Email Privacy, At Last?

Last week, New America’s Open Technology Institute (OTI) joined a coalition of civil society groups and tech companies in a letter to the leadership of the House and Senate Armed Services Committees, urging the inclusion of the Email Privacy Act in the National Defense Authorization Act (NDAA). The Email Privacy Act would update the decades-old Electronic Communications Privacy Act (ECPA). It would repair what has become a privacy-invasive loophole and protect the contents of our private online communications from warrantless government searches.

When you send an email or Facebook message, you might reasonably assume the contents of that message will remain totally private. But under ECPA, the government can compel service providers like Google and Facebook to hand over a customer’s entire communications history older than six months–including attached images and files–without a warrant based on probable cause.

The Digital Due Process Coalition, of which OTI is a member, has long called for Congress to end this arbitrary loophole. The House of Representatives has answered that call twice by unanimously passing the Email Privacy Act, which would eliminate ECPA’s “180-day” rule and require the government to obtain a warrant before collecting communications contents, irrespective of when they were created. The bill would codify privacy protections that are already supported by judicial precedent in U.S. v. Warshak, where the Sixth Circuit Court of Appeals held that the Fourth Amendment warrant requirement applies to all online communications contents. The Supreme Court also recently cited this case approvingly in its ruling in Carpenter v. U.S.

After Warshak, the Department of Justice began enforcing the warrant requirement across the country as a matter of policy (even though the law did not require it). But that policy could change for regions outside the Sixth Circuit. A law, on the other hand, must be followed, which is why it is still critical that Congress amend ECPA to close the exception to the warrant-for-content rule. The House bill does not address every privacy concern with this outdated law. For one, it does not include a requirement that the customer be notified when a warrant is served for their online communications. However, as the coalition letter states, the bill “represents a carefully negotiated compromise which preserves existing exceptions to the warrant requirement, provides a new ability for civil agencies to obtain access to previously public commercial content, and maintains the government’s ability to preserve records and obtain emails from employees of corporations.”

Yet there are still roadblocks in the Act’s way. Past iterations of the Email Privacy Act have been doomed by “poison pill” amendments, such as unnecessary new emergency and civil agency exceptions, and an expansion to the national security letter (NSL) statute. The NSL amendment would have expanded that authority to encompass electronic communications transactional records (ECTRs), which can reveal everything from an individual’s physical location and daily routine to their browsing history and personal contacts. With this amendment, the FBI would be allowed to force service providers to turn over these highly revealing data about their users without any judicial oversight.

Poison pill amendments would defeat the Email Privacy Act’s very purpose by turning a bill that should protect Americans’ privacy into one that threatens it. That is why it is crucial that the Email Privacy Act be attached in an unamended form to the NDAA, which is considered a must-pass bill. Given the obstacles looming in the Senate, it may be the only way to ensure that this essential piece of legislation finally becomes law.