Washington — In the next couple of weeks, the House Judiciary Committee will likely mark up the Email Privacy Act, the leading bill aimed at reforming the Electronic Communications Privacy Act (ECPA). ECPA governs the circumstances under which online service providers may disclose the contents of communications or customer records to the government. CCIA strongly supports the passage of clean ECPA reform legislation, as introduced by Representatives Yoder and Polis in the House and Senators Leahy and Lee in the Senate. These bills would update ECPA to require that law enforcement obtain a warrant prior to requesting the content of any electronic communications from service providers.
The current version of ECPA allows service providers some discretion over whether to turn over to the government the information requested under its provisions in those circumstances where a judge has not approved the request. This includes emergency situations (governed by 18 U.S.C. 2702(b)(8)), where death or physical injury may occur if the information requested is not turned over and the government does not have time to obtain a warrant from a magistrate.
This discretion would be preserved under the clean Email Privacy Act bill, for sound reasons. The first is that companies readily respond to almost all emergency requests from the government under current law. Per Google’s most recent transparency report, the company received a total of 171 emergency disclosure requests for user data in the last 6 months of 2014, which affected 272 total users or accounts. This is a minuscule portion of the 900 million active Gmail users in 2015. Google produced some data in response to 80% of those requests, leaving just 34 requests that did not yield data for the government.
Service providers can determine not to provide data in response to an emergency request from the government for a range of reasons, including that they simply may not have any responsive records. The discretionary determination also allows service providers to appraise whether a particular request meets the exigency threshold required by the ECPA. If insufficient facts are alleged, service providers are loath to violate their users’ privacy. Nothing prevents the government from seeking mandatory disclosure pursuant to a warrant in the uncommon instances in which they do not receive responsive data.
This discretionary function on the part of online service providers is important to maintain in any ECPA reform legislation for another key reason: the FBI’s propensity for abuse of emergency exception authorities. In 2010, the Inspector General of the Department of Justice issued a report on the FBI’s use of “exigent” letters and other informal emergency records requests. The IG report found that there was widespread use of exigency authorities that did not comply with legal requirements, including requests with insufficient factual bases, inaccurate or false statements about the existence of an emergency, or a failure to specify a date range for requested data. In circumstances where there is no judicial oversight of law enforcement requests for user data, it falls to the service provider to balance users’ privacy rights with the government’s need for information. The IG report makes evident that service provider discretion is particularly necessary to protect privacy rights in the context of emergency law enforcement requests.
Under the existing emergency exception in ECPA, the vast majority of law enforcement requests are complied with. Only a small number of requests are sent back, and even then, only in instances where the government has not met the statutory burden or has issued a potentially abusive request. Affording service providers some discretion in responding to emergency requests is a necessary tool for protecting users’ privacy while ensuring that truly exigent situations receive immediate action. The current system is effective given these competing interests, and should remain intact as ECPA reform efforts pick up steam in Congress.