The U.S. House surprised everyone when it voted the Email Privacy Act (EPA) bill unanimously on Wednesday. The bill has been stalled in Congress for many years, mainly due to lobbying from law enforcement and other civil agencies such as the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS). The EPA bill ought to modernize the three-decades-old Electronic Communications Privacy Act (ECPA) by requiring a warrant for all data requests for private communications.
Stalled For Years, EPA Now Passes Unanimously
Agencies such as the SEC have fought the bill for years, because they want to obtain emails and other private digital conversations without a warrant. The agencies are likely to continue to lobby against the bill in the Senate, as well.
The bill was stalled for so long that the ACLU started a campaign to pass similar state-level reform, in every state. This looked like a resource-intensive and time-consuming campaign, but the ACLU must’ve thought this still had a better chance of happening than the EPA becoming a federal law.
Plus, even if only a single state had passed it, it would’ve still been considered a win, because the people in that state could’ve benefited from online privacy rights that are more in line with their offline privacy rights. The ACLU managed to get 16 states and the District of Columbia to sign up for the reform. This was a significant win, but it’s still fewer than a third of the states.
All of this makes it so surprising that the House voted unanimously on the federal electronic communications reform bill, called the Email Privacy Act.
The EPA is still not perfect and doesn’t get quite the level of offline privacy protections that Americans experience through other laws. One of its major weaknesses is that the government doesn’t have to notify users of a given service that it requested their communications--not then, not ever.
It’s one thing to avoid notifying users when a request is made so as not to compromise an ongoing investigation, but it’s a different matter that the government never has to tell the users, even after a case has been closed. There’s simply no good reason for such a policy to exist.
As Microsoft recently noted when it announced its lawsuit against the U.S. government for drastically increasing its secret data requests over the past few years, the gag orders should automatically expire. They should only be extended with a judge’s approval based on “real necessity” to do so. If the government can’t prove it actually needs the extension, then there’s no reason to keep the request secret anymore.
In its lawsuit, Microsoft also asked for companies to be able to tell their users when the government requested the data, even if the government doesn’t tell the users itself. The new EPA bill seems to allow companies to do that. However, this is far from an ideal policy; it depends on the goodwill of companies to report to users, as well as their willingness to take on the U.S. government when they decide to challenge a gag order.
Most companies may not be so quick to tell their users about the requests, or they may be highly selective in who they choose to tell. It’s also not clear yet whether a National Security Letter could still prevent a company from reporting to users. However, chances are that the FBI could issue such a gag order, or at least it may interpret the law in that way (as it often does in its own favor). Then, even if the FBI is wrong, the companies would still have to challenge that gag order in Court to escape from it.
The Good Parts
This whole disclosure issue aside, the bill was significantly worse a couple of months ago when it had special carve-outs for the government to request data without a warrant in “emergency” situations--a clause ripe for abuse. The carve-outs were eliminated in a recent update to the bill.
One of the Email Privacy Act’s main purposes was to eliminate loopholes that existed in 1986’s ECPA. One of them allowed the government to consider emails “abandoned” after six months, which may have made some sense back in 1986, but in today’s world where email service providers keep your data forever, it doesn’t.
Despite its misleading name, the Email Privacy Act covers all electronic communications, not just email. That should include texts and VOIP calls, as well.
The Senate Fight
Although things in the House went surprising well for privacy advocates, they are likely to go much less smoothly in the Senate, unless both people and companies make their voices heard and contact their Senators.
In the Senate, there's Dianne Feinstein (D-CA) and Richard Burr (R-NC), the co-sponsors of the recent anti-encryption bill, who may not be too supportive of this EPA bill. The two bills may both focus on warrants, but one tries to ensure that nothing can ever be hidden from the government, whereas the other tries to ensure that the government (almost) never requests information without a warrant. When looking at them from this perspective, the two bills couldn’t be any different.
There are also 25 Senators who have already cosponsored a similar bill in the Senate, written by by Patrick Leahy (D-VT) and Mike Lee (R-UT). They said in an official statement:
“Today’s 419-0 House vote for the Email Privacy Act is an historic step toward updating our privacy laws for the digital age. It should go without saying that law enforcement agents should have to get a warrant to read Americans’ emails or retrieve their sensitive information from the cloud – yet that is not what our statutes currently require. It is long past time to reassure the American people that their online communications are protected from warrantless searches.
Despite some of its issues, the EPA is still a strong privacy reform as it currently stands in the House version, and it's supported by the EFF, ACLU and other civil liberties groups. It remains to be seen if the Senate will be able to pass a similar bill before the two are merged and sent to President Obama to sign the unified bill into law.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.