SEC, DOJ And Law Enforcement Want To Rewrite Email Privacy Law Update… In Their Favor

from the updated-for-government-needs-and-wants dept

The SEC (Securities and Exchange Commission) has been fighting much-needed updates to the ECPA (Electronic Communications Privacy Act) for a few years now, claiming that treating old email like new email would somehow strip it of its power to investigate and punish wrongdoing. For no discernible reason, legislators decided to treat electronic mail like physical mail, designating unopened emails over six months old “abandoned” and accessible by almost anyone using nothing more than a subpoena.

Moving the law towards logic would insert a warrant requirement for old emails, bringing them under the same protection as emails less than 180 days old. But it’s not just the SEC that’s resistant to changing the law. It’s also local law enforcement and the DOJ itself, both of which have greater powers than the SEC when it comes to accessing electronic communications.

The most recent hearing featured testimony from the SEC, DOJ and, for no discernible reason, the Tennessee Bureau of Investigation. The consensus is that the law should be updated, but not that part of it (SEC) and only if it makes it easier for law enforcement to obtain more stuff without warrants (DOJ, TBI).

The SEC’s argument against the introduction of a warrant requirement is that it would prevent the agency from obtaining other user data from ISPs using only a subpoena, glossing over the fact that it likes having warrantless access to tons of email.

When we conduct an investigation, we generally will seek emails and other electronic communications from the key actors via an administrative subpoena – a statutorily authorized mechanism for gathering documents and other evidence in our investigations. In certain instances, the person whose emails are sought will respond to our request. But in other instances, the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct. In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.

It is at this point in an investigation that we may in some instances, when other mechanisms for obtaining the evidence are unlikely to be successful, need to seek information from the internet service provider (ISP). H.R. 699 would require government entities to procure a criminal warrant when they seek the content of emails and other electronic communications from ISPs. Because the SEC and other civil law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather evidence, including communications such as emails, directly from an ISP, regardless of the circumstances.

As is (sort of) admitted in the SEC’s testimony, the current law provides more protection for physical documents than electronic ones. However, SEC Director Andrew Ceresney spins this as an argument against modifying the ECPA.

Some have asserted that providing civil law enforcement with an ability to obtain electronic communications from ISPs in limited circumstances would mean electronic documents enjoy less protection than paper documents. That is not accurate. Indeed, as currently drafted, H.R. 699 would create an unprecedented digital shelter – unavailable for paper materials – that would enable wrongdoers to conceal an entire category of evidence from the SEC and civil law enforcement.

The DOJ and Tennessee Bureau of Investigation also express alarm at the proposed rollback of subpoena powers, but they use the kidnapping of children, rather than financial misconduct, as their starting points.

While the DOJ admits the 180-day cutoff period makes very little sense, it suggests no fixes along those lines. Instead, it suggests warrant exceptions for Pen Register statutes (information about communications) be aligned with those in the Wiretap Act (the communications themselves) so DOJ agencies can acquire the data along with the communications when operating a wiretap. It makes a certain amount of sense, but it’s actually just the DOJ asking for the less-stringent set of exceptions (tied to the Wiretap Act, believe it or not) to be applied across the board.

It also asks for legislators to better define what can be accessed with certain orders to eliminate “inconsistency” in judge behavior.

The Fifth Circuit has interpreted this provision to require a court to issue a 2703(d) order when the government makes the “specific and articulable facts” showing specified by § 2703(d). See In re Application of the United States, 724 F.3d 600 (5th Cir. 2013). However, the Third Circuit has held that because the statute says that a § 2703(d) order “may” be issued if the government makes the necessary showing, judges may choose not to sign an application even if it provides the statutory showing. See In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). The Third Circuit’s approach makes the issuance of § 2703(d) orders unpredictable and potentially inconsistent; some judges may impose additional requirements, while others may not.

(Hey, judicial inconsistency isn’t much fun for defendants, either.)

Once again, the DOJ is looking for a less-stringent standard to be applied, rather than truly looking to bring this law into the 21st century. Its plea for “technologically-neutral” handling of communications data is similarly focused on applying a lower standard to the acquisition of communications, no matter their source.

The Tennessee Bureau of Investigation, on the other hand, argues that an updated ECPA would put too much power in the hands of ISPs and other entities responsive to law enforcement warrants and subpoenas.

H.R. 699 goes far beyond the commonly stated goal of modernizing ECPA by requiring a search warrant for all stored content. In fact, it creates protections for a wider range of stored electronic evidence that could pose a greater hindrance to law enforcement than protections afforded evidence stored on a computer inside a house or office. Searches in response to ECPA process are performed by service providers, not by law enforcement officers, and H.R. 699 extends the notice provisions previously necessary only with lesser levels of process like subpoenas along with the probable cause standard. The end result is that law enforcement has to get a search warrant to access more evidence, and must bear the added burden of notice requirements that were previously limited to lesser process, without the benefit of controlling the execution of the warrant.

Apparently, any increase in difficulty — no matter its relation to the Fourth Amendment — is unacceptable.

Because H.R. 699 in its current form imposes burdens that will make our job harder without offering any relief in other areas, we urge the committee not to pass H.R. 699 without amending the bill to reflect greater sensitivity to the concerns of the state and local law enforcement community. When we have to get a warrant, it should mean something; right now, H.R. 699 turns the compulsory process of a search warrant into a subpoena with a higher proof requirement.

The Bureau’s Richard Littlehale further lays out his argument for lowered requirements by claiming entities being served with legal paperwork have been less than helpful in the past.

In many instances, we are unable to utilize evidence that would be of enormous value in protecting the public because the technologies used to carry and store that information are not accessible to us, no matter what legal process we obtain. That may be because of technological problems, but just as frequently it is because of non-technical barriers to access. The companies that retain these records are often unable or unwilling to respond to law enforcement’s lawful demands in a timely manner, and there are few consequences for an incomplete or inaccurate response. The primary emergency disclosure provision in the section of ECPA that we use to obtain stored content is voluntary for the providers, not mandatory, and even where emergency access is granted to law enforcement, in some instances, there is insufficient service provider compliance staff to process legitimate emergency requests quickly.

Littlehale’s argument appears to be a paraphrasing of Pat Paulsen’s satirical campaign slogan: if we (law enforcement) have to up our standards, up theirs! He apparently feels ISPs, etc. don’t face enough legal penalties for not immediately handing over everything law enforcement demands, whether they have the capability to do so or not. Littlehale wants warrant service under a modified ECPA to more closely resemble warrant service at a residence: where cops announce their presence after they’ve entered and destroyed everything they touch in search of evidence. He can’t handle the fact that private entities maintain control of digital communications sought and that his agency (and others) must approach them (rather than drive up on their lawns and shoot grenades through their windows) with the proper paperwork and wait until responsive information is gathered and turned over.

Much like the DOJ and the SEC, Littlehale doesn’t want an updated law. He wants a law rewritten to treat digital communications like physical communications, bringing the barrier to access and the expectation of privacy down to the lowest level possible. That’s what is really being discussed here. Not a rewrite of an outdated law to reflect the reality of modern communications, but ways to make an already law enforcement-friendly law even friendlier.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “SEC, DOJ And Law Enforcement Want To Rewrite Email Privacy Law Update… In Their Favor”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

For want of a warrant the case was lost...

The kicker of course is that there would be no problem so long as they had a warrant for exactly what they wanted, and kept their requests reasonable and within the scope of the law.

However, their near fanatical aversion to creating paper-trails of what they are doing, and demands of every possible scrap of data ‘just in case’ is why they are having so much trouble. Solve those two issues, and things will be much better for all.

Anonymous Coward says:

Re: For want of a warrant the case was lost...

…their near fanatical aversion to creating paper-trails…

You’d be surprised at how much paperwork (even digital copies on PC/laptop/notebook) law enforcement has to fill out to take a case to court. If you’ve heard of a case being dismissed “due to technicality(ies)”: that usually means at least one form filled wrong or even missing. Same with physical evidence: missing or wrong forms or even the actual evidence missing can get a case dismissed, even if one knows the defendant is guilty.

And that can happen even if a warrant was issued!

Wendy Cockcroft says:

Re: Re: For want of a warrant the case was lost...

All the more reason to not go cheap on the admin. As an administrator I assure you that every scrap of information pertaining to a case (or a job) needs to be recorded and itemised as a range of departments and managers need it to get the work done, get hold of the appropriate materials, chase it down to completion, and ensure we get (and the parties involved) paid for it. And all of this is in aid of…

…proving to our client that we did what we said we did.

Paperwork is important, people.

JD says:

Minus one word ...

In certain instances, the person whose emails are sought will respond to our request. But in other instances, the recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct.

But enough about FOIA requests ….

Richard (profile) says:

Make our jobs harder

Because H.R. 699 in its current form imposes burdens that will make our job harder without offering any relief in other areas,
Hey – I get stuff from our management that make my job harder on a regular basis. I don’t get to lobby to change the law – I just have to klive with it. Why should they be any different!

(Especially as it seems that in this case there is a good reason for it. Most of the things I have to put up with don’t even have that.)

Anonymous Coward says:

The government is trying to weaken or eliminate warrant requirements with every single privacy or cybersecurity-related law, yet they want us to believe them when they say “they only want access to a backdoor when a warrant is obtained”.

Yeah, right. Even if they would agree to have that in place initially, they would probably push for an update of that law 5 years later where the warrant is no longer necessary “because it makes their job harder” or something stupid like that.

Anonymous Coward says:

SEC access didn't produce any convictions

during the massive frauds of the financial crisis.

The SEC had plenty of email and SMS data from all of the banksters without warrants.

Since they didn’t “use it” then, then “lose it” now.

What is the point of having all of this power, if you never use it for *good* during the biggest fraud scandal in a century?

Anonymous Coward says:

Re: Re:

There is no good or legal excuse, but they don’t want good or legal, they want a slam dunk prosecution. They want to have so many charges brought against you that you have no choice but to bargain away your freedom and rights. The prosecution of almost every case in America has orders of magnitude greater time and money to go after you, then your theoretically innocent until proven self can ever deal with. They have rigged the scaled of justice to always tip in their favor and any suggestion of correcting the imbalance is a threat to their very existence.

Anonymous Coward says:

Simple Solution

In most current email systems, such as GMail or Yahoo, the mail is retained on the provider’s servers, for access from any machine one can log into. This basically means the email remains on the server until it times out or until you purposely delete it. That is how most email is handles now.

In times past, there was (and still is) a system called POP3. The normal path for POP3 email is that it gets downloaded to the client and then is deleted from the server the instant that happens. One can elect to keep the messages on the server, but most clients default to delete after download.

The solution is simple: use POP3 email with delete after download enabled, and discontinue web-based email systems. Yes, it will be a bit less convenient in that only one computer should be accessing the messages (because once downloaded and read it gets deleted from the server), but no email will remain on the server for the gummint to seize or snoop into. So, in this case, the security increase is worth a little less convenience.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...