The law governing access to your electronic communications and data stored in the cloud, the Electronic Communications Privacy Act (“ECPA”) was enacted in 1986, the same year that Top Gun was the highest grossing film in the United States. A decade later, Hotmail launched, then in 1997 Yahoo began offering email services, and Google’s Gmail became available in 2004. Today, many Americans’ lives (and livelihoods) are closely integrated with at least one electronic communications service or remote computing service, but ECPA has not been amended since 1986. ECPA needs to be reformed. As written, the statute authorizes the government to compel service providers to disclose the content of communications which have been “in electronic storage” for more than 180 days by means of a subpoena or court order, rather than meeting the more stringent requirements for a warrant.
The lack of reform is not due to a lack of understanding of the issue. Tech companies and coalitions, civil liberties organizations, and common-sense members of Congress from both sides of the aisle have introduced legislative reforms to ECPA for years. Interest in ECPA reform grew stronger after the Sixth Circuit held in 2010 that despite the statutory text, subscribers have a reasonable expectation of privacy in the content of their emails held by a commercial provider (regardless of how long those messages have been “in electronic storage”), and so the government must obtain a warrant in accordance with the Fourth Amendment to compel disclosure of the content of a subscriber’s messages (United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010)). Since the Sixth Circuit issued this opinion, it has become common practice among internet providers to rely on Warshak in insisting on a warrant in order to produce content. Nevertheless, the statute itself has not yet been amended.
Legislators have repeatedly introduced bills to amend ECPA to reflect this “warrant for content” standard, and on January 9, 2017, the Email Privacy Act was reintroduced in the House by a bipartisan group of nine co-sponsors and referred to the House Judiciary Committee. The list of co-sponsors has already grown to include 35 Democrats and 34 Republicans, which is not surprising since an identical bill passed unanimously in the House (419 – 0) in April 2016. The bill stalled in the Senate due to a series of proposed amendments which were not supported by the coalition of stakeholders that drafted the original legislation. Proponents are optimistic that the bill will be more successful this year and that 2017 will finally be the year of ECPA reform, but in this year of unexpected developments, nothing is guaranteed.
The Email Privacy Act would amend several provisions of the Stored Communications Act (a subsection of ECPA), but three changes are most noteworthy for providers of electronic communications or remote computing services:
“Warrant for content” codified in federal law
The proposed amendments would create consistency for providers and governmental entities by establishing that a warrant is required to compel disclosure of the content of communications. Providers may still voluntarily disclose content to the government in the case of an imminent emergency, or if another exception applies (i.e. with the consent of the user). However, the Email Privacy Act also creates an exception for Congressional subpoenas, which purportedly would still be sufficient to compel disclosure of the content of users’ communications. Another exception to this new rule would allow the government to obtain the content of communications with a subpoena, court order, or warrant if the communication “advertises or promotes a product or service and … has been made readily accessible to the general public.”
Timeline for responding to warrants
While Rule 41 of the Federal Rules of Criminal Procedure specifies that a warrant must be executed by law enforcement within 14 days, there is no clear timeline for compliance by service providers once they have been served during that period with a valid warrant. As a compromise, the Email Privacy Act amends the statute to provide that warrants to service providers “may indicate the date by which the provider must make the disclosure to the governmental entity. In the absence of a date on the warrant indicating the date by which the provider must make disclosure to the governmental entity, the provider shall promptly respond to the warrant.”
Notice to subscribers
The Email Privacy Act explicitly authorizes providers to notify their users of legal process pertaining to the subscriber’s account unless prohibited by a non-disclosure order. Furthermore, the section which governs these non-disclosure orders would be amended to establish that such gag orders may only issue for a period of 180 days at a time (rather than the indefinite gag orders that some providers have litigated). The government may seek extensions to the non-disclosure order for 180 day periods, but the burden is clearly on the government to seek the extension, rather than requiring providers to follow up with the government to determine if they are still gagged.