Does the FTC need new tools to help it gain access to emails in civil cases?

6 October 2015. By Claude R. Marx.

While privacy supporters are often an eclectic bunch, a bill governing access to e-mails has triggered even more unusual alliances and divisions than normal. The proposed legislation is also raising concern in many circles about the danger of giving the federal government another power.

A coalition of privacy advocates, Internet service providers and software companies is fighting representatives of key government agencies such as the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. To add to the drama, a Democratic FTC commissioner is opposing her own agency and the position of the Obama administration.

At issue are bills in the House and Senate to update an almost 30-year-old electronic privacy bill, the Electronic Communications Privacy Act (ECPA), first passed in 1986. The measure updating it would require government agencies or law enforcement to obtain a warrant in criminal cases in order to access e-mail or electronic records that have been stored longer than 180 days.

Both measures have bipartisan support. The Senate bill was introduced by Mike Lee, a Republican from Utah, and Patrick Leahy, a Democrat from Vermont. Representative Kevin Yoder, a Republican from Kansas, and Jared Polis, his Democratic colleague from Colorado, are the main sponsors of the House bill.

The agencies want a carve-out that would set up a separate process for them to obtain a warrant-like document that applies to civil cases, such as those handled by the FTC.

Last month, FTC lawyer Daniel Salsburg told the Senate Judiciary Committee (See FTC:WATCH, No. 880, Sept. 18, 2015) that the commission wants Congress to provide a mechanism that would authorize the agency to seek a court order directing an Internet service provider to produce the content if the FTC can establish that it has sought to compel it directly from a target of its investigation, but the target has failed to produce it.

FTC Commissioner Julie Brill has publicly disagreed with the agency’s request. In an e-mail response to questions from FTC:WATCH, Brill asserted that the agency’s ability to go after wrongdoing hasn’t been adversely affected without such a provision, because it has been able to accomplish those goals with existing tools. She also thinks the reform would encroach on privacy unnecessarily.

“The [c]ommission is highly effective in uncovering the identities and finding the locations of fraudsters and other targets by seeking basic identifying information under other provisions of ECPA that are not at issue in the ECPA reform discussions,” Brill wrote.

“We are also very often successful in tracing the flow of ill-gotten money and locating assets that may be used for consumer redress through authority that is entirely separate from ECPA. And we routinely obtain the contents of relevant documents, including nonpublic e-mails and other messages, either directly from targets or from third parties who are not subject to ECPA,” she wrote.

“We do encounter obstacles to our enforcement efforts — the largest ones being wasted assets and inability to satisfy judgments against foreign defendants. An inability to obtain content from ECPA providers is not one of our obstacles,” she wrote.

Brill, who has been the commission’s most vocal member on privacy issues, has at times been at odds with the business community on how to balance commercial interests and privacy.

But in this case, her views align with those of the Business Software Alliance. Victoria Espinel, the trade group’s president, has spoken out against the proposed government carve-out, and contends that privacy protection is economically beneficial.

“Ensuring that customers have faith in the security and privacy of their e-mail and other online data is vital to ensuring their trust in digital services. Simply put, if consumers do not trust technology they will not use it. That result would have damaging implications for general productivity and the continuing growth of the digital economy,” she told the Senate panel.

While Brill differs with the FTC on this issue, she declined to talk about how the agency came up with its opinion, and other agency officials declined comment.

One of the reasons that the ECPA needs to be updated is that in 2010, the U.S. Court of Appeals for the Sixth Circuit ruled in U.S. v. Warshak that the content of e-mails is protected by the Fourth Amendment and that the government erred in seeking and obtaining 27,000 e-mails from the plaintiff’s Internet service provider as part of an investigation without having first obtained a warrant.

A three-judge panel of the Cincinnati-based court unanimously ruled that “an ISP is the functional equivalent of a post office or a telephone company” and it “would defy common sense to afford e-mails lesser Fourth Amendment protection.” The judges added that “to the extent the SCA [Stored Communications Act, a section of ECPA] purports to permit the government to obtain such e-mails warrantlessly, the SCA is unconstitutional.”

At issue is the modern-day interpretation of the Fourth Amendment to the Constitution, which states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

U.S. v. Warshak was never reviewed by the Supreme Court and has been considered established law. The high court in recent years has taken an expansive view of privacy protection when it comes to data stored by technological equipment. Last year, the justices ruled unanimously in Riley v. California that police cannot search the cell phone of a criminal suspect without obtaining a search warrant.

The court has evolved quite a bit when it comes to protecting private communications from government scrutiny. In a 5-4 decision in Olmstead v. United States in 1928, Chief Justice William Howard Taft wrote for the majority that “a standard which would forbid the reception of evidence, if obtained by other than nice ethical conduct by government officials, would make society suffer and give criminals greater immunity than has been known heretofore.”

The dissent of Justice Louis Brandeis previewed what would be the prevailing interpretation of the law. He wrote: “[I]f the government becomes a lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy.”

It took 39 years for the high court to change its mind. The decision was reversed, 7-1, in 1967 in Katz v. United States. And today there is a heavy burden on government to prove that it needs access to communications.

But the jurisprudence in this area is not clear cut. Several Supreme Court decisions established a “third-party doctrine,” which states that people can’t necessarily expect the same level of privacy protection if they turn over information to a third party.

Privacy law scholar Susan Freiwald said that because of the varied court decisions and the fact that ECPA is 29 years old, Congress should update it. She urges lawmakers to strike a delicate balance when doing so.

“It is way out of date and way underprotective,” Freiwald, a law professor at the University of California, San Francisco, told FTC:WATCH. “There are privacy interests, but those have to be balanced with other concerns, like law enforcement. And there is the perennial problem of how you make a law passed today relevant to tomorrow’s problems.”