Justice Dept. (almost) reneges on email privacy law stance, but the devil is in the details
Well, that was quick.
Earlier today, the Justice Department was preparing to tell a US House committee that it needed further powers under new legislation to acquire citizen data that included Facebook and Twitter private messages, along with other online stored communications.
In what appears to be a flip-flop of substantial proportions, not least likely due to the public concern over our citizen rights to email and stored communication privacy, the federal agency has reversed its stance and now supports court-ordered search warrants over subpoenas.
The difference is subtle, but up until now, the US Justice Department believes that only a subpoena is required to acquire citizen data under the US email privacy law — the Electronic Communications Privacy Act 1986 — rather than a court-ordered search warrant.
But the devil is in the details.
What the laws currently say
Under current legislation, ECPA allows a subpoena signed by a US prosecutor to compel email providers to hand over emails that are over 180 days old. Should the data be less than 180 days old, a court-ordered warrant is required. It was written at a time where email servers were only megabytes in size and not like today where emails can span back many years, if not more than a decade.
Read this
This has been the focus of the hearings in order to determine whether or not email and stored communication laws need updating. Many, including politicians, believe that they do.
A new bill proposed by a bi-partisan group of US House members are hoping to introduce a new law — the Online Communications and Geolocation Protection Act (OCGPA) — that would force US authorities into obtaining a court-ordered warrant to access any electronic communication that a person may possess. It will also include geolocation data, such as where your cellphone has been.
Under a similar law, the Stored Communications Act (SCA), which prohibits unlawful access to stored communications, and regulates how much the US government can acquire from online service providers. But, it does allow email and storage providers to hand over certain data in case of utter emergencies, such as if loss of life is imminent.
The SCA also establishes a mandatory data retention period, under which providers must hold onto stored data for up to 180 days in case of government requests. Companies such as Google, Twitter and Dropbox, along with privacy groups, have argued that the interpretations of ECPA by US authorities have made it easier for them to acquire data that should be protected.
What the Justice Department said
According to US acting assistant attorney general Elana Tyrangiel, while the current email privacy laws have assisted in a number of investigations, not limited to false claims, antitrust investigations and tax enforcement, federal authorities should attempt to seek a warrant signed by a judge rather than a subpoena signed by a US prosecutor.
She said in her testimony [PDF]:
We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.
There are a number of caveats that US authorities want to ensure are installed effectively in case of emergencies, such as where loss of life could take place. This, however, already leads the Justice Department into tricky territory as balancing the need for loss of life in five minutes versus one month away could lead to further degradations to civil liberties.
She said:
Some have suggested that the best way to enhance privacy under the SCA would be to require law enforcement to obtain a warrant based on probable cause to compel disclosure of stored email and similar stored content information from a service provider.
We appreciate the appeal of this approach and believe that it has considerable merit, provided that Congress consider contingencies for certain, limited functions for which this may pose a problem.
What the Justice Department, and effectively the collect thought across the chain of federal authorities, believe is that while US citizens should be given greater rights to privacy in line with the increasing expanse of technology and data, US authorities still have a job to do.
The Justice Department's "180-day rule" does, however, follow a similar line of thinking by Google, which also gave its view on the need to update old and outdated laws, as a company subject to such orders that can compel it to hand over its customers' data.
What Google said
Google director for law enforcement and information security Richard Salgado told the committee [PDF]: "The Department of Justice also takes the position that a subpoena is appropriate to compel the service provider to disclose the contents of an email even if it is not older than 180 days if the user has already opened it."
The search giant has already made such requests more public and open by publishing limited details of the requests it receives. It even won a recent battle with the White House to see that National Security Letter 'gagging orders' — which have since been ruled unconstitutional by a US District Court — are published to its Transparency Report.
While the specific number of gagging orders are not disclosed, various numerical ranges are disclosed. Google said earlier this year that government requests for its users' data has risen by 136 percent in just three years.
As a result, Google warns, many companies and businesses are avoiding third-party outsourced services such as the aforementioned under concerns that they may have data siphoned off by US federal agencies, and those companies gagged from telling the businesses in question.