SEC, DOJ And Law Enforcement Want To Rewrite Email Privacy Law Update... In Their Favor
from the updated-for-government-needs-and-wants dept
The SEC (Securities and Exchange Commission) has been fighting much-needed updates to the ECPA (Electronic Communications Privacy Act) for a few years now, claiming that treating old email like new email would somehow strip it of its power to investigate and punish wrongdoing. For no discernible reason, legislators decided to treat electronic mail like physical mail, designating unopened emails over six months old "abandoned" and accessible by almost anyone using nothing more than a subpoena.
Moving the law towards logic would insert a warrant requirement for old emails, bringing them under the same protection as emails less than 180 days old. But it's not just the SEC that's resistant to changing the law. It's also local law enforcement and the DOJ itself, both of which have greater powers than the SEC when it comes to accessing electronic communications.
The most recent hearing featured testimony from the SEC, DOJ and, for no discernible reason, the Tennessee Bureau of Investigation. The consensus is that the law should be updated, but not that part of it (SEC) and only if it makes it easier for law enforcement to obtain more stuff without warrants (DOJ, TBI).
The SEC's argument against the introduction of a warrant requirement is that it would prevent the agency from obtaining other user data from ISPs using only a subpoena, glossing over the fact that it likes having warrantless access to tons of email.
When we conduct an investigation, we generally will seek emails and other electronic communications from the key actors via an administrative subpoena – a statutorily authorized mechanism for gathering documents and other evidence in our investigations. In certain instances, the person whose emails are sought will respond to our request. But in other instances, the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct. In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.As is (sort of) admitted in the SEC's testimony, the current law provides more protection for physical documents than electronic ones. However, SEC Director Andrew Ceresney spins this as an argument against modifying the ECPA.
It is at this point in an investigation that we may in some instances, when other mechanisms for obtaining the evidence are unlikely to be successful, need to seek information from the internet service provider (ISP). H.R. 699 would require government entities to procure a criminal warrant when they seek the content of emails and other electronic communications from ISPs. Because the SEC and other civil law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather evidence, including communications such as emails, directly from an ISP, regardless of the circumstances.
Some have asserted that providing civil law enforcement with an ability to obtain electronic communications from ISPs in limited circumstances would mean electronic documents enjoy less protection than paper documents. That is not accurate. Indeed, as currently drafted, H.R. 699 would create an unprecedented digital shelter – unavailable for paper materials – that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.The DOJ and Tennessee Bureau of Investigation also express alarm at the proposed rollback of subpoena powers, but they use the kidnapping of children, rather than financial misconduct, as their starting points.
While the DOJ admits the 180-day cutoff period makes very little sense, it suggests no fixes along those lines. Instead, it suggests warrant exceptions for Pen Register statutes (information about communications) be aligned with those in the Wiretap Act (the communications themselves) so DOJ agencies can acquire the data along with the communications when operating a wiretap. It makes a certain amount of sense, but it's actually just the DOJ asking for the less-stringent set of exceptions (tied to the Wiretap Act, believe it or not) to be applied across the board.
It also asks for legislators to better define what can be accessed with certain orders to eliminate "inconsistency" in judge behavior.
The Fifth Circuit has interpreted this provision to require a court to issue a 2703(d) order when the government makes the “specific and articulable facts” showing specified by § 2703(d). See In re Application of the United States, 724 F.3d 600 (5th Cir. 2013). However, the Third Circuit has held that because the statute says that a § 2703(d) order “may” be issued if the government makes the necessary showing, judges may choose not to sign an application even if it provides the statutory showing. See In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). The Third Circuit’s approach makes the issuance of § 2703(d) orders unpredictable and potentially inconsistent; some judges may impose additional requirements, while others may not.(Hey, judicial inconsistency isn't much fun for defendants, either.)
Once again, the DOJ is looking for a less-stringent standard to be applied, rather than truly looking to bring this law into the 21st century. Its plea for "technologically-neutral" handling of communications data is similarly focused on applying a lower standard to the acquisition of communications, no matter their source.
The Tennessee Bureau of Investigation, on the other hand, argues that an updated ECPA would put too much power in the hands of ISPs and other entities responsive to law enforcement warrants and subpoenas.
H.R. 699 goes far beyond the commonly stated goal of modernizing ECPA by requiring a search warrant for all stored content. In fact, it creates protections for a wider range of stored electronic evidence that could pose a greater hindrance to law enforcement than protections afforded evidence stored on a computer inside a house or office. Searches in response to ECPA process are performed by service providers, not by law enforcement officers, and H.R. 699 extends the notice provisions previously necessary only with lesser levels of process like subpoenas along with the probable cause standard. The end result is that law enforcement has to get a search warrant to access more evidence, and must bear the added burden of notice requirements that were previously limited to lesser process, without the benefit of controlling the execution of the warrant.Apparently, any increase in difficulty -- no matter its relation to the Fourth Amendment -- is unacceptable.
Because H.R. 699 in its current form imposes burdens that will make our job harder without offering any relief in other areas, we urge the committee not to pass H.R. 699 without amending the bill to reflect greater sensitivity to the concerns of the state and local law enforcement community. When we have to get a warrant, it should mean something; right now, H.R. 699 turns the compulsory process of a search warrant into a subpoena with a higher proof requirement.The Bureau's Richard Littlehale further lays out his argument for lowered requirements by claiming entities being served with legal paperwork have been less than helpful in the past.
In many instances, we are unable to utilize evidence that would be of enormous value in protecting the public because the technologies used to carry and store that information are not accessible to us, no matter what legal process we obtain. That may be because of technological problems, but just as frequently it is because of non-technical barriers to access. The companies that retain these records are often unable or unwilling to respond to law enforcement’s lawful demands in a timely manner, and there are few consequences for an incomplete or inaccurate response. The primary emergency disclosure provision in the section of ECPA that we use to obtain stored content is voluntary for the providers, not mandatory, and even where emergency access is granted to law enforcement, in some instances, there is insufficient service provider compliance staff to process legitimate emergency requests quickly.Littlehale's argument appears to be a paraphrasing of Pat Paulsen's satirical campaign slogan: if we (law enforcement) have to up our standards, up theirs! He apparently feels ISPs, etc. don't face enough legal penalties for not immediately handing over everything law enforcement demands, whether they have the capability to do so or not. Littlehale wants warrant service under a modified ECPA to more closely resemble warrant service at a residence: where cops announce their presence after they've entered and destroyed everything they touch in search of evidence. He can't handle the fact that private entities maintain control of digital communications sought and that his agency (and others) must approach them (rather than drive up on their lawns and shoot grenades through their windows) with the proper paperwork and wait until responsive information is gathered and turned over.
Much like the DOJ and the SEC, Littlehale doesn't want an updated law. He wants a law rewritten to treat digital communications like physical communications, bringing the barrier to access and the expectation of privacy down to the lowest level possible. That's what is really being discussed here. Not a rewrite of an outdated law to reflect the reality of modern communications, but ways to make an already law enforcement-friendly law even friendlier.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, doj, ecpa, reform, sec, warrants
Reader Comments
Subscribe: RSS
View by: Time | Thread
For want of a warrant the case was lost...
However, their near fanatical aversion to creating paper-trails of what they are doing, and demands of every possible scrap of data 'just in case' is why they are having so much trouble. Solve those two issues, and things will be much better for all.
[ link to this | view in thread ]
Minus one word ...
But enough about FOIA requests ....
[ link to this | view in thread ]
[ link to this | view in thread ]
Make our jobs harder
Hey - I get stuff from our management that make my job harder on a regular basis. I don't get to lobby to change the law - I just have to klive with it. Why should they be any different!
(Especially as it seems that in this case there is a good reason for it. Most of the things I have to put up with don't even have that.)
[ link to this | view in thread ]
Yeah, right. Even if they would agree to have that in place initially, they would probably push for an update of that law 5 years later where the warrant is no longer necessary "because it makes their job harder" or something stupid like that.
[ link to this | view in thread ]
SEC access didn't produce any convictions
The SEC had plenty of email and SMS data from all of the banksters without warrants.
Since they didn't "use it" then, then "lose it" now.
What is the point of having all of this power, if you never use it for *good* during the biggest fraud scandal in a century?
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
I thought a constitutions amendment was needed.
[ link to this | view in thread ]
Too easy to bypass can't believe they are even trying
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: For want of a warrant the case was lost...
You'd be surprised at how much paperwork (even digital copies on PC/laptop/notebook) law enforcement has to fill out to take a case to court. If you've heard of a case being dismissed "due to technicality(ies)": that usually means at least one form filled wrong or even missing. Same with physical evidence: missing or wrong forms or even the actual evidence missing can get a case dismissed, even if one knows the defendant is guilty.
And that can happen even if a warrant was issued!
[ link to this | view in thread ]
Simple Solution
In times past, there was (and still is) a system called POP3. The normal path for POP3 email is that it gets downloaded to the client and then is deleted from the server the instant that happens. One can elect to keep the messages on the server, but most clients default to delete after download.
The solution is simple: use POP3 email with delete after download enabled, and discontinue web-based email systems. Yes, it will be a bit less convenient in that only one computer should be accessing the messages (because once downloaded and read it gets deleted from the server), but no email will remain on the server for the gummint to seize or snoop into. So, in this case, the security increase is worth a little less convenience.
.
[ link to this | view in thread ]
Volunteer State
[ link to this | view in thread ]
Re: Re: For want of a warrant the case was lost...
...proving to our client that we did what we said we did.
Paperwork is important, people.
[ link to this | view in thread ]