Congress could blow an opportunity to fix a major email privacy issue

Email privacy
Email privacy

Congress could fix this email privacy issue, but might not. ˉ\_(ツ)_/ˉ

The 114th Congress’ time is running out, but there’s still time for it to fix an obsolete email privacy law that almost everybody agrees is broken. But even though the privacy-reform bill to fix those problems, H.R. 699, otherwise known as the “Email Privacy Act,” won unanimous passage in the House back in April, you can’t rule out Congress failing to finish the job, because that’s what tends to happen on Capitol Hill when tech policy comes up.

The ‘80s relic that is “ECPA”

The broken law in question is the Electronic Communications Privacy Act of 1986, and it’s aged about as well as that year’s hairstyles. The worst of its provisions is one that allows law-enforcement investigators to demand email stored online for more than 180 days with only a subpoena — instead of having to get a judge to issue a warrant specifying the records to be produced.

Even in 1986, it shouldn’t have been a foreign concept that people would keep mail on a remote computer instead of only on their own machines. There were such things as dial-up bulletin-board systems, which allowed users to store and download their messages on a central server, but not that too many people near Congress would have been using them.

But the thinking behind ECPA held that anything left to linger on a server for more than 180 days might as well be abandoned property, unworthy of the traditional protections accorded to messages saved on your own computer, or paper letters in your own home.

The only meaningful dent in that policy came in 2010, when the U.S. Court of Appeals for the Sixth Circuit held that ECPA’s 180-day rule was unconstitutional. Although that ruling was only binding in that circuit’s territory — Kentucky, Michigan, Ohio and Tennessee — major webmail providers began holding investigators to that standard nationwide, insisting on a warrant for stored email.

The crazy thing is, these companies (including Google and Yahoo Finance’s publisher Yahoo) didn’t think to tell their users about this stronger defense of their privacy until January of 2013. That was several months after ECPA began showing up in news stories about the Gen. David Petraeus sex scandal.

It’s now been over three and a half years since the mass-market irrelevance of that part of ECPA has become common knowledge, and the law remains on the books unaltered.

Not for lack of trying

After several years of having attempts to fix ECPA in Congress run aground, we’re now closer than ever. The Email Privacy Act passed the House by a vote of 419 to zero in late April.

So Senate passage in the remaining weeks of this session should be a sure thing, right?

Advocates of ECPA reform are not overflowing with confidence.

“Given the fact that the bill has passed out of the House overwhelmingly, and there is strong support in the Senate… I think there’s certainly a path for ECPA reform,” said Michael Petricone, vice president of government affairs of the Consumer Technology Association.

“It’s certainly possible that the House’s strong support could mean it gets included in some year-end package,” said Chris Calabrese, vice president of public policy at the Center for Democracy & Technology. “Is that super likely? Probably not, but it’s also certainly a possibility.”

The alternative is that the bill won’t get out of the Judiciary Committee, where it’s been stuck since April as some lawmakers have sought to amend it to give the government more investigative powers — a common reflex after terrorist attacks.

For instance, after June’s mass shooting at a nightclub in Orlando, a measure that would have let the Federal Bureau of Investigation inspect a person’s Internet use in detail without a court order barely failed to clear the 60-vote threshold needed to avoid a Senate filibuster.

Change is hard

If the Email Privacy Act gets dragged to the trash, it will at least have good company there.

Congress also looks increasingly likely to do nothing on patent reform, once again preserving the market “patent trolls” that make nothing and instead buy up patents so they can then shake down random companies with threats of lawsuits for allegedly infringing them.

A comprehensive patent-reform bill has once again stalled, and things don’t look much better for a narrower measure that would require patent-infringement lawsuits to be contested where the involved companies actually do business. That would help keep trolls from filing suits in the notoriously plaintiff-friendly Eastern District of Texas.

The last best hope for tech-policy action may come in a bill that just cleared the House: The Consumer Review Fairness Act would strike down clauses in contracts between merchants and customers that allow businesses to punish consumers for saying mean things about them.

But meanwhile, an older bill that would extend nationwide consumer protections against lawsuits filed by companies and businesses to shut down public criticism looks to finish the year in a Congressional penalty box.

Change does take time. Congress did not vote to limit the National Security Agency’s bulk surveillance of American citizens until two years after Edward Snowden’s disclosures of such activity.

So tech-policy advocates promise that if they can’t make things happen in 2016, there’s always next year. As CDT’s Calabrese said about ECPA reform: “If it doesn’t happen in this Congress, we’re also teed up for action in the next Congress.” Or, presumably, the one after that.

Email Rob at [email protected]; follow him on Twitter at @robpegoraro.

More from Rob:

Advertisement