The House Judiciary Committee Tuesday debated HR 699, the Email Privacy Act (EPA), which would update the Electronic Communications Privacy Act (ECPA) to, among other things, require the government to get a warrant to access emails, social media posts and other online content stored by Internet Service Providers and other email service providers—like Google.
Reforming ECPA has been a priority for Committee chairman Bob Goodlatte (R-Va.). He said ECPA remains necessary, but that it must be modernized and the proper balance between privacy and access struck.
Both sides agree that ECPA needs updating, including requiring a warrant, but how to do it is the sticking point.
One side of the argument are law enforcement agencies that say the law as written would tie their hands and does not have sufficient carve-outs for extraordinary circumstances, and civil agencies that lack the ability to secure criminal warrants. On the other side are communications companies that say requiring full protection of a warrant to Internet content personal communications better aligns the law with the current state of digital storage technology.
In his testimony, Richard Salgado, director of law enforcement and information security at Google—he oversees the company’s' response to government requests for information—pointed out that the bill had 304 co-sponsors, more than any other pending bill in Congress, and has the support of the Digital Due Process coalition (DDP), of which Google is a member along with more than 100 others.
He said that while ECPA was "foresighted" when it was adopted in 1986, but in 2015 it "frustrates users reasonable expectations of privacy" an expectation that content stored online should have the same Fourth Amendment protections—from search and seizure—as do documents stored in their desk drawers.
Salgado also said the bill would help combat the misperception around the world that data stored in the U.S. is there for the government taking.
Throwing a little cold water on the bill was Andrew Ceresney, director of the Enforcement Division of the U.S. Securities and Exchange Commission.
He said that while there were ways to update ECPA, the bill in its current form "poses significant risks to the American public by impeding the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct."
Ceresney said there were ways to strengthen the law without frustrating law enforcement. He said that SEC may need information from ISPs. The SEC can't seek a criminal warrant, so if that became the standard the SEC would not have authority to collect information, and would encourage ponzi schemers and inside traders to be non-cooperative in document production.
He said ECPA should be updated, and there should be judicial redress for an individual before an ISP is compelled to produce information, but civil law enforcement should still have limited access to content.
The SEC has not subpoenaed ISPS in the past several years as Congress has tried to hammer out how they apply to online content.
Steven Cook, president of the board of the Association of Assistant United States Attorneys said the importance of the Stored Communications Act (SCA) portion of ECPA, which gives them access to stored e-mails, was that it could mean the difference between returning a child alive to their parents and not doing so or stopping a terrorist.
He said EPA does not recognize well-established exceptions to the warrant requirement. He also takes issue with the notice requirements in the bill that would require the government to inform third parties--such as the subjects of ongoing investigations--of the e-mail provider warrant for their info.
He said criminals have unlimited access to information and that law enforcement needs access too, consistent with privacy practices. He said requiring the warrant was, well, "unwarranted."
The law enforcement witnesses on the panel were in agreement on two things: ECPA needs updating, but EPA went too far and tied the hands of law enforcement.
"A probable cause standard may well be appropriate for access to evidentiary content on private servers," said Richard Littlehale, assistant special agent in the Tennessee Bureau of Investigation, "but we do not believe it is in the interest of justice to create a new statutory framework that affords that evidence more protection that it would receive in the real world simply because it is digital."
He said "exigency and consent" exceptions to the warrant standard should be allowed.
Rep. John Conyers (D-Mich.) said the government should be obligated to show probable cause before an Internet Service Provider discloses content from its customers.
Chris Calabrese, with the Center for Democracy and Technology, agreed. He urged swift passage of the bill. The technology has changed, but the law has not, he said, creating a privacy loophole that cannot be filled by patchwork fixes.
He said civil agencies--like the SEC--are trying to "blow a hole" in privacy protections. Imagine if the IRS had these powers when it was investigating Tea Party members he said, clearly looking to strike a chord with the Republican leadership of the committee. He said that kind of overreach EPA is meant to prevent.
He said it is critical for the committee to pass the bill to cure a "constitutional defect" in ECPA.
Goodlatte asked Salgado how the bill would impact Congress' ability to get access to information through a subpoena for information stored in the cloud by an executive branch member per its oversight responsibilities. Salgado said he did not know and Goodlatte said he would like to get an answer.