Is Your Email Protected?
March 30, 2016
Email Privacy Protections Lax at Federal Level, but State, Private Solutions Picking Up Slack
In 1986, when most people had yet to even hear the word “Internet,” the U.S. Congress passed a law, the Electronic Communications Privacy Act (ECPA), granting Americans broad privacy protections in their online communications.
Back then, computer storage space was comparatively expensive, and accessing online networks generally required initiating a slow dial-up connection. For these reasons, email was stored on users' computers, not in the “cloud” – i.e., service providers' web-accessible servers – as is common practice today. Email applications would by default remove emails from the server as soon as they had been safely retrieved to the user's hard drive, thereby freeing up strictly-limited server-side space and leaving email accessible while offline.
It was with these norms in mind that the ECPA was written. The law requires federal law enforcement agencies to obtain a warrant before they seize emails from third-party servers – but only for emails less than 180 days old. Emails older than 180 days on third-party servers are considered “abandoned” under the ECPA, and law enforcement requires only a subpoena or court order to obtain them – a much lower barrier.
That was not an issue in 1986, when email could reasonably be considered abandoned when left intact on third-party servers for six months. But that is clearly not the case today. With the cost of hard drive space having dropped steeply and steadily, the vast majority of email accounts have server-side storage limits so large as to make it unnecessary ever to delete a single email. Thus, most email users today have messages dating all the way back to the creation of their accounts, and just six months' worth of those communications are protected by the strict legal standard of a warrant.
Senator Patrick Leahy (D-VT) has tried for years to amend the ECPA to require government agencies to have a warrant in order to access any electronic communications on third-party servers, regardless of when they were received. His current amendment, co-sponsored by Senator Mike Lee (R-UT), was recently approved in April by the Senate Judiciary Committee, which Leahy chairs.
The bipartisan bill has also attracted the attention and support of a wide range of businesses and interest groups from across the political spectrum. Tech giants Google, Apple, Facebook, and others, together with organizations such as the U.S. Chamber of Commerce, Tea Party group FreedomWorks, and the Electronic Frontier Foundation signed onto an open letter to the Senate in July urging the passage of the Leahy-Lee bill, S. 607.
The letter also expressed strong opposition to a proposal by the Securities and Exchange Commission (SEC) that it and other federal civil law enforcement agencies be specifically exempted from the stricter standards the amendments would enact. In an April letter to Senator Leahy, SEC Chairman Mary Jo White pointed out that the Commission's investigations are far more successful when evidence is obtained via an administrative subpoena issued to a third-party internet service provider (ISP), as opposed to the actual target of the investigation. The Commission would be “foreclosed,” White says, from obtaining emails from ISPs if it – a civil agency – were held to the standards of the Federal Rules of Criminal Procedure. Instead, White proposes that the SEC and similar agencies be permitted “in appropriate circumstances” to obtain emails directly from ISPs “upon satisfying a judicial standard comparable to the one that governs receipt of a criminal warrant.” Implicit in White's request is the notion that all emails – not just those over 180 days old – might be obtainable by civil agencies under these circumstances, leaving that information even more vulnerable in some cases than it is now.
The effects of this proposal, were it made into law, are not lost on the signatories of the July letter, which points out that when the target of an investigation is served a subpoena requiring that they turn over certain documents, they are permitted to carefully control the production so as to exclude irrelevant or privileged material. On the other hand, ISPs, being unable to determine relevance or privilege, would be forced to hand over all data attached to a user account. Moreover, the target of the investigation would have no opportunity to object.
As of this writing, the full Senate has not taken up the Leahy bill for debate and a vote, but public pressure continues to mount to reform the antiquated law. In the meantime, ISPs and their customers who would rather not cough up potentially sensitive data are finding legal shelter in a Sixth Circuit Court ruling in the 2010 case U.S. v. Warshak. The court held that the Fourth Amendment prohibited the Department of Justice (DOJ) from obtaining emails using a subpoena or court order. Many ISPs are citing Warshak in support of their refusal to hand over data without a warrant, and indeed, Chairman White cited the case as having “greatly impeded” the SEC's use of administrative subpoenas in its investigations.
State legislatures are also taking steps to better protect privacy absent federal action. In June, Texas Gov. Rick Perry signed a law strengthening the protection of emails from state and local law enforcement. And in May, Montana created a law protecting not only emails, but also cellphone location data – a first in the nation. Maine passed laws protecting cell phone text messages and location data – the latter after overriding the governor's veto. And lawmakers in New York, Florida, and Massachusetts are expected to take up the issue in their upcoming legislative sessions.
For those with a pressing need to protect their emails from prying eyes, publicly-available tools such as PGP offer email encryption strong enough to be practically immune to “brute force” attacks – that is, attacks made through sheer computational force absent a compromised key. The benefit of encrypted email comes at the cost of some convenience. It requires an agreement between the sender and recipient to use a particular encryption protocol and a familiarity with how to use the protocol on the part of both users.
After twenty-seven years, Americans' privacy in their electronic communications may be on the verge of a much-needed upgrade. In the meantime, attorneys can make their clients aware of the shortcomings of the laws in place today and should consider learning about encryption for their most sensitive emails.