Privacy and limited government groups in the Digital 4th Coalition say it is imperative that Congress update the 1986 Electronic Communications Privacy Act (ECPA) to better protect cloud-stored e-mails held by ISPs from government surveillance, and without any harmful amendments that would give federal agencies like the SEC a carve-out from those heightened protections.
That came in a press conference in advance of a hearing Sept. 16 in the Senate Judiciary Committee on legislation—the ECPA Amendments Act—that would extend privacy protections to e-mails over 180 days old. There is a similar E-Mail Privacy Act pending in the House.
Currently, older e-mails have a lesser standard for government access than newer e-mails. The current bills would require a probable cause warrant to access third-party e-mails older than 180 days, just as it is required for those newer than 180 days.
On the conference call with reporters were Gabe Rottman, legislative counsel for the American Civil Liberties Union; Lou Mejia, former chief litigation counsel at the SEC; and Morgan Reed, executive director of Act: The App Association. Each took turns talking about the need for the heightened protections.
Rottman said that when the law was passed, Congress was focused on intercepting e-mails but that now, the bigger privacy concern is for all that data that can be stored in the cloud. He said the lesser protection for older e-mails was an artificial distinction and an "obsolete and dangerous" loophole for privacy that must be closed ASAP.
"It is crucially important that Congress move swiftly to pass ECPA reform," he said.
Slated to testify at the hearing is Andrew Ceresney, current director of the Enforcement Division at the SEC, who is expected to argue that civil agencies should still get to operate under that lesser standard for older e-mails.
Mejia said he did not accept the anticipated argument that heightening the standard would harm SEC efforts to enforce securities laws.
"That is really not the case," he said. Mejia said that getting the information on older e-mails was still possible by going "directly to the source" through subpoenas of the specific users or that user's entire circle of friends. They can also issue preservation requests to ISPs to prevent those individuals from deleting the information, and still get non-content information from service providers. "They can still get the information," he said, adding that that was what he did when he was at the SEC.
Mejia said the SEC suggestion of a bill carve-out that would require something less than a warrant for civil agencies would not work because the Supreme Court has said you can't have different standards for different agencies, and because, as a practical matter, it would "eviscerate the warrant requirement for law enforcement authorities" since SEC and Justice often share info. So there could be a situation where DOJ could not get a warrant, but SEC could get the information on a lesser standard and share that with Justice.
Offering a business perspective, Reed said that if Congress does not act, app developers trying to grow their businesses internationally will not be able to provide a satisfactory answer to the question: "What happens to my data?" If the company cannot provide a straightforward answer that makes sense, "we lose that business, which means we lose jobs and opportunities to innovate."
He said that other companies are trying to grab app business from the U.S. by pointing to the uncertainty about data. "We are losing to competitors because they can answer the question: 'How are you handling our data?'"
Separately, the Institute for Policy Innovation added its voice for ECPA reform, calling the legislation "an urgent and necessary step to uphold Americans’ Fourth Amendment rights guarding against warrantless search and seizure of electronic data."