Louisa Marion

On Tuesday, March 19, 2012, the Obama Administration took a significant step toward increasing user privacy when the Department of Justice dropped its long-standing opposition to a warrant requirement before government officials can obtain content stored in the Cloud. Testifying before the U.S. House Judiciary Subcommittee on Crime, Terrorism, Homeland Security, and Investigations, Acting Assistant Attorney General Elana Tyrangiel commented on possible reforms to the Electronic Communications Privacy Act (“ECPA”), and particularly the controversial provisions of the Stored Communications Act (“SCA”) (18 USC 2701 et seq.) which govern when the Government may compel third-party service providers like Google, Microsoft, and Twitter to disclose the contents of stored electronic communications. C-Span’s video coverage of the hearing is available here.

The SCA was enacted in 1986, well before widespread cloud computing made long-term storage of user content by third-party providers the norm. Currently, its provisions permit government authorities to compel a third-party service provider to disclose user content that has been stored on its servers for less than 180 days only pursuant to a court-issued warrant supported by probable cause. By contrast, unopened emails and content stored for more than 180 days may be compelled with a subpoena or a court order, neither of which requires a finding of probable cause by a neutral judicial officer. Critics have long charged that the SCA creates arbitrary and outdated distinctions among categories of digital content, a point which, in a surprising turn last week, the Obama Administration conceded. Ms. Tyrangiel stated: “[T]here is no principled basis to treat email less than 180 days old differently than email more than 180 days old,” or to afford different protections to opened and unopened emails. Moreover, the Justice Department agreed, there is “appeal” and “considerable merit” to proposals to “require law enforcement to obtain a warrant based on probable cause to compel disclosure of stored email and similar stored content information from a service provider.”

The Justice Department nevertheless tempered its support for the search-warrant approach with the caveat that “Congress [must] consider contingencies for certain, limited functions for which this may pose a problem”—such as for civil litigators and regulators enforcing various laws that do not carry criminal penalties (and therefore for which criminal search warrants are not available). Although government agencies enforcing, for example, civil rights, antitrust, or environmental laws retain the ability to issue civil subpoenas seeking content information directly from the subscriber, this power may be insufficient, Ms. Tyrangiel asserted, where a subscriber is a bankrupt corporation, a deceased individual, or a target “tempted to destroy [his or her] communications rather than turn them over.” Moreover, the Justice Department argued, as government investigators of civil and criminal corporate misconduct have historically been able to obtain the contents of hard-copy corporate business records from a corporation without a warrant, the SCA should not create greater hurdles for electronic records than exist for hard-copy records. That is, where a corporation is serving as its own email service provider, the warrant requirement should not extend to the contents of its corporate email.

The Justice Department’s comments come on the heels of repeated calls for reform to ECPA, and, as the Washington Post reported on March 19, 2013, have been met with “cautious optimism by privacy advocates and civil liberties groups,” who say the Administration has offered “a starting point for a compromise in a debate that has endured for more than a decade.”

Importantly, the playing field for such a compromise is set. Sen. Patrick Leahy (D-VT) has named updating ECPA as his “top privacy priority for the 113th Congress,” and on Tuesday, March 19, introduced a bipartisan bill in the Senate (S. 607) that would eliminate the 180-day rule and opened/unopened email distinction, require a warrant for all content disclosures, and require notice to a subscriber within ten days of a content disclosure unless a court order permits delayed notification. The bill, co-sponsored by Sen. Mike Lee (R-UT), also addresses (in part) the Justice Department’s concerns about civil discovery subpoenas and internal corporate email, providing that civil discovery subpoenas may be used to compel disclosure of certain non-content information, and making clear that the government may subpoena a corporation for the contents of emails sent by or to its employees and agents over the corporation’s internal email server.

On March 6, 2013, Representatives Zoe Lofgren (D-Calif.), Ted Poe (R-Texas), and Suzan DelBene (D-Wash.) introduced an even more pro-privacy rights bill in the House of Representatives. In addition to increasing protections for stored communications, the Online Communications and Protection Act (H.R. 983) would prohibit government interception and provider disclosure of a subscriber’s geolocational information, unless a warrant is obtained or certain exceptions apply. An additional bipartisan bill targeting geolocational privacy was introduced in the Senate and the House on March 21, 2013.

It is clear that the Justice Department’s change of position—even with all of its caveats—could not come soon enough. The astronomic proliferation of personal content being stored in the Cloud—from emails to Twitter feeds, Skype chats, Facebook posts, DropBox contents, Flickr streams, and online banking materials—demands reconsideration of what level of government access is proper. Service providers such as Google, Twitter, and Microsoft report that the Government is increasingly seeking access to user content and other information, and frequently without a warrant—requests that these companies have tried to narrow or deny on uncertain legal ground. Although one Circuit court has concluded that the SCA’s provisions permitting warrantless searches of emails sent through or stored by a commercial ISP are unconstitutional, the Supreme Court has not yet spoken on the issue. ECPA reforms that set forth a clear standard requiring a warrant before the Government may access stored electronic content will help service providers determine what information they may and must disclose, will increase user confidence in the security of information they place in the Cloud, and will reduce litigation about the admissibility of evidence obtained from a third-party service provider.

However, it is clear that the road to reform will not be an easy one. As commentators have noted, corporations and industry groups will likely object to the Justice Department’s insistence that the warrant requirement not be extended to corporate-provided email. Others will object to a carve-out for government regulators, who may seek content directly from subscribers. Finally, the Justice Department’s silence on a warrant requirement for geolocational data signals that additional debate can be expected on that issue as well. However lively that debate, it appears that momentum is finally growing for ECPA reform this Congressional term.