The email privacy hole Congress won’t fix
Of all the good tech-policy ideas dying a slow death in Congress, none has sunk to a deeper level of “Groundhog Day” futility than the effort to reform the Electronic Communications Privacy Act of 1986.
That law tech-policy types call “ECPA” has long since become a four-letter word. Its original sin was leaning on an obsolete understanding of email to grant warrant-free access to messages stored online, but its major failing is now irrelevance: webmail providers demand a warrant anyway.
And yet Congress can’t fix a law that has decayed from dangerousness to uselessness. This year is still young and many Republicans now profess themselves uneasy over the Federal Bureau of Investigation’s reach — but history suggests 2018 will end like the years before it, with ECPA intact.
How we got here
ECPA’s error should have been obvious to people versed in bulletin-board systems and email protocols 32 years ago: It imposes a 180-day limit on how long messages stay parked on “an electronic communications system.”
Up to that expiration date, the government needs a warrant from a judge based on probable cause to compel a communications provider to turn over your mail. Afterwards, a mere subpoena suffices.
The advent of webmail services in which your messages never left the cloud — beginning less than 10 years after ECPA’s passage with Hotmail — only made that line look more absurd.
In 2010, the U.S. Court of Appeals for the Sixth Circuit held in U.S. vs. Warshak that the government needed a warrant even for messages stored more than 180 days.
But it wasn’t until after a front-page sex scandal uncovered in part via e-mail—then-Gen. David Petraeus’s 2012 fling with biographer Paula Broadwell — that Congress paid a little more attention.
Legislative purgatory
Alas, the reform bill Sen. Patrick Leahy (D.-Vt.) had introduced in 2011 only got out of committee in 2012. Leahy tried again in 2013 with Sen. Mike Lee (R.-Utah) and did no better—even though the Justice Department said it could live with a warrant requirement.
The only ECPA good news that year came from Google (GOOG, GOOGL), Facebook (FB), Microsoft (MSFT) and this site’s parent firm Yahoo: They all revealed they had insisted on a warrant for stored email since 2010 or 2011, citing the 2010 Warshak ruling.
(And yet none had thought until then that their customers would want to know about this defense of their rights, which speaks volumes about the false innocence of those pre-Edward Snowden times.)
Since then, other telecom firms as AT&T (T), Comcast (CMCSA) and Yahoo’s corporate parent Verizon (VZ) have also said they require warrants. Smaller mail services without staff counsel, however, may still oblige a subpoena.
2013 saw Leahy and Lee make another attempt to reform ECPA; this, too, failed to get a Senate vote. A companion bill in the House introduced by Reps. Kevin Yoder (R.-Kans.) and Jared Polis (D.-Colo.), the Email Privacy Act, racked up 272 co-sponsors but didn’t escape a subcommittee in 2014.
Hope sprang anew in 2015, when that year’s version of the Email Privacy Act passed the House 419-0 and the Obama White House endorsed ECPA reform.
But in the Senate, Leahy and Lee’s bill died in committee after Sen. John Cornyn (R.-Tex.) and then-Sen. Jeff Sessions (R.-Ala.) moved to amend it to give law enforcement warrant-free access in terrorism and emergency cases.
Last February, a new version of the Email Privacy Act sailed through the House on a voice vote—and, basically, nothing’s happened since. Leahy and Lee’s latest Senate bill has yet to advance out of the Judiciary Committee.
Two members of Cornyn’s staff did not answer a query sent Thursday asking if his views had changed.
Opposition is a renewable resource
What would hold back a bill that Democrats and Republicans support and name-brand email providers ignore in practice?
Under the Obama administration, the Securities and Exchange Commission and the Federal Trade Commission complained that a warrant requirement would impede their enforcement activities—even though representatives of each also testified that they don’t use their existing ECPA authority.
The Trump administration has made it clear that it wants to loosen rules on both companies and law enforcement, which may weaken the agencies’ cause while encouraging the anti-terrorism argument. Meanwhile, its overall vagueness about tech policy has included silence about fixing ECPA.
“There is no reason to expect they will act to move reform forward,” concluded Sharon Bradford Franklin, director of surveillance and cybersecurity policy at New America’s Open Technology Institute.
Meanwhile, Congress has a hard time passing anything these days, not just in tech policy.
“There no longer seems to be space for small, useful reforms like this update to ECPA,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology. “Because everything is hard to pass, other actors like local law enforcement and the FBI want to make sure that they get their unrelated priorities met in any piece of legislation.”
Calabrese and Bradford Franklin both now hope for favorable Supreme Court rulings in cases on warrantless access to cell-phone location data and mail stored overseas.
Hoping the courts clean up Congress’s mess is, as the president might say, sad. But seeing as how judicial intervention finally yielded meaningful progress in patent reform last year, it also appears sadly realistic.
More from Rob:
Email Rob at rob@robpegoraro.com; follow him on Twitter at@robpegoraro.
Follow Yahoo Finance on Facebook, Twitter, Instagram, and LinkedIn
