Proposals to update the email privacy law, the Electronic Communications Privacy Act (ECPA), are moving quickly in Congress. ECPA is in dire need of an update as it was written in the mid-1980s long before the advent of ubiquitous webmail and cloud storage. In the past, ECPA was used by the Department of Justice (DOJ) to obtain emails and other private online messages older than 180 days without a probable cause warrant. If law enforcement sought those same messages in the physical world, a warrant would be required. This difference is not only wrong, but also inconsistent with the Fourth Amendment. Senators Patrick Leahy and Mike Lee plan to fix this.
Last month, S. 607, a bill sponsored by Senators Leahy and Lee, passed out of the Senate Judiciary Committee. The bill requires that law enforcement obtain a warrant if it wants any private online messages, like private Facebook messages or Twitter direct messages. The Digital Due Process coalition, a diverse coalition of privacy advocates (including EFF) and major companies, has worked hard to advance ECPA reform and should be commended for its work. But because many agencies and companies already require a warrant for all private online messages, more could be done to bolster the law.
The bill should go beyond the status quo. Missing in the bill is a suppression remedy. In the current draft, if law enforcement obtained your email without a warrant, in violation of the revised law, nothing would prevent that illegally obtained evidence from being admitted in a criminal trial. A suppression remedy is a common sense addition to the bill ensuring that its impact is equal to its intent: ensuring all private virtual messages—just like any other private physical message—are available to the government only with a warrant based on probable cause.
In United States v. Warshak (2010), the Sixth circuit ruled that the 180-day rule, as written, was unconstitutional. At a hearing last month, the DOJ Office of Legal Policy finally admitted that emails older than 180 days should logically be protected by a warrant. That statement suggests that that the DOJ will be seeking warrants for all private online messages going forward.
But even before DOJ's admission, many companies already required a warrant before they allow law enforcement access to a user's private messages. In The Hill, Google, Microsoft, and Yahoo—the three largest webmail providers—said they require the government obtain a search warrant before accessing private content. In addition, Facebook and Twitter also require a warrant for private messages. Our Who Has Your Back campaign lists even more companies.
Senators Leahy and Lee provided a good start for ECPA reform. Likewise, the DDP coalition has done tremendous work to move the bill forward. But ECPA reform must do more than codify the status quo. At the minimum, any bill passed by Congress should have a suppression remedy.