ECPA Reform 2.0: Previewing the Debate in the 115th Congress
On January 9th, Reps. Yoder and Polis re-introduced the Email Privacy Act to update the Electronic Communications Privacy Act (ECPA) (there is no Senate companion bill yet). ECPA sets forth the rules for how federal, state and local government agencies (and foreign governments) obtain electronic communication content and metadata from U.S. service providers.
Published by The Lawfare Institute
in Cooperation With
On January 9th, Reps. Yoder and Polis re-introduced the Email Privacy Act to update the Electronic Communications Privacy Act (ECPA) (there is no Senate companion bill yet). ECPA sets forth the rules for how federal, state and local government agencies (and foreign governments) obtain electronic communication content and metadata from U.S. service providers. The bill tracks the version passed unanimously by the House last April. Despite the bill’s broad, bipartisan support in the House, achieving that overwhelming vote did not happen overnight. The bill as passed is a modest, although not insignificant, reform. But in order to achieve full House support a number of proposals were removed and several politically-thorny issues were simply left to be dealt with in the future by, you guessed it, the 115th Congress.
The Senate was unswayed by the bill’s popularity in the House—a common misconception being when one chamber overwhelmingly passes a bill, the other will as well. Ultimately, the Senate did not reach consensus on ECPA reform legislation, the unsurprising result of ongoing substantive disputes in a truncated legislative year.
The question now is what the new Congress will do on ECPA reform. It seems unlikely that both chambers will simply pass the Email Privacy Act as introduced in the early months of the first session. There are hurdles beyond just reaching consensus on the substance of the text. First, the new administration has an ambitious agenda that will keep it and Congress busy for its first 100 days and beyond. Second, the looming expiration of the FISA Amendments Act (FAA) will demand the attention of the Judiciary Committees, also responsible for ECPA reform. While some have suggested that ECPA reform might be tied to FAA reauthorization, the likelihood that Congress will wind down the clock on FAA reauthorization until the end of the year limits the political bandwidth for coupling it with ECPA reform.
The core reform undertaken by the Email Privacy Act is elimination of the so-called “180-day rule” under which emails, text messages, and the like that are older than 180 days can be compelled from providers with a subpoena or court order rather than a warrant. Below is a summary of a few of the high level issues that Congress may address in ECPA reform beyond establishing the warrant-only standard for criminal investigations.
Compelled disclosure in emergencies or with customer consent
Debated but not included in the House-passed Email Privacy Act is whether the government should be authorized to require disclosure of emails and customer records in certain circumstances, namely with the customer’s consent or in emergencies. Existing law allows the government to require disclosure of non-content records with the customer’s consent. But that same consent cannot be used to require a provider to turn over the content of communications. In an emergency, the government can request emails or customer records but the disclosure by the provider is voluntary and the provider determines whether an emergency exists.
The voluntary nature of these disclosures, coupled with a revised warrant-only standard, spurred law enforcement to lobby Congress to mandate disclosure where there is consent or in the event of an emergency. Proponents of the bill caution that this move could lead to disclosures in the absence of a true emergency and impose undue burdens on providers to ferret out legitimate consent.
This issue is likely to emerge again this Congress, particularily in the Senate. Emergency disclosures will be more controversial than consent. All things considered, it seems unlikely that the argument providers are better suited to determine if an emergency exists will prevail. If Congress does add emergencies to ECPA’s mandatory disclosure provision, the question will be whether this addition should be accompanied by restrictions on these demands or on the use of evidence derived from them.
Access to electronic communication content by civil investigative agencies
Also debated but not addressed by the House is whether Congress should provide a mechanism for civil investigative agencies to compel emails and other electronic communications from providers. The elimination of the 180-day rule would also eliminate the means by which civil agencies such as the SEC, FTC, or the civil components of DOJ, obtain information directly from providers. Opponents of such a mechanism argue that the warrant should be the only manner by which governments compel communication content from providers. They also contend that civil agencies do not need to subpoena a provider when they can simply subpoena the customer directly. DOJ and other civil agencies assert that, while it is not uncommon to subpoena the customer directly, were that the exclusive means investigators would lose valuable information if, for instance, the customer is unresponsive or has fled the jurisdiction. One mechanism proposed last Congress would require civil agencies to first serve the customer with subpoena process and only after the customer’s failure to comply could the agency then seek a court order to obtain the information from the provider.
Such a mechanism was resoundingly rejected in the House last Congress and that is unlikely to change now. The Senate, however, has indicated some sympathy for the plight of civil agencies. That may mean this contentious proposal will reemerge.
Foreign government access to U.S. provider-held content
There has been ample discussion on the issue of cross-border data flow and accompanying legal barriers such as those confronted by foreign governments who require access to emails held in the U.S. This is yet another issue in which ECPA plays a pivotal role. Simply put, U.S. providers may only disclose electronic content to U.S. government entities, either voluntarily or when compelled to do so. This presents an evidentiary hurdle—that functions more like a barrier—to foreign countries investigating crimes by or against their own citizens. In the absence of a palatable remedy, foreign governments have already begun to pursue data localization laws and enforcement actions against American companies. This is an increasingly urgent issue, but one that cannot realistically be resolved separately from broader ECPA reform.
Last summer, the administration transmitted to Congress a long-awaited legislative proposal to amend ECPA to authorize bilateral agreements between the U.S. and foreign governments to facilitate requests to providers for electronic data. The U.S. has already negotiated such an agreement with the United Kingdom, which cannot take effect until Congress legislates (for its part, the U.K.’s Investigatory Powers bill, which took effect December 30th, includes the necessary changes to British law to enact this agreement).
There appears to be broad consensus on the Hill regarding the need to address the concerns of foreign allies and American companies stuck in the middle of conflicting laws. But to breath life into these agreements, Congress must decide difficult issues like what criteria foreign governments must satisfy to be eligible for such access and who makes that determination. Congress must also decide whether access should be granted for real-time collection under the Wiretap Act in addition to disclosure of stored content under the Stored Communications Act and whether access should be dictated by foreign law or the U.S. warrant standard.
U.S. government access to emails stored outside the U.S.
Also on deck for ECPA reform is the question of whether the government should be allowed to use the ECPA process to obtain electronic data stored outside the United States (or, in the alternative, belonging to a foreign national outside the United States). Rather serendipitously, this three decades-old law imposes the same standard on U.S. investigators regardless of where the data is stored or who is under investigation. Therefore, under current law, any Gmail or Facebook user in the world who is being investigated in the U.S. enjoys the same protections afforded Americans under the law, namely the warrant requirement in criminal investigations.
Despite this, some providers have objected to the use of ECPA warrants by American investigators to compel disclosure of data stored outside the U.S. by providers subject to U.S. law. They argue that the Stored Communications Act does not apply extraterritorially and, therefore, warrants issued pursuant to it cannot be used to acquire electronic data held in foreign countries. This objection manifested in litigation in the Second Circuit and introduction of the LEADS Act last Congress. The LEADS Act amends ECPA to offer partial extraterritoriality for warrants seeking data belonging to U.S. persons regardless of where it is stored.
In the absence of ECPA process, U.S. investigators would be at the mercy of the Mutual Legal Assistance Treaty process. This arduous and lengthy process requires the United States to seek the assistance of the foreign government where the data is held, subject to disclosure under that country’s standards. This is as untenable a process for U.S. investigators seeking data held by U.S. companies overseas, as it is for foreign investigators seeking to obtain access to data held in the U.S.
Last summer the Second Circuit ruled in Microsoft Corp. v. U.S. that ECPA does not allow courts to issue warrants for overseas data. By limiting ECPA’s application to only domestic data, the decision effectively eliminates warrant protection for millions of U.S. providers’ customers, including possibly U.S. customers (should their data ever make its way onto a foreign server). Notably, prior to the Second Circuit’s decision, the House and Senate sponsors of the LEADs Act introduced a second bill, ICPA (not to be confused with ECPA). ICPA pivots away from the data location-approach of the LEADS Act to define the legitimacy of ECPA warrants on the basis of the nationality and location of the customer. In doing so, the bill arguably negates the litigation in the Second Circuit by stating that ECPA warrants apply “regardless of where such contents may be in electronic storage or otherwise stored, held, or maintained[.]”
Reportedly, providers have continued to comply with ECPA warrants for data stored abroad despite the court’s ruling while DOJ sought rehearing en banc. That request was denied on Monday. Presumably, DOJ will petition the Supreme Court for review and, in the interim, providers will likely continue to respond to ECPA warrants in the Second Circuit regardless of the data’s location.
There is broad consensus that Congress should resolve the issue of the Stored Communication Act’s application to data stored overseas. But there is a separate issue created by the Second Circuit’s ruling—one that calls for making the law extraterritorial. The pending bilateral agreement with the U.K. (and any future agreements) is reciprocal, meaning that the U.S. will be granted direct access to British communication providers in return for U.K. access to American providers. The Microsoft decision, however, negates the use of ECPA warrants for data stored abroad and thus eliminates the reciprocity that is the foundation of the bilateral agreement.
ECTR National Security Letters
The most contentious issue is an amendment to the so-called ECTR national security letter authority. ECPA authorizes the FBI to request certain non-content records in its national security investigations. The statute is essentially broken down into two parts. The first imposes a duty on providers to turn over certain records. The second authorizes the FBI to request those records. The phrase “electronic communication transactional records” appears in the first section but not the second. Beginning in 2009, providers began rejecting ECTR NSLs, citing the FBI’s lack of authority to issue them. Since 2009, the government has relied on FISA court orders to obtain ECTR records, a more time-consuming and resource-intensive process. And since 2009, some on Capitol Hill have sought to amend the statute. The update was proposed for inclusion in the USA FREEDOM Act and, most recently, in the Senate’s consideration of ECPA last year.
Providers and civil liberties advocates characterize the change as an expansion of the FBI’s authority to obtain communication records, including records about U.S. citizens, without prior court approval. Proponents of the change view it as a long-overdue correction to a “scrivener’s error.”
Once again, attention on this debate turns primarily to the Senate as there has been little appetite in the House, even amongst many Republican members, to “expand” FBI national security investigative authority. Last summer, however, for the first time in several years, the House rejected an appropriations amendment to prohibit searching FISA 702 data with U.S. person selectors. This might signal that the winds are shifting on surveillance authorities in the wake of the San Bernardino, Orlando, and other terror plots here and around the world. This issue might be included in either an ECPA reform bill or the FISA Amendments Act reauthorization. But it will undoubtedly continue to be a controversial issue, at least in the Senate.
