The Electronic Communications Privacy Act (ECPA) has guided law enforcement’s collection of emails for three decades. In that time, the processing and location of emails has changed, many people have objected to the use of warrantless email searches, and some government entities were poorly served.
Today, emails are usually not stored on consumers’ computers. They are generally stored in providers’ cloud storage, so an email search typically involves cooperation from an electronic communications provider.
There is widespread sentiment supporting a requirement for a judicially-issued warrant before law enforcement can demand emails from a service provider. Indeed, the fourth amendment describes the public’s protection in these processes as “no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
The fourth amendment probably motivates the 86 percent of voters who want Congress to update ECPA. Similar enthusiasm for an upgrade to ECPA has led to 305 House co-sponsors for the successor law, called Email Protection Act.”
ECPA drew complaints from the Federal Trade Commission and the Securities and Exchange Commission who were condemned to seek evidence through subpoenas because civil agencies cannot request criminal warrants. Subpoenas are addressed and served to the owner of the evidence. That greatly increases the risk that an owner of the needed evidence would alter or destroy the evidence upon awareness of the subpoena. Sadly, the destruction of email evidence is not uncommon.
ECPA allowed other agencies to obtain warrants form a judge merely by filing an affidavit of probable cause, or in the case of 180-day old emails, obtain those emails without a warrant. The warrant allowed a law enforcement organization (LEO) to obtain the information without notifying the information’s owner.
Even the Department of Justice (DOJ), which has subpoena authority, has made questionable requests for personal data – such as trying to get the emails of an Irish citizen living in Ireland off of a server housed in Ireland and owned by Microsoft’s Irish subsidiary. It would make a lot more sense for the DOJ to work with their overseas counterparts than to expose its multi-national U.S. corporations to potential retaliation and economic boycotts by foreign governments. Countries do not like other countries spying on their citizens and they have laws prohibiting against this activity.
ECPA also made the search authority distinctions based on how long the emails had been stored with service the provider. The Email Privacy Act abandons distinctions based on email vintage.
The Email Privacy Act is crafted to meet the needs of most law enforcement and government entities at the same time it cleans up troublesome aspects of ECPA. The two issues pivotal to meeting LEO and Government needs are the speedy issue of a court warrant, and the suitable timing of the notice given to the search target. Under some circumstances, a delay is needed in serving the required notice to the search target that his incriminating emails have been copied. The delay may help LEOs determine the identity of collaborators or the location of other evidence.
The Email Privacy Act prohibits a provider of remote computing or electronic communication to divulge to a government entity any of the public’s communications stored or maintained by the provider, with some exceptions. The exceptions outline how email searches are permitted. Governmental entities must obtain a court-issued warrant before requiring any provider to disclose the content of communications. A LEO within 10 days or a government entity within 3 days must supply the communication’s owner with a copy of the warrant and identity of the requesting government entity.
The issuance of a court warrant still requires an affidavit from the warrant requestor with a finding of probable cause. Probable cause means “sufficient reason based upon known facts to believe a crime has been committed or that certain property isconnected with a crime.”
The effectiveness of the Email Privacy Act will revolve on how well the required notice of information seizure is managed and the adequacy of the “probable cause” used to obtain the warrant. When a LEO or government entity provides probable cause to a judge, the judge should conduct a balanced, fast assessment on the adequacy of the probable cause. That may be best done by judges who handle a high volume of warrant requests. While people should be told quickly of any seizure of their private information, law enforcement effectiveness in protecting the public may on occasion need to delay that notice, perhaps for months.
The Email Privacy Act seems to be a welcome step forward in protecting our privacy without hobbling law enforcement, and Congress should act quickly on it.
Alan Daley is writes for The American Consumer Institute Center for Citizen Research, a nonprofit educational and research organization. For more information about the Institute, visit www.theamericanconsumer.org.