leahy and Sen. Mike Lee (R-UT) together introduced their new version of ECPA reform.
At the House hearing, there was broad agreement among representatives on the right and left, and from the witnesses, that ECPA could use an update. The law, said Rep. Jim Sensenbrenner (R-WI), who was chairing the hearing, is “like having a national highway policy drafted in the 19th century.” But Congress still needs to figure out what, exactly, a new version of the law would look like.
At the hearing, though, not all of the witnesses had particularly specific answers for that question. Orin Kerr, a expert on computer crime law, identified five problems with the current law but did not, initially, suggest particular fixes. Elana Tyrangiel, representing the Department of Justice, said that there was something to the idea of requiring warrants in order to access email but argued that there was also a need for ”contingencies for certain, limited functions for which this may pose a problem.” Her written testimony laid out a host of situations in which her department would like to be able to subpoena service providers, particularly for civil investigations, such as civil rights violations, environmental harms, or tax evasion. But on many points, she told the committee that the DOJ didn’t have a specific position yet and was eager to collaborate to hammer out the best answer. Richard Salgado, Google’s director of law enforcement and information security, didn’t say anything much more specific in his testimony than that the law “must be updated to help encourage the continued growth of the cloud and our economy.”
The witness with the clearest idea of what changes should be made was Richard Littlehale, from the Tennessee Bureau of Investigation, who was there to speak to state government interests. Littlehale wasn’t as gung-ho as the other witnesses about the need to strengthen the privacy provisions in ECPA. What he wanted, mostly, was for any ECPA reform to contain provisions that would compel service providers to respond more quickly and predictably to law enforcement requests for information and for the new bill to contain exceptions that would allow law enforcement quick access to the information they wanted in emergencies. He also said, though, that Congress should be careful about making the job of law enforcement any harder.