Should the contents of email messages be protected from unwarranted law enforcement scrutiny to the same extent as physical letters sent through the mail? The answer seems obvious. Email is today’s postal service, and the personal contents of email messages are as private to people as the letters sent through the U.S. Postal Service.
But as obvious as that may seem, it is not what the law states. Today, some of the contents of email—most notably emails stored on a server, such as through Gmail—are not as well-protected.
To read Americans’ mail as it is in transit with the Postal Service, the government generally needs a warrant issued by a neutral magistrate and must have probable cause to believe the search will provide evidence of a crime.
To read the content of email messages stored on a cloud server, the government does not need a warrant at all—it can view the content by issuing a subpoena to the cloud service provider. Unlike a warrant, a subpoena is not based on probable cause and is not reviewed by a judge before it is issued. In practice, it is issued by a prosecutor, is unchecked by a judge and can be based on most any ground.
The reason for this difference in treatment is more historical than malevolent. The law that protects email communications—the Electronic Communications Privacy Act —was written in 1986, when Gmail did not exist, cloud servers were a dream of the future and nobody could imagine storing email for any length of time because digital storage costs were so high.
As a result, under current law, as data moves from local storage to the cloud, the government argues it does not need to ask the owner of the data for permission to see it. Instead, the government claims it can go to the cloud provider, demand the data with a subpoena and prohibit the data owner from being notified. This law needs to change: When government agents want Internet service providers and cloud providers to disclose sensitive data, they should have to obtain a warrant from a judge.
In addition, the current rules are absurdly complicated. There is one rule for “opened” email, a different rule for unopened. There is also one rule for email less than 181 days old and a different rule for email 181 days or older. Even large companies, with teams of lawyers and paralegals, find the complexity of the law a burden. Start-ups must spend time and money on lawyers that would be better spent finding new ways to innovate.
In short, technology has changed the way Americas live. Today most people store their emails in the cloud. But the law has not kept up. That is why Congress needs to modernize the law. In both the last Congress and this one, bipartisan bills have been introduced in both houses of Congress to make the Electronic Communications Privacy Act relevant for the 21st century. In the last Congress, the bill never made it to the floor of either body. In the 114th Congress, both chambers should give the proposals plenary consideration.
Reform of the Electronic Communications Privacy Act must not be allowed to affect intelligence investigations and counterterrorism programs. The Foreign Intelligence Surveillance Act has its own set of rules for government access to email and documents stored in the “cloud.” Reform legislation will not affect those rules in any way.
The time is ripe for change and the principle is clear—in the normal law enforcement context, police and FBI officers should have no more access to Americans’ stored email than they do to private letters stored in a trunk in the attic.