Preserving Email Privacy Requires Closing a Loophole, and Not Creating Another
In 1986, as email was just starting to become a consumer product, Congress passed the Electronic Communication Privacy Act (ECPA) based on a simple concept: Americans’ private papers, whether hard copy or electronic, should be protected from government search without a warrant. A broad spectrum of civil libertarians, technology experts, and businesses united to create ECPA to apply this principle as law, and apply it across government. Any government entity, whether it is the FBI, local law enforcement, or a civil agency, should not be able to access your emails if it doesn’t have a warrant. Sadly, some in government now want to change that principle we strove for.
After almost 30 years, ECPA is long overdue for a “systems update.” The way we use technology has changed, and the law limiting government access to your private use of technology needs to change to. In a the modern world where we use hundreds of phone apps to access not just emails but also electronic bank records, medical data, and private photos in the cloud, the law should be clear and up to date.
This is important because ECPA contains a 180-day exception to the warrant requirement. At the time this exception made sense because in 1986 online inboxes could only hold a few emails, and those older than 180-days were considered “abandoned.” But now with mass cloud storage it’s common to archive years of emails online, turning the 180-day rule into a pernicious loophole. Upholding the principle ECPA was created for requires closing this loophole.
Congress is preparing to do just that with the Email Privacy Act, legislation that would end this unintended problem by removing the 180-day exception. Unfortunately, the Securities and Exchange Commission (SEC) is trying to take this opportunity to expand its power. The SEC is calling for an exception in the reform legislation that both flies in the face of the principle ECPA was founded upon, and concocts a revisionist history. The SEC is asking for a “civil agency carve out” to ECPA’s warrant requirement.
Such a carve-out – which includes all civil agencies – fundamentally goes against the principle ECPA was created for: no one in government should be able to access your private emails without a warrant, just like no one in government can access your private letters. The SEC says it needs this “carve out” because the Email Privacy Act is taking away a power it’s long had. This is simply untrue – the Email Privacy Act is restoring civil agencies power to what it was when ECPA passed, and ending an unintended temporary gap of privacy protection.
Civil agencies only attained the ability to access emails without a warrant when technological advance began to support mass cloud storage of email in the 2000’s, letting it (as well as law enforcement) exploit the 180-day loophole in ECPA permitting warrantless access to old emails. And even since then, the SEC has been asked and failed to provide a single case where using this loophole has proven to be critical to an agency investigation. We’re not taking away civil agencies’ power – we’re leaving them with the same power they had in the 1980’s and 1990’s when emails were frequently used, but not archived in the cloud, and the same power they had when letters were sent by fax and postage.
Civil agencies have functioned from their inception until the rise of cloud-based email storage without warrant-free access to our private communications, and they can do so now. And granting civil agencies the power to warantlessly grab emails risks law enforcement using this exception as a “backdoor,” encouraging civil agencies to begin investigations that are then expanded to include criminal charges after emails are accessed without a warrant.
Congress should enact ECPA reform in a manner that follows its original goal – give all our emails proper privacy protection – not codify an invasive power for all civil agencies that they’ve only briefly possessed because of a legislative loophole and unforeseen technology. A complete fix to ECPA, without a new loophole or exception, is critical to restoring Americans’ privacy rights.