In 1986, it would have been strange to keep an email for longer than six months. First of all, not that many people—10 million, maybe, compared to hundreds of millions today—had email accounts. And for those that did, keeping email that long would have been a luxury, an egregious use of limited storage space. Service providers didn’t have space to keep back-ups of old emails on their servers: They deleted them.
That was the world in which Congress first legislated what access law enforcement could have to email and other electronic communications, when it passed the Electronic Communications Privacy Act. And in that world, it seemed perfectly reasonable to give fresh emails—communications younger than 180 days—strong legal protections, while worrying less about emails that hung around for longer than six months.
The result is that, under current law, government officials don’t need a warrant to get access to all those old emails you’ve archived, ignored, deleted, or let hang out forever in your inbox. And if they subpoena your email, they can get all of them—not just the ones that might be relevant to their investigation. Just think about David Petraeus, Paula Broadwell and Jill Kelley: they learned the hard way how broad law enforcement’s leeway is to dig around in email accounts.
Civil liberties and Internet privacy advocates have been pushing for years to reform ECPA, the bill that covers all this access, which was last updated in the post-9/11 PATRIOT Act. In the last session of Congress, Sen. Patrick Leahy (D-VT) put together a reform bill and shepherded it through a key Senate committee; Now, both the House and Senate have already begun to push for a new law.
On Tuesday, Rep. Bob Goodlatte (R-VA), the chairman of the House Judiciary Committee, said at a hearing on ECPA that reforming the law was one of the committee’s “top priorities,” and on the Senate side, Leahy and Sen. Mike Lee (R-UT) together introduced their new version of ECPA reform.
At the House hearing, there was broad agreement among representatives on the right and left, and from the witnesses, that ECPA could use an update. The law, said Rep. Jim Sensenbrenner (R-WI), who was chairing the hearing, is “like having a national highway policy drafted in the 19th century.” But Congress still needs to figure out what, exactly, a new version of the law would look like.
At the hearing, though, not all of the witnesses had particularly specific answers for that question. Orin Kerr, a expert on computer crime law, identified five problems with the current law but did not, initially, suggest particular fixes. Elana Tyrangiel, representing the Department of Justice, said that there was something to the idea of requiring warrants in order to access email but argued that there was also a need for ”contingencies for certain, limited functions for which this may pose a problem.” Her written testimony laid out a host of situations in which her department would like to be able to subpoena service providers, particularly for civil investigations, such as civil rights violations, environmental harms, or tax evasion. But on many points, she told the committee that the DOJ didn’t have a specific position yet and was eager to collaborate to hammer out the best answer. Richard Salgado, Google’s director of law enforcement and information security, didn’t say anything much more specific in his testimony than that the law “must be updated to help encourage the continued growth of the cloud and our economy.”
The witness with the clearest idea of what changes should be made was Richard Littlehale, from the Tennessee Bureau of Investigation, who was there to speak to state government interests. Littlehale wasn’t as gung-ho as the other witnesses about the need to strengthen the privacy provisions in ECPA. What he wanted, mostly, was for any ECPA reform to contain provisions that would compel service providers to respond more quickly and predictably to law enforcement requests for information and for the new bill to contain exceptions that would allow law enforcement quick access to the information they wanted in emergencies. He also said, though, that Congress should be careful about making the job of law enforcement any harder.
There are specific ideas for reform out there, though. The Digital Due Process Coalition, of which Google is a member, supports the idea that law enforcement should have access to electronic communications “only with a search warrant issued based on probable cause.” Same for the location information that cellphones are now constantly collecting. The coalition also wants the government to jump through more hoops before providers have to hand over information like the contents of “to” and “from” email fields. The ACLU wants the same reporting requirements that apply to wiretaps to apply to electronic surveillance requests as well as a prohibition on using illegally obtained electronic information in court.
As the bill works its way through Congress, though, this push for reform will face off against pressure from law enforcement to retain as much legal wiggle room as possible. Groups that push for Internet privacy think the Leahy-Lee bill released this week is a good start: The ACLU said in a statement that it supports the bill, and the Center for Democracy and Technology called Leahy and Lee a “Dream Team.” The bill eliminates the distinction between emails older and younger than 180 days and requires a warrant for government agencies to obtain emails and other communications from service providers. But Leahy started out with a very similar bill last session and faced pressure from law enforcement to include exceptions for a host of government agencies to access emails, Google Docs, and other communications without a warrant. It’s always difficult for legislators to make it harder for law enforcement officials to do their jobs—even if there’s broad agreement that rules that they’re currently operating under are as outdated as eight-track tapes.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.