The Federal Trade Commission, the government’s chief privacy regulator, asked Congress for warrantless access to Americans’ emails during a Senate hearing Wednesday, where regulators, law enforcement and the tech industry discussed reforming a 30-year-old law granting the government access to Americans’ emails after they’re 180 days old.
Daniel Salsburg, chief counsel in the FTC’s Office of Technology, Research and Investigation, testified before the Senate Judiciary Committee alongside representatives from the Justice Department and the Securities and Exchange Commission in support of the Electronic Communications Privacy Act (ECPA) — a piece of Reagan-era legislation allowing agencies to subpoena “business records” from private companies after 180 days.
In the case of Internet service providers (ISPs), that includes users’ emails.
“The [FTC] therefore suggests that Congress consider providing a judicial mechanism that would authorize the commission to seek a court order directing the provider to produce the content if the commission establishes it has sought to compel it directly from the target, but the target has failed to produce it,” Salsburg, whose office resides in the FTC’s Bureau of Consumer Protection, said in his testimony.
Salsburg said such a “mechanism” derived from ECPA is essential to the agency’s ability to enforce regulations, as more communications and data transition online and onto cloud storage, and he wasn’t alone. Elana Tyrangiel, DOJ’s Deputy Assistant Attorney General and SEC Division of Enforcement Director Andrew Ceresney argued for similar accommodations in proposed ECPA reforms.
At the top of those reforms are the ECPA Amendments Act and the Law Enforcement Access to Data Stored Abroad (LEADS) Act, bipartisan legislation principally designed to prevent U.S. agencies from compelling companies to turn over user data stored in overseas servers, unless the account holder is a U.S. citizen. The bill would also update the Mutual Legal Assistance Treaty process, which allows governments to pursue such information from law enforcement in their countries of origin.
The government’s use of the outdated 1986 law, adopted long before the age of widespread digital communications, has been recently highlighted in a legal dispute between Microsoft and DOJ, currently pending before the Second Circuit Court of Appeals. The government argues that as a company based in the U.S., Microsoft must comply with a subpoena to turn over cloud-stored Outlook emails housed in a Dublin, Ireland server as part of a drug trafficking investigation.
Representatives from DOJ, the SEC and FTC expressed general consent for closing the loophole that treats old emails differently from new, but reiterated the importance of keeping some form of subpoena power for emails intact, which allows agencies to seek emails directly from Internet service providers without a warrant.
Legislation to reform ECPA already boasts a veto-proof majority in the House and the support of almost half the Senate on paper. Many of lawmakers’ questions Thursday scrutinized agency reps, with particular regard to the FTC.
“The FTC plays a key role in protecting Americans’ privacy and Americans, understandably, care deeply about the privacy of their emails and their online documents,” Minnesota Democratic Sen. Al Franken told Salsburg.
“I do find … the final portion of your testimony a little surprising — I did not expect to hear the FTC’s Bureau of Consumer Protection suggesting that the ECPA Amendments Act be significantly rewritten to give FTC broad authority to obtain, via simply court order, Americans email content from third-party service providers.”
Salsburg admitted he has no “empirical data to support” the need for such authority, and added to date, the FTC has never sought emails. Yet as more communications and data transition online, he foresees the need to do so in the future.
In a statement to the committee Thursday morning, FTC Commissioner Julie Brill dissented with her colleague, and said it’s “exceedingly rare that it would be useful for the FTC to seek content through ECPA,” and highlighted the inherent privacy concerns and questionable constitutionality of Salsburg’s request.
“The FTC claims to be a champion of consumer privacy, yet the agency wants access to Americans’ data without a warrant,” TechFreedom President Berin Szoka said in a statement Thursday. “The commission’s testimony today confirms longstanding rumors that it will only support ECPA reform if it gets a carveout from the bill’s warrant requirement.
“This is the issue that has stalled ECPA reform for over five years, despite overwhelming bipartisan support,” he continued. “The FTC’s testimony is carefully crafted to sound reasonable, but the agency is simply helping to obstruct the major privacy reform of our generation.”
Other agencies testified they too are not currently using the authority, but said in its reform, they want warrant-like authority to obtain emails in civil cases. Warrants, used in criminal cases, require probable cause obtained in the course of criminal investigations.
Center for Democracy & Technology Vice President Chris Calabrese, who testified in a second panel, described the agencies’ request as a “dramatic expansion of their authority to get at ordinary citizens’ inboxes,” and a “huge power grab from civil agencies, no matter how they frame it.”
“We certainly appreciate the concerns that have been raised in the rather long debate about this provision, but I’m afraid these are really just distractions,” Richard Salgado, Google’s director of law enforcement and information security, told the committee.
Salgado, who testified alongside Calabrese, pointed to a 2010 federal appeals case — United States v. Warshak — which found federal subpoenas for old emails, as justified by ECPA, an unconstitutional violation of the Fourth Amendment.
“What we have on our books right now is an unconstitutional provision,” Salgado said. “And we could fix that. And we have a very elegant way in the current bill that takes care of this.”
Iowa Republican and Senate Judiciary Committee Chairman Chuck Grassley said the ECPA Amendments Act in still in the early stages of markup, and offered no timeline for bringing the legislation to the floor.