The U.S. House surprised everyone when it voted unanimously to pass the Email Privacy Act (EPA) bill on Wednesday. The bill has been stalled in Congress for many years, mainly due to lobbying from law enforcement and other civil agencies such as the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS). The EPA bill is meant to modernize the three-decades-old Electronic Communications Privacy Act (ECPA) by requiring a warrant for all data requests for private communications.
Stalled For Years, EPA Now Passes Unanimously
Agencies such as the SEC have fought the bill for years, because they want to obtain emails and other private digital conversations without a warrant. The agencies are likely to continue to lobby against the bill in the Senate, as well.
The bill was stalled for so long that the ACLU started a campaign to pass similar state-level reform in every state. This looked like a resource-intensive and time-consuming campaign, but the ACLU must’ve thought this still had a better chance of happening than the EPA becoming a federal law.
Plus, even if only a single state had passed it, it would’ve still been considered a win, because the people in that state could’ve benefited from online privacy rights that are more in line with their offline privacy rights. The ACLU managed to get 16 states and the District of Columbia to sign up for the reform. This was a significant win, but it’s still fewer than a third of the states.
All of this makes it so surprising that the House voted unanimously on the federal electronic communications reform bill, called the Email Privacy Act.
The EPA is still not perfect and doesn’t get quite the level of offline privacy protections that Americans experience through other laws. One of its major weaknesses is that the government doesn’t have to notify users of a given service that it requested their communications--not then, not ever.
It’s one thing to avoid notifying users when a request is made so as not to compromise an ongoing investigation, but it’s a different matter that the government never has to tell the users, even after a case has been closed. There’s simply no good reason for such a policy to exist.
As Microsoft recently noted when it announced its lawsuit against the U.S. government for drastically increasing its secret data requests over the past few years, the gag orders should automatically expire. They should only be extended with a judge’s approval based on “real necessity” to do so. If the government can’t prove it actually needs the extension, then there’s no reason to keep the request secret anymore.
In its lawsuit, Microsoft also asked for companies to be able to tell their users when the government requested the data, even if the government doesn’t tell the users itself. The new EPA bill seems to allow companies to do that. However, this is far from an ideal policy; it depends on the goodwill of companies to report to users, as well as their willingness to take on the U.S. government when they decide to challenge a gag order.
Most companies may not be so quick to tell their users about the requests, or they may be highly selective in who they choose to tell. It’s also not clear yet whether a National Security Letter could still prevent a company from reporting to users. However, chances are that the FBI could issue such a gag order, or at least it may interpret the law in that way (as it often does in its own favor). Then, even if the FBI is wrong, the companies would still have to challenge that gag order in court to escape from it.
The Good Parts
This whole disclosure issue aside, the bill was significantly worse a couple of months ago when it had special carve-outs for the government to request data without a warrant in “emergency” situations--a clause ripe for abuse. The carve-outs were eliminated in a recent update to the bill.
One of the Email Privacy Act’s main purposes was to eliminate loopholes that existed in 1986’s ECPA. One of them allowed the government to consider emails “abandoned” after six months, which may have made some sense back in 1986, but in today’s world where email service providers keep your data forever, it doesn’t.
Despite its misleading name, the Email Privacy Act covers all electronic communications, not just email. That should include texts and VoIP calls, as well.
The Senate Fight
Although things in the House went surprisingly well for privacy advocates, they are likely to go much less smoothly in the Senate, unless both people and companies make their voices heard and contact their Senators.
In the Senate, there are Dianne Feinstein (D-CA) and Richard Burr (R-NC), the co-sponsors of the recent anti-encryption bill, who may not be too supportive of this EPA bill. The two bills may both focus on warrants, but one tries to ensure that nothing can ever be hidden from the government, whereas the other tries to ensure that the government (almost) never requests information without a warrant. When looking at them from this perspective, the two bills couldn’t be more different.
There are also 25 Senators who have already cosponsored a similar bill in the Senate, written by Patrick Leahy (D-VT) and Mike Lee (R-UT). They said in an official statement:
“Today’s 419-0 House vote for the Email Privacy Act is an historic step toward updating our privacy laws for the digital age. It should go without saying that law enforcement agents should have to get a warrant to read Americans’ emails or retrieve their sensitive information from the cloud – yet that is not what our statutes currently require. It is long past time to reassure the American people that their online communications are protected from warrantless searches.”
Despite some of its issues, the EPA is still a strong privacy reform as it currently stands in the House version, and it's supported by the EFF, ACLU and other civil liberties groups. It remains to be seen if the Senate will be able to pass a similar bill before the two are merged and sent to President Obama to sign the unified bill into law.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.
Still wish notification was required as well. They notify you with a copy of the warrant when searching your house or property but no such courtesy online. Even after they have the data if nothing else. I understand that they fear it being deleted but once they have it, no reason not to give a heads up.
Think organized crime: when police request warrants for those, they usually coordinate strikes across dozens of locations to prevent accomplices and suspects from alerting each other and have a head-start on evidence destruction.
Or think wiretaps: you are rarely told about the wiretap until the evidence gathered through it is presented in court since telling before the investigation would make you that much warier of divulging any further information through those means and prevent investigators from getting that information.
A question would be how long does stuff stay on the server after you personally delete it. Rarely does "deleting" an email actually remove it from the email server. Profiles and such on social media are even worse. They hold onto data even after an account is deleted by the user. The bill points specifically to data that is over 6 months old (newer stuff already needs a warrant). Somehow I think this access probably includes stuff the user already feels is gone in many cases.
Protect me from drugs
Protect me from criminals sending emails
Protect me from terrorists
Often we need protected from the government more than anything else. The economy is in shambles, we are enslaved to debt, and we create a new terrorist organization on a weekly basis all while doing missile simulations on the coasts of Asia. These governments use each other to scare their citizenry into thinking an attack from a major country is imminent. It isn't going to happen. You're more likely to be killed by the police than a terrorist. And you're more likely to starve from unemployment than eat bad vegetables from an unregulated farmer.
That's not a fair across the board comparison. It doesn't take a Sherlock to understand that your risk of getting shot by police is many times higher if you are a criminal and live a criminal lifestyle. It goes up even higher if you point your gun at a cop or do not obey his commands. It is extremely low if you live a normal law abiding life. That's just common sense...no statistics needed (like the majority of those shot by cops have a criminal record).
On the flip side, you are supposed to go to a corner cafe in Paris, an airport in Brussels, or a government building in San Bernardino and not have to worry about getting blown up or shot up by terrorists because the government is supposed to be protecting us from armed terrorists (especially where fully automatic firearms are supposedly banned by the federal government powers-to-be).
Did you read the release? This law is actually a good one adding the requirement for a warrant when one was not required before. This is actually a good thing, unlike the other recent laws.
But I do agree, that we have let an imagined fear of "bad guys" doing all kinds of bad things erode our rights to the point they are almost not there anymore. I am not willing to give up my privacy and ability to protect myself online, simply so that someone else can't also.
But in the end this is a good law that hopefully gets the same treatment in the Senate and passes through intact. But somehow I doubt it as the Senate really seems to hate the individual right now. Business can do no wrong, but the individual should be feared and watched very very closely.
I believe it is a completely fair across the board comparison as an innocent can fully expect a terrorist attack against their life and property, but should they expect one from those sworn to protect and serve? I am not a utilitarian. One wrongful death from the police does not justify any number of good acts. Government agencies including police forces everywhere have gravely overstepped their moral boundaries. Even the mere harassment generated by patrol officers on a daily basis warrants the public's realization that they are a large menace to society. Perhaps, even more so than the uneducated, poor, and deranged lunatics that live thousands of miles beyond our borders. Lunatics who have absolutely no means to do us any harm whatsoever until our good friends in blue assist the government in extorting our tax dollars that are used to ship weapons overseas to them.
There is a connection and the police are the arm of the state. No matter their 'intentions' they do the will of their political masters. They cannot plead innocence until this ends.