That was the most striking message with which U.S. Rep. Jared Polis, D-Colo., left a Boulder Startup Week crowd recently as he discussed the importance of the Email Privacy Act.
The proposed legislation would require federal law-enforcement agencies to acquire a probable-cause warrant before accessing citizens’ emails, text messages, photos and other content stored in the cloud by third-party providers.
Because of a loophole in the 1986 Electronic Communications Privacy Act, the law does not assume a reasonable expectation of privacy for such content that is more than 180 days old. Both criminal and civil agencies – such as the Internal Revenue Service and Securities and Exchange Commission – need only a subpoena to access that content when conducting investigations, leaving open the possibility of overly broad searches.
“As new technology is developed, the legal framework to protect people’s privacy has not kept up,” said Polis, lead Democratic sponsor of the Email Privacy Act.
As more awareness is raised around the issue, Polis said, it’s conceivable that informed consumers could start using email providers based in other countries if they believe privacy laws there are more robust, thus hurting American businesses.
“It causes global customers and American customers to doubt American service providers,” Polis said. “So, across the world, they’re seen as in league with the American government just as we all view Chinese service providers to be in league with the Chinese government.
“It’s not something that kills business overnight. But it starts. It’s 1 percent today and 3 percent next month.”
Introduced early in 2013, the Email Privacy Act – which does not cover the government’s secret agencies –soon was overshadowed by last summer’s revelations that the National Security Agency had been doing bulk collection of Americans’ electronic content from service providers without their knowledge. The Freedom USA Act was passed in the House on May 22 to rein in some of the NSA’s bulk-collection authority granted in the wake of the Sept. 11, 2001, terrorist attacks, although Polis, a co-sponsor of that bill, voted against it because of last-minute changes he felt left it too watered down.
While the Email Privacy Act, House Bill 1852, has yet to advance out of the House Judiciary Committee, it continues to gain steam by adding co-sponsors. The bill has 211 co-sponsors and wide bipartisan support. Seven more co-sponsors would give it a majority in the House of Representatives, meaning there would be enough signatures to file a discharge petition to force the bill through committee for consideration on the floor.
With both businesses and the privacy community on board, the bill has built momentum despite the objections of civil law enforcement agencies, most notably the SEC.
SEC officials have argued that the bill would significantly hamper its investigations because the agency does not have the authority to attain search warrants unless it is working in conjunction with a criminal prosecutor. That’s certainly not always the case given that not all of its investigations are criminal in nature.
Jerry Rome, Colorado’s Division of Securities commissioner, said his agency is in a similar situation as the SEC in that it already has to jump through certain hoops to subpoena people’s electronic content. Those include proving the investigation is for a lawfully authorized purpose, that the information sought is relevant to the inquiry, and that the subpoena is specific to documents only relating to the inquiry. There also is a requirement to serve notice to individuals whose content is being sought.
“We think there are protections for individuals in place now,” Rome said, “and the amendments could have a negative impact on some of our investigations.”
Paul Ohm, an associate professor at the University of Colorado’s law school, acknowledges that fishing expeditions by government agencies to snare broad swaths of content might be possible in theory but aren’t realistic because of service providers’ ability to go to court in an attempt to quash subpoenas they believe are overreaching.
But he also said the standards for subpoenas are much lower in some states than others, and the differences between subpoenas and warrants at the federal level are significant. And, Ohm said, even notice requirements can be circumvented or delayed if there is sufficient reason to believe that serving notice to the subject of an investigation would hinder the inquiry.
Often by the time notice is served, people’s data already has been mined, said Rich Stevens, a University of Colorado journalism professor who also specializes in privacy issues, meaning the only issue they can contest is whether that data is admissible in court.
Privacy experts believe a lack of knowledge by the public of government agencies’ abilities to access their information is one of the most important reasons measures such as the Email Privacy Act are needed. Especially as more civic functions are carried out online, Stevens said, he worries what would happen if, 10 years from now, procedures such as voting are carried out online without proper privacy protections in place.
As for Polis’ assertions that concerns about privacy could cost American service providers customers in a global marketplace, Ohm and Stevens have mixed feelings.
While privacy restrictions are more robust in some European countries, for instance, some of those restrictions have more to do with what companies can do with people’s private information rather than what the government can do.
Also, just because you’re storing your data in a server in a country where there are greater privacy restrictions, it doesn’t mean the American government couldn’t find other avenues for access as your data travels across the Internet to get to that foreign server. In that way, Stevens said, the Internet is “still kind of like the Wild West.”
Therefore, he said, there is still an important need for privacy reform in this country.
“It’s really a messy system,” Stevens said. “Most of us operate delusionally in a way that we trust that our data is being responsibly handled – even though it’s probably not.”
Joshua Lindenstein can be reached at 303-630-1943, 970-416-7343 or firstname.lastname@example.org. Follow him on Twitter at @joshlindenstein.