The SEC Fears The Email Privacy Act

December 3, 2015

Submitted for your consideration is a thought piece. Pointedly, I express no preference for either side of the developing debate. The issues and disputes are what they are. As publisher of the BrokeAndBroker.com Blog, I merely present this article with the hope that it prompts you to think, to ask questions, and to consider how you personally come down on the topic.


Email Privacy Act

Currently under consideration before the House of Representative's Committee on the Judiciary ("Judiciary Committee") is the Email Privacy Act ("HR 699"), which seeks to amend portions of the Electronic Communications Privacy Act ("ECPA"). In pertinent part, HR 699 preliminarily summarizes its goal as:

To amend title 18, United States Code, to update the privacy protections for electronic communications information that is stored by third-party service providers in order to protect consumer privacy interests while meeting law enforcement needs, and for other purposes.


Proposed Section 2 of HR 699 presently states in pertinent parts:

SEC. 2. CONFIDENTIALITY OF ELECTRONIC COMMUNICATIONS.

Section 2702(a)(3) of title 18, United States Code, is amended to read as follows:

"(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge to any governmental entity the contents of any communication described in section 2703(a), or any record or other information pertaining to a subscriber or customer of such service."

SEC. 3. ELIMINATION OF 180-DAY RULE; SEARCH WARRANT REQUIREMENT; REQUIRED DISCLOSURE OF CUSTOMER RECORDS.

(a) In General.-Section 2703 of title 18, United States Code, is amended-

(1) by striking subsections (a), (b), and (c) and inserting the following:

"(a) Contents Of Wire Or Electronic Communications.-A governmental entity may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication that is in electronic storage with or otherwise stored, held, or maintained by the provider only if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) that is issued by a court of competent jurisdiction directing the disclosure. . .

Warrants Per Criminal Procedure

If HR 699 is passed in its present form, it would essentially prohibit Internet Service Providers ("ISPs"), among other covered parties, from disclosing electronic communications to any governmental entity other than pursuant to a warrant obtained pursuant to the Federal Rules of Criminal Procedure or applicable state procedures. Clearly, this prerequisite to obtain a warrant pursuant to criminal procedures will impose an obstacle in the path of any entity with civil-only powers. Is that a worthwhile inconvenience to protect our civil liberties or is that yet another dangerous impediment in the path of catching purported bad guys?

The SEC Fires A Warning Flare

On December 1, 2015, Securities and Exchange Commission ("SEC") Director of the Division of Enforcement, Andrew Ceresney, testified before the Judiciary Committee. See, "Testimony on Updating the Electronic Communications Privacy Act" During his remarks, Ceresney noted his concerns with the proposed amendments [footnotes omitted]:

Electronic communications often provide critical evidence in our investigations, as email and other message content (e.g., text and chat room messages) can establish timing, knowledge, or relationships in certain cases, or awareness that certain statements to investors were false or misleading.  In fact, establishing fraudulent intent is one of the most challenging issues in our investigations, and emails and other electronic messages are often the only direct evidence of that state of mind.  When we conduct an investigation, we generally will seek emails and other electronic communications from the key actors via an administrative subpoena - a statutorily authorized mechanism for gathering documents and other evidence in our investigations. In certain instances, the person whose emails are sought will respond to our request.  But in other instances, the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond - unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct.  In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.

It is at this point in an investigation that we may in some instances, when other mechanisms for obtaining the evidence are unlikely to be successful, need to seek information from the internet service provider (ISP).  H.R. 699 would require government entities to procure a criminal warrant when they seek the content of emails and other electronic communications from ISPs.  Because the SEC and other civil law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather evidence, including communications such as emails, directly from an ISP, regardless of the circumstances. Thus, if the bill becomes law without modifications, the SEC and other civil law enforcement agencies would be denied the ability to obtain critical evidence, including potentially inculpatory electronic communications from ISPs, even in instances where a subscriber deleted his emails, related hardware was lost or damaged, or the subscriber fled to another jurisdiction. Depriving the SEC of authority to obtain email content from an ISP would also incentivize subpoena recipients to be less forthcoming in responding to investigatory requests because an individual who knows that the SEC lacks the authority to obtain his emails may thus feel free to destroy or not produce them. . .


The Digital Due Process Coalition Statement

In contrast with Director Ceresney's concerns, we have those of, for example, the "Digital Due Process," which defines itself as a "
a diverse coalition of privacy advocates, major companies and think tanks, working together." Among the coalition members are such organizations as Adobe, Amazon, Apple, AT&T, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo. See, partial list of coalition members. The Digital Due Process coalition explains that:

ECPA Reform: Why Now?

The Electronic Communications Privacy Act (ECPA) was a forward-looking statute when enacted in 1986. It specified standards for law enforcement access to electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies. Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986 - eons ago in Internet time.

As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today's digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together to combat increasingly sophisticated cyber-criminals or sexual predators. . .


As more fully explained on the Digital Due Process coalition's website:

Specific Background on ECPA Reform Principles

1. The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online.
  • This principle applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet "cloud"-- private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks.
  • This change was first proposed in bi-partisan legislation introduced in 1998 by Senators John Ashcroft and Patrick Leahy. It is consistent with appeals court decisions holding that emails and SMS text messages stored by communications providers are protected by the Fourth Amendment, and is also consistent with the leading legal scholarship on the issue.
2. The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device.
  • This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data.
  • A warrant for mobile location information was first proposed in 1998 as part of the bipartisan Ashcroft-Leahy bill. It was approved 20 to 1 by the House Judiciary Committee in 2000.
3. Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation.
  • In 2001, the law governing "pen registers and trap & trace devices"-technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone-was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit.
  • This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated.
4. Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation.
  • This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.
  • Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation.
"About the Issue" digitaldueprocess.org