Just days after the largest reform to U.S. surveillance law in years took effect, lawmakers on Tuesday held a long-awaited hearing on reforming the Electronic Communications Privacy Act (ECPA). By far the most widely supported bill in Congress, the Email Privacy Act—introduced nearly two-and-a-half years ago—was the center of attention during the House Judiciary Committee hearing, and though it was clear lawmakers on the whole supported it, there is still disagreement on how best to move forward.
“Everyone on this panel agrees a warrant requirement for digital information is needed,” said Red Branch Consulting Founder Paul Rosenzweig, one of six panelists at the hearing. “It’s unbelievable we haven’t been able to work out the details of how to do that.”
At one end, civil and criminal law enforcement are concerned that parts of the proposed reforms will hurt their ability to investigate criminal activity, while at the other, the technology industry as well as privacy and civil liberties advocates are concerned that a nearly 30-year-old law is being rapidly outdated by digital technology and needs an update ASAP.
“It is undeniable that there is strong interest in aligning ECPA with the Fourth Amendment and users’ reasonable expectations of privacy,” testified Google Director of Law Enforcement and Information Security Richard Salgado. Google, which is part of the Digital Due Process Coalition, is one of more than 100 organizations that support the Email Privacy Act.
Salgado pointed out that two major developments have altered the legal landscape since he last testified about ECPA reform in March 2013: The Supreme Court ruling in Riley v. California now requires that law enforcement obtain a warrant prior to searching cellphones, and the recently codified CalECPA mandates law enforcement obtain warrants prior to compelling service providers to share user data and metadata.
However, several government agencies and law enforcement oppose reforms.
The Securities and Exchange Commission (SEC) is perhaps the most vocal civil enforcement authority opposing H.R. 699. At issue for civil law enforcement agencies is that H.R. 699 would require government entities to procure a criminal warrant prior to obtaining users’ information, a power that civil agencies do not have.
“As is currently drafted,” testified SEC Division of Enforcement Director Andrew Ceresney, “H.R. 699 would create an unprecedented digital shelter—unavailable for paper materials—that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.”
Ceresney took the most heat from lawmakers Tuesday, as several Congressmen said the SEC and other civil law enforcement agencies are overreaching into Americans’ privacy. Several lawmakers asked why the SEC had not requested any warrants from service providers since Warshak vs. United States, in which the Sixth Circuit ruled that individuals have a reasonable expectation of privacy in the content of their emails and, as such, a warrant must be required.
The Center for Democracy & Technology’s Chris Calabrese was also critical of the SEC’s arguments, pointing out that another civil agency—the Internal Revenue Service—overreached when it investigated Tea Party supporters. He said the scope of access to private data would be significantly broadened.
Rep. John Ratcliffe (R-TX) also pointed out that, according to an SEC annual report from last year, the agency “touted a record year with cutting-edge enforcement actions” and that it had successfully brought more cases than ever before. “Given the record number of cases,” he queried, “all done without encroaching the Fourth Amendment, why are you asking Congress” for more authority?
Rep. Jim Sensenbrenner (R-WI), who authored the USA PATRIOT Act, was also critical of law enforcement. “Law enforcement wants to expand the scope of what is law, while privacy advocates say the law is the law, codify it … I think this is a slam dunk” but law enforcement wants to “expand the dragnet.”
Importantly, ECPA’s effect on U.S. business was also highlighted during the hearing. The CDT’s Calabrese pointed out that ECPA creates legal uncertainty for cloud providers. Red Branch Consulting’s Rosenzweig said, “Today, emails are our private papers and cloud storage is the file cabinet of our papers.”
“You would find out more about me on the cloud than in my house,” pointed out Calabrese.
But it's not just cloud providers. Rep. Zoe Lofgren (D-CA) said, “This has an impact on American businesses. The most important technology companies in the world are based in the U.S.,” but she pointed out, perceptions around the world have grown that the U.S. government has too much access to user data processed by U.S. companies.
Google’s Salgado concurred: “This has a significant impact on the American industry. It’s no secret that this concern is held by Europe” and that user data “is there for the taking by the U.S. government.”
He added, “This bill is a good step toward ending that perception.”