SEC Boss Can't Keep Her Story Straight On Whether Or Not SEC Snoops Through Your Emails Without A Warrant

from the let's-get-this-straight-now... dept

For many years now, we've been writing about the need for ECPA reform. ECPA is the Electronic Communications Privacy Act, written in the mid-1980s, which has some frankly bizarre definitions and rules concerning the privacy of electronic information. There are a lot of weird ones but the one we talk about most is that ECPA defines electronic communications that have been on a server for 180 days or more as "abandoned," allowing them to be examined without a warrant and without probable cause as required under the 4th Amendment. That may have made sense in the 1980s when electronic communications tended to be downloaded to local machines (and deleted), but makes little sense in an era of cloud computing when the majority of people store their email forever on servers. For the past few years, Congress has proposed reforming ECPA to require an actual warrant for such emails, and there's tremendous Congressional support for this.

And yet... it never seems to pass. The story that we keep hearing is that two government agencies in particular really like ECPA's outdated system: the IRS and the SEC. Since both only have administrative subpoena power, and not the ability to issue warrants like law enforcement, the lower standards of ECPA make it much easier for them to snoop through your emails without having to show probable cause. Last year, in a Congressional hearing, the SEC's boss, Mary Jo White, was questioned about this by Congressman Kevin Yoder, who has been leading the charge on ECPA reform. As we reported at the time, in the conversation, White clearly said that the SEC needed this ability or it would lose "critical" information in its investigations. You can see the conversation from 2014 below, where White (starting around 2:30) explains how vital this process is to the SEC:

Here's the key line:

"What concerns me, as the head of a... law enforcement agency, is that we not put out of reach of lawful process... what is often, sometimes the only, but critical evidence of a serious securities fraud.... And we use that authority quite judiciously, but it's extremely important to law enforcement."

What struck us as interesting last year was White admitting that the SEC appeared to regularly use this process, since she noted that it was "extremely important" and provided "critical evidence."

Fast forward to this week, and the same two players were involved in yet another Congressional hearing. You can see that conversation here as well, with the critical point being made after about four and a half minutes, where White says some of the same stuff, about the privacy protections, and how even if the SEC used this process it still notifies the subscribers to give them a due process right to protest the subpoena... but also, oddly, seems to claim that the SEC never actually makes use of this process:

Here's the key line this time (the full response is a jumble of half sentences and unfinished thoughts, so it's a bit of a mess):

"While these discussions have been going on, to try to sufficiently balance the privacy and the law enforcement interests, we've not to date to my knowledge proceeded to subpoena the ISPs. But that, I think, is critical authority to be able to maintain -- done in the right way and with sufficient solicitousness and it's very important to the privacy interests which I do think can be balanced."

As I said, if you watch her entire response, it's a complete mess of half-finished thoughts, which seems rather typical of someone trying to sound like they're answering a question but not actually doing so. Later in the same answer, she insists that taking away this authority might take away an important tool.

So, we know that the SEC really wants to keep this tool. But last year it said it was "extremely important" and provided "critical evidence." This year, she's saying that the SEC isn't even using the tool. So, uh, which is it? Is this tool absolutely necessary for critical evidence, or is it not even being used by the SEC?

And, through all of this, the SEC still has not answered the most basic question: why can't it treat email the same way it has to treat paper documents under the 4th Amendment? That is, if it wants the document it can subpoena the end user for those documents. It does not get to route around the end user and subpoena a third party for those documents. So why can't it treat email in the same way?

Reader Comments

  • Anonymous Coward, 17 Apr 2015 @ 7:46pm

    Mike, you are missing the subtleties here. No, they have never used a SUBPOENA to the ISPs. But, have they ever used national security letters? Or spyware? Or other forms of hacking to get access to the e-mails?

    • Uriel-238, 18 Apr 2015 @ 1:36pm

      "...to my knowledge..."

      I think her use of the Ollie North plausible deniability defense covers her butt just fine.

      But I think her suggestion that the authority she wishes to retain done in the right way suggests that oversight should be in place, e.g. fourth amendment protections. Even if her implication is accurate, that the power has not been abused, does not in any way indicate that it won't be in the future.

      If all the history in the world serves to inform, such abuse is, without proper oversight, inevitable. Do we fix the vulnerability now, or wait until there is a body count?

  • Anonymous Anonymous Coward, 17 Apr 2015 @ 7:57pm

    Why not?

    "And, through all of this, the SEC still has not answered the most basic question: why can't it treat email the same way it has to treat paper documents under the 4th Amendment? That is, if it wants the document it can subpoena the end user for those documents. It does not get to route around the end user and subpoena a third party for those documents. So why can't it treat email in the same way?"

    A. Because it is more work.
    B. Because if shenanigans exist it will alert the subject that we are on to their shenanigans.
    C. Other redacted mumbo jumbo.
    D. All of the above.

  • Anonymous Coward, 17 Apr 2015 @ 8:30pm

    Why don't they just get a warrant from a judge? If it is evidence, get a warrant.

    • Mike Masnick, 18 Apr 2015 @ 5:22am

      Re:

      Why don't they just get a warrant from a judge? If it is evidence, get a warrant.


      Well, technically, they can't. The SEC only has subpoena authority. The DOJ is needed to get a warrant. But the issue here is over who they can subpoena for what information and how it impacts the 4th amendment.

  • Whoever, 17 Apr 2015 @ 9:00pm

    What has the SEC done?

    How many people were prosecuted over the recent financial meltdown? How many people has the SEC successfully prosecuted over insider trading? It's just another agency that's too close to the very people it should be regulating.

    • Anonymous Anonymous Coward, 18 Apr 2015 @ 6:48am

      Re: What has the SEC done?

      It might well be a Department of Justice (for me, but not for thee is understood...right?) issue. SEC makes a case and takes it to DOJ to prosecute.

      Then again, they may BOTH be too close to that steaming, stinking pile of lucre known as Wall Street.

  • Sheogorath, 17 Apr 2015 @ 9:56pm

    And yet... [the email warrant requirement bill] never seems to pass.
    That's because of modern technology, you see. If someone should choose to export their emails from their webmail account to Dropbox, for example, then the authorities can just search there, and if the user has been engaging in 'piracy' by ripping their CDs...

  • Anonymous Coward, 17 Apr 2015 @ 10:54pm

    Tranny Porn

    The SEC snoops through your email to find tranny porn they have not seen yet so they can give it to their boss for brown eye points.

  • That One Guy, 17 Apr 2015 @ 11:38pm

    Good rule for lying: Plan ahead, and keep your story straight

    '...done in the right way and with sufficient solicitousness and it's very important to the privacy interests which I do think can be balanced.'

    A statement I would agree with, if the 'right way' was 'get a gorram warrant'. As it stands though, the fact that they are fighting so hard against the laughably easy task of simply applying for a warrant before snooping makes it pretty clear the vast majority of their fishing expeditions are just that, baseless searches with no actual justification, and certainly not ones that would hold up under scrutiny.

  • Anonymous Coward, 18 Apr 2015 @ 3:13am

    The terrorists can't get away with not paying their taxes -- or something.

  • Anonymous Coward, 18 Apr 2015 @ 4:57am

    Double standard

    Funny how no such reciprocal 180 days = abandoned when it comes to government email. Only the dumb serfs.

  • Anonymous Coward, 18 Apr 2015 @ 5:08am

    That's what Microsoft did back then when you wanted to close your Hotmail account. You couldn't. You had to wait 180 days without ever sending anything from it to go away. I was wondering why a lot in my little 16 year old head back in the late 90's.

  • Anonymous Coward, 18 Apr 2015 @ 6:05am

    Mary Jo White = Wall Street Puppet. Even if SEC had the power to snoop warrantlessly she wouldn't dare jeopardize her prospects of employment after retiring

  • Anonymous Coward, 18 Apr 2015 @ 7:19am

    I'm in the financial industry

    The SEC has "march-in" rights to examine all of my email at work at any time w/o a warrant. This also applies to cellphone text messages, but it is technically much more difficult for the SEC to gain access to these, because these messages don't reside on a server at work.

  • zero, 18 Apr 2015 @ 7:20am

    If you have to ask you are dumber than she is

  • Anonymous Coward, 18 Apr 2015 @ 8:53am

    Easy explanation

    This feature is never used to obtain content, but they like having it because it is a critical tool used as the explanation whenever they need to parallel construct a plausible reason for having information they obtained illegally.

  • Anonymous Coward, 18 Apr 2015 @ 10:49am

    But terrorists!

    Every day you don't hear of a terrorist plot being successfully pulled off means that this system is working.. And the ones that did go off without a hitch.. Well, just ignore them bcz we need more power.

  • Mr Me, 19 Apr 2015 @ 2:38am

    I don't get it ...

    How are the SEC breaking my encryption?

  • Anonymous Coward, 19 Apr 2015 @ 11:22am

    Extremely important

    What struck us as interesting last year was White admitting that the SEC appeared to regularly use this process, since she noted that it was "extremely important" and provided "critical evidence."

    That's what every single law enforcement agency would claim if they, too, had warrantless access to people's data. We all know they can do their jobs just fine despite the warrant requirement, but were they in the SEC's position they'd say their jobs are impossible without unobstructed access to people's data.

    • Uriel-238, 19 Apr 2015 @ 6:54pm

      A lot of the people of the US are conditioned to trust Law Enforcement implicitly.

      Which is easy, since we have an instinct to trust authority with no regard as to how that authority came to power.

      So yeah, anyone in power can say "I need this power and more to do my job" and the laity will believe them.

  • Swaneee, 19 Apr 2015 @ 10:07pm

    Subpoena Power

    What!! The subpoena power by the IRS and SEC does in fact violate our 4th Amendment rights as the notification to the consumer never happens. The issue with the ECPA is that it fails to distinguish between civil and criminal law enforcement. Therefore, the IRS and SEC administratively "fish" for information. Shame on them..............

  • Regret, 20 Apr 2015 @ 10:37am

    SEC subpoena of regulated financial businesses

    A bit off-topic, but I can speak as a former compliance officer with an SEC-regulated business: we had very strong incentives to cooperate with SEC requests for information, including e-mails, about our interactions with third parties. The SEC could basically put us out of business any time they wished to, so when they wanted to go fishing, we would bring the boat and the beer. The only resistance we would consider offering was 1) in order to limit the breadth of their information demands - in one case, the subpoena essentially requested every record of every activity since the inception of our firm; or 2) we would obviously not cooperate if there was any hint of self-incrimination in our response (fortunately this didn't occur) - but frankly, we would not dare to resist their requests solely because of concerns about a third-party's privacy.
