Senators Mike Lee (R-UT) and Patrick Leahy (D-VT), along with six other co-sponsors have introduced the Email Privacy Act of 2017. [1] The bill would amend Title II of the Electronic Communications Privacy Act (ECPA) by requiring law enforcement agents to obtain a warrant before acquiring the content of electronic messages. It has been referred to the Senate Committee on the Judiciary. The House of Representatives passed similar legislation in February 2017. [2]

ECPA Was Ground-Breaking When It Was Enacted – But Now, Not So Much

The ECPA was passed in 1986 to modernize the Wiretap Act to account for advances in technology. [3] It created new law – the Stored Communications Act – to establish privacy protections for electronic communications. Anytime someone sends or receives an email or other electronic message, a third-party service provider makes it happen. Pursuant to long-standing Supreme Court precedent, there is no “reasonable expectation of privacy” in information disclosed to a third party, and thus no Fourth Amendment protection. [4] The Stored Communications Act’s original intent was to help restore Fourth Amendment-like protections to the online world.

In general, the Stored Communications Act prohibits a service provider from voluntarily disclosing electronic communications and records, and provides the government with ability to compel service providers to disclose the contents of electronic communications and customer records. In layman’s terms, the Act regulates “when the government can demand that Google turn over emails; when social media sites like Facebook must provide private posts; when video-sharing sites like YouTube must provide stored videos; and when cell phone companies must turn over cell location information.” [5] The various provisions in the Stored Communications Act strik a balance between a desire to protect the privacy of Internet-based communications and the legitimate needs of law enforcement. [6]

As it stands now though, the Stored Communications Act is in great need of an update. As Representative Jerrold Nadler (D-NY) explained prior to the passage of the Email Privacy Act in the House, “[o]ver the last 30 years, [there has been] a revolution in communications technology, and what might have made sense in 1986 is vastly out of date today.” [7] The ECPA was written many years prior to the birth of the commercial Internet, long before Congress could imagine the ways in which Americans now send, share, and store electronic communications and information. Because of these changes, the Act’s statutory protections are not aligned with the ways in which consumers currently use technology, nor do they comport with consumers’ expectations of privacy when using electronic messaging services.

To provide an example, under existing 18 U.S.C. Section 2703(a), emails that remain stored on a server for longer than 180 days are considered abandoned. The statute allows governmental entities to obtain the contents of such emails using a court order or administrative subpoena. The language in Section 2703(a) reflects both an understanding of how email technology worked in 1986, and an awareness of the limited use of email by the public at that time. To access email, a person typically logged in to a remote server and downloaded her emails to her desktop computer. A copy of an email would typically remain on the remote server after download until later deleted by the owner of the email account. Computers did not have large amounts of storage capacity. Free web-based email services like Gmail and Yahoo! did not exist yet. In 1986, “[i]t was unheard of that a commercial product would allow users to send and receive electronic communications around the globe for free and store those communications for years with a third-party provider.” [8] Since then, email technology has advanced, but the laws governing access to electronic messages have not. The Email Privacy Act is Congress’ remedy for this problem.

1. [1] S. 1654, Email Privacy Act of 2017, 115th Cong. (intr. July 27, 2017).
2. [2] H.R. 387, Email Privacy Act, 115th Cong. (as passed by the House Feb.. 6, 2017).
3. [3] Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848. Title I of the ECPA extended the Wiretap Act to the contents of electronic communications in transit. 18 U.S.C. §§ 2510–2522. Title II contains the Stored Communications Act. 18 U.S.C. §§ 2701–2712. Title III added the pen register and trap and trace statutes covering non-content communications. 18 U.S.C. §§ 3121–3127.
4. [4] See United States v. Miller, 425 U.S. 435 (1976); Smith v. Maryland, 442 U.S. 735 (1979).
5. [5] Richard M. Thompson II and Jared P. Cole, Stored Communications Act: Reform of the Electronic Communications Privacy Act (ECPA), Congressional Research Service, p.1 (May 19, 2015).
6. [6] See S. Rep. No. 541, 99th Cong., 2d Sess., reprinted in 1986 U.S. Code Cong. & Admin. News at 3555, 3557.
7. [7] Rep. Jerrold Nadler (D-NY), 163 Cong. Rec. H988, H991, 115th Cong. (Feb. 6, 2017).
8. [8] Rep. Bob Goodlatte (R-VA), 163 Cong. Rec. H988, H990, 115th Cong. (Feb. 6, 2017).