Krebs on Security, February 7, 2017
In-depth security news and investigation
On Monday, the U.S. House of Representatives approved a bill that would update the nation’s email surveillance laws so that federal investigators must obtain a court-ordered warrant to access older stored emails. Under current law, U.S. authorities can legally obtain emails that have been stored with a third-party provider for more than 180 days using only a subpoena issued by a prosecutor or FBI agent, without the approval of a judge.
The House passed the Email Privacy Act (HR 387) by voice vote. The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute originally designed to protect Americans from government overreach. Unfortunately, the law is now so outdated that it provides legal cover for the very sort of overreach it was meant to prevent.
Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email in transit over the network essentially the same protection as a phone call or a postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.
But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge.
HR 387’s sponsor, Kevin Yoder (R-Kan.), explained in a speech on the House floor Monday that back when ECPA was passed, hardly anybody stored their personal correspondence “in the cloud.” He said the thinking at the time was that “if an individual was leaving an email on a third-party server it was akin to that person leaving their paper mail in a garbage can at the end of their driveway.”
“Thus, that individual had no reasonable expectation of privacy in regards to that email under the Fourth Amendment,” Yoder said.
Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said a simple subpoena can also get law enforcement the following information about communications records (in addition to the content of emails stored at a service provider for more than 180 days):
-local and long distance telephone connection records, or records of session times and durations;
-length of service (including start date) and types of service utilized;
-telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
-means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.
The Email Privacy Act does not add any hurdles for investigators seeking so-called “metadata” about stored communications, such as the Internet address or email address of a message sender. Under ECPA, the “transactional” data associated with communications, such as dialing information showing what numbers you are calling, is treated as less sensitive than the content of the communication itself. ECPA allows the government to obtain this routing and signaling information with something less than a warrant.
The rules are different in California, thanks to the passage of CalECPA, a state law that went into effect in 2016. CalECPA not only requires California government entities to obtain a search warrant before obtaining or accessing electronic information, it also requires a warrant for metadata.
Activists who have championed ECPA reform for years are cheering the House vote, but some are concerned that the bill may once again get hung up in the Senate. Last year, the House passed the bill in a unanimous 419-0 vote, but the measure stalled in the Senate.
The EFF’s Tien said he’s worried that the bill heading to the Senate may not have the support of the Trump administration, which could hinder its chances in a Republican-controlled chamber.
“The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.
Whether the bill even gets considered by the Senate at all is bound to be an issue again this year.
“I feel a little wounded because it’s been a hard fight,” Tien said. “It hasn’t been an easy fight to get this far.”
The U.S. government is not in the habit of publishing data about the subpoenas it issues, but several companies that are frequently on the receiving end of such requests do release aggregate numbers. For example, Apple, Facebook, Google, Microsoft and Twitter all publish transparency reports. They’re worth a read.
For a primer on protecting your communications from prying eyes and some tools to help preserve your privacy, check out the EFF’s Surveillance Self-Defense guide.