The Email Privacy Act, which passed the House 419-0, is slated for consideration in the Senate Judiciary Committee hearing this week. The legislation updates the now 30-year old Electronic Communications Privacy Act to, among other things, require law enforcement to generally get a warrant before it seizes the content of one’s emails. (The current statute only includes a warrant requirement for emails that are stored for 180 days or less.)
But what should be an easy yes-no vote (with the overwhelming majority voting “yes”) is now being scuttled by a series of proposed amendments that raise significant concerns. Ellen Nakashima wrote an excellent Washington Post story yesterday describing one of these amendments (the so-called ECTR fix, also discussed by Robyn Greene here) — which would permit the government to obtain a person’s browsing history and location information using a national security letter, a kind of administrative subpoena that often comes with a gag order. Under current law, the government needs a court order to obtain this kind of information.
But while there has been a fair amount of attention to the so-called ECTR fix, there has been relatively little attention to an equally, if not more, troubling emergency authorization provision being offered by Sen. Jeff Sessions. (An excellent post by Al Gidari and op-ed by a retired DC homicide detective are two examples to the contrary.)
The amendment would allow the government to bypass the warrant requirement in times of claimed emergency. Specifically, it would mandate that providers turn over sought-after data in response to a claimed emergency from federal, state, or local law enforcement officials. Under current law, companies are permitted, but not required, to comply with such emergency — and warrantless — requests for data.
There are two huge problems with this proposal. First, it appears to be responding to a problem that doesn’t exist. Companies already have discretion to make emergency disclosures to governmental officials, and proponents of the legislation have failed to identify a single instance in which providers failed to disclose sought-after information in response to an actual, life-threatening emergency. To the contrary, the data suggest that providers do in fact regularly cooperate in response to emergency requests. (See the discussion here.)
Second, and of particular concern, the emergency disclosure mandate operates with no judicial backstop. None. Whatsoever. This is in direct contrast with the provisions in both the Wiretap Act and Foreign Intelligence Surveillance Act (FISA) that require companies to comply with emergency disclosure orders, but then also require subsequent post-hoc review by a court. Under the Wiretap Act, an emergency order has to be followed up with an application for a court authorization within 48 hours (see 18 U.S.C. § 2518(7)). And under FISA, an emergency order has to be followed with an application to the court within 7 days (see 50 U.S.C. § 1805(5)). If the order isn’t filed or the court application denied, the collection has to cease.
The proposed Sessions amendment, by contrast, allows the government to claim emergency and compel production of emails, without any back-end review. To be sure, requesting entities must state, under penalty of perjury, both a “short statement of facts in support of the emergency” and an “explanation of why the facts require disclosure without delay.” But to investigating agencies, lots of things look like emergencies that, in hindsight, are not actually emergencies. Or at least not the kind of emergency that couldn’t wait the amount of time it would take to make a telephonic warrant application. And let’s be realistic: How often do we really expect law enforcement officials to expend resources investigating and prosecuting their fellow officers for perjury? When one further considers that this power is extended to federal, state and local law enforcement, the breadth of the potential loophole becomes apparent.
To sum up, it’s not at all clear that this change is needed. But to the extent a mandatory emergency authorization is added, it is essential that it be coupled with post hoc judicial review. As is required under the Wiretap Act. And the Foreign Intelligence Surveillance Act. Otherwise, federal, state, and local entities will have near carte blanche authority to declare “emergency” and run rough-shod over the warrant requirement and other carefully calibrated privacy protections that the Email Privacy Act adds.