Under the 1986 Electronic Communications Privacy Act (ECPA),1 the government has relatively easy access to a vast amount of data stored online, and account holders have little recourse. For years, privacy advocates have urged that the statute be amended, since the law predates the widespread use of email and the cloud storage of data, among other innovations. In response, Senator Patrick Leahy (D-VT), chair of the Senate Judiciary Committee, has proposed amendments to ECPA that may result in some additional protections being added in 2013.

Under the current version of ECPA, the government can obtain access to email stored online for more than 180 days by merely presenting a subpoena to the Email Service Provider for the contents of the user’s email account.2 A court’s review and approval are not required. Subpoenas may be challenged in court, but challenges to subpoenas, particularly grand jury subpoenas, are rarely successful.

To obtain more recent messages, the government must proceed by a search warrant, which requires judicial approval.3 The warrant must be supported by probable cause and describe the things to be seized with particularity, to protect against “the ‘general warrant’ abhorred by the [18th century American] colonists” and a “general, exploratory rummaging in a person’s belongings.” The search should be as limited as possible so that invasions of privacy and property are not greater than necessary.4

For example, in United States v. Cioffi, the U.S. District Court for the Eastern District of New York (J. Block) held that a search warrant for the contents of a Gmail account violated the Fourth Amendment because the warrant failed to limit the items sought to emails containing evidence of the particular crimes being investigated. Judge Frederic Block reasoned that “whatever new challenges computer searches pose in terms of particularity, it is always necessary—and hardly onerous—to confine any search to evidence of particular crimes.”5

As straightforward as that proposition is, courts routinely grant warrants for all contents of an email account, and such warrants have been upheld when challenged as being unconstitutionally overbroad.6 Moreover, because the government appears ex parte before the court when seeking a search warrant, there is no opportunity to challenge a warrant before it is issued.

It is also noteworthy that, in response to a search warrant for an email account, the government may receive documents that far exceed the scope of the warrant. Even where a search warrant for the contents of an email account is limited on its face to the evidence, instrumentalities, and fruits of specific crimes, the warrant typically has an attachment seeking the entire contents of a user’s email account for a given time period. The recipients of those instructions typically comply, and turn over all account data.

Limiting Intrusion

Courts have struggled to determine what best practices the government should use to limit the intrusion by culling out documents not subject to the warrant before the government performs its review. Suggestions have included using key word searches to separate relevant from irrelevant documents and using a screening team to review the documents and provide the government only the documents subject to the warrant. But courts have not generally required the government to commit to a search protocol before issuing a warrant.7

As indicated, the owner of the email account is unlikely to know when an Email Service Provider receives a search warrant, or to be in a position to object to its issuance. He may or may not be informed when an Email Service Provider has received a subpoena, as ECPA has broad provisions allowing the government to delay in notifying the owner of the data.8 If an Email Service Provider has a policy of informing users when their data is sought by the government, unless notice is prohibited by law or a court order, the notice may allow the user the opportunity to challenge a subpoena, although, as previously noted, few such challenges are successful.9

Some companies go further in attempting to protect their users’ data. When a court determined that a criminal defendant, charged with disorderly conduct for allegedly marching on the portion of the Brooklyn Bridge reserved for cars as part of an Occupy Wall Street protest, lacked standing to quash a subpoena for data from a Twitter account, Twitter attempted to quash the subpoena, but was unsuccessful.10 More frequently, however, users learn that the government has accessed their data only after the invasion has already occurred and the damage is done.

Amendments Proposed

There may be some relief in the works. In May 2011, Senator Leahy proposed amendments to ECPA that would require a warrant for all government searches of electronic data. After Leahy proposed the amendments, the U.S. Department of Justice and other law enforcement agencies objected to the proposed changes, since the amended statute would require them to obtain search warrants in more circumstances than required under current law.

Although it was reported by CNET.com on Nov. 20 that Leahy had succumbed to the pressure and rewritten the bill to “allow more than 22 agencies—including the Securities and Exchange Commission and the Federal Communications Commission—to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant,”11 Leahy tweeted later that same day that he did not support the reported rewrite, and would not abandon the proposal for requiring warrants.12 The version of the bill that was subsequently circulated on Nov. 26 included the requirement that the government obtain a warrant to access all email, regardless of how long it had been stored. On Nov. 29, the Senate Judiciary Committee approved the new language, and it will next be submitted to the full Senate for a vote, which is likely to happen this year.

While the proposed amendments to ECPA would require the government to obtain a search warrant before accessing online user communications, regardless of the age of the data, the government will still be able to obtain broad access to user data stored online so long as it provides sufficient support. Moreover, unless the courts more stringently enforce the particularity requirement, the government will receive and review documents outside the scope of a warrant while executing its search. Accordingly, emails using web-based data storage, like Gmail, communications through Facebook, and messages sent through other websites and applications are not really private. They are preserved by entities other than the sender and the recipient, can exist practically forever, and may be accessed fairly easily by the government. While convenient, email is not truly confidential.

Bridget M. Rohde is a member at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo and a former chief of the Criminal Division of the U.S. Attorney’s Office for the Eastern District of New York. Sara J. Crasson is a senior associate at Mintz Levin.

Endnotes:

1. Pub. L. No. 99-508, 100 Stat. 1848 (codified in sections between 18 U.S.C. §§2510-3127).

2. 18 U.S.C. §2703.

3. 18 U.S.C. §2703.

4. Coolidge v. New Hampshire, 403 U.S. 443, 467 (1971), overruled in part, on other grounds, by United States v. Williams, 592 F.3d 511, 523 (4th Cir. 2010).

5. 668 F.Supp.2d 385, 396 (E.D.N.Y. 2009) (citing United States v. Riccardi, 405 F.3d 852, 862 (10th Cir. 2005)).

6. See, e.g., United States v. McDarrah, 2006 U.S. Dist. LEXIS 48269, aff’d, 351 Fed. Appx. 558 (2d Cir. 2009).

7. See United States v. Bowen, 689 F.Supp.2d 675, 681 (S.D.N.Y. 2010).

8. 18 U.S.C. §2705.

9. See, e.g., Michelle Maltais, “Cloud Services and Search Warrants: When Are Users Notified?” Los Angeles Times, April 27, 2012.

10. See New York v. Harris, No. 2011NY080152 (N.Y. Crim. Ct., Decision and Order dated June 30, 2012); “Judge: Twitter Must Turn Over Occupy Wall Street Protester’s Tweets,” nbcny.com, July 2, 2012.

11. Declan McCullagh, Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants, CNet.com, Nov. 20, 2012.

12. Tweet of Senator Patrick Leahy, @SenatorLeahy, 10:01 a.m., Nov. 20, 2012.