February 7, 2017

The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge.

The House passed by a voice vote The Email Privacy Act (HR 387). The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.

But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge.

HR 387’s sponsor Kevin Yoder (R-Kan.) explained in a speech on the House floor Monday that back when the bill was passed, hardly anybody stored their personal correspondence “in the cloud.” He said the thinking at the time was that “if an individual was leaving an email on a third-party server it was akin to that person leaving their paper mail in a garbage can at the end of their driveway.”

“Thus, that individual had no reasonable expectation of privacy in regards to that email under the Fourth Amendment,” Yoder said.

Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said a simple subpoena also can get law enforcement the following information about communications records (in addition to the content of emails stored at a service provider for more than 180 days):

- name;
- address;
- local and long distance telephone connection records, or records of session times and durations;
- length of service (including start date) and types of service utilized;
- telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
- means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.

The Email Privacy Act does not force investigators to jump through any additional hoops for accessing so-called “metadata” messaging information about stored communications, such as the Internet address or email address of a message sender. Under ECPA, the “transactional” data associated with communications — such as dialing information showing what numbers you are calling — was treated as less sensitive. ECPA allows the government to use something less than a warrant to obtain this routing and signaling information.

The rules are slightly different in California, thanks to the passage of CalECPA, a law that went into effect in 2016. CalECPA not only requires California government entities to obtain a search warrant before obtaining or accessing electronic information, it also requires a warrant for metadata.

Activists who’ve championed ECPA reform for years are cheering the House vote, but some are concerned that the bill may once again get hung up in the Senate. Last year, the House passed the bill in a unanimous 419-0 vote, but the measure stalled in the upper chambers of the Senate.

The EFF’s Tien said he’s worried that the bill heading to the Senate may not have the support of the Trump administration, which could hinder its chances in a Republican-controlled chamber.

“The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.

Whether the bill even gets considered by the Senate at all is bound to be an issue again this year.

“I feel a little wounded because it’s been a hard fight,” Tien said. “It hasn’t been an easy fight to get this far.”

The U.S. government is not in the habit of publishing data about subpoenas it has requested and received, but several companies that are frequently on the receiving end of such requests do release aggregate numbers. For example, Apple, Facebook, Google, Microsoft and Twitter all publish transparency reports. They’re worth a read.

For a primer on protecting your communications from prying eyes and some tools to help preserve your privacy, check out the EFF’s Surveillance Self-Defense guide.


33 thoughts on “House Passes Long-Sought Email Privacy Bill”

  1. IRS iTUNE cards (real)

    It’s actually good seeing Congress doing something for a change instead of just collecting a paycheck.

    1. treFunny

      Don’t worry, they will get back to… doing nothing very soon

    2. peter

      It ain’t over ’till it’s over.

      The Senate has to vote on it, and then the President has to sign it (or let it become law without his signature).

      No-one knows how those two cycles will go.

      But I AM heartened by having it pass the House. That is indeed good.

  2. JCitizen

    Glad I saw this article, I’ll have to call my Senator to support this bill. Thanks Brian!

  3. Mike

    Just something to further confuse people.

    Email is not private. It never was. It never will be. There is absolutely nothing about it that can be.

    1. Robert.Walter

      So you’re saying that* the government will only get warrants to legally get copies of emails they have already read? (Which wouldn’t surprise me.)

      * assuming this bill passes the Senate and is signed by the president.

      1. Mike

        I’m not saying what the government will do. I have no idea what the government will do. I do know that ‘the government’ is run by politicians and politicians don’t generally care about the finer points of how IT gets done. They hire someone else to handle that (a friend of a friend of a friend whose uncle’s next door neighbor knows someone). It keeps distance between the law makers and the ones that do their bidding. The left hand does not know what the right hand does (and vice versa).

        It should be obvious to the world that ‘the Washington Establishment’ understands nothing about technology. They just want to use it to gain and maintain power.

        Don’t get caught up in the minutiae.

    2. Emmanual J

      Yet, many e-mail providers nowadays encrypt mail sent between servers using ESMTPS or similar technologies, leaving the mails only readable to the e-mail providers’ servers and not to any eavesdroppers in between these.

      1. Mike

        Think about that for a moment. By law (or by hacking/infection…..take your pick), the email providers’ servers are already compromised. Encryption makes little to no difference when the code is backdoored.

        You’re using other people’s computers, not machines that you own or control. The only thing the end user has is whatever level of ‘faith’ they might place in the advertised functionality of the system.

        All email should be treated as insecure just as every gun should be treated as loaded just as every website should be treated as suspect. Most especially when so much of it comes in through cloud servers that are owned by a contractor’s vendor that has been contracted out by another vendor.

    3. Catwhisperer

      The only way it can be private is if it is encrypted before sending and decrypted after reception. But the reason it isn’t commonly used is that it is relatively hard to implement for the non-technical user, and it requires both sender and recipient to have the capability. It also isn’t that strong, at least PGP. A good article with respect to Windows is here: http://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744

      Just Google “email encryption” for other methods. Different versions of Outlook support email encryption, but you still have to swap certificates with your recipients…

      1. Mike

        If few people are going to use it, then it isn’t worth much. Considering how many emails the average person gets in their in-box per day.

        That doesn’t even take into account that so many emails get sent and received using infected/compromised equipment. What good is encryption when you’re infected with a key logger (local or cloud based)? Even on a fully updated and patched machine, there are still any number of potential issues with any one of the websites you have pulled up or apps you’re currently running.

        Encryption might be alright for message content but you still have meta data that must be read in order to direct the email properly. For many people, this entire argument isn’t about anything but the meta data.

        When it’s all said and done, I place no real value on encryption. Encryption was given to wifi and it still got cracked. It just isn’t much more than a panacea, which might explain why so few people are motivated enough to actually use it.

  4. Mark

    Just use protonmail or any other similar service and you don’t need to worry about your email being read easily.

    1. Ryan

      Don’t get me wrong that while this is a good point, it should be noted for the novice readers that simply using an encrypted email service such as ProtonMail doesn’t protect email sent to non-encrypted users. To elaborate, if you send me an email at my aol.com email address and I choose to keep that email, I could be subpoenaed and it’s almost a moot point then basically.

      Now if only everyone would use encrypted email and it was easier to setup for the less savvy user, it’d be a different story of course.

  5. Zeno

    What if at an airport the agents ask to enter the device password to a cellphone to get access to the gmail app?
    Or what if they open a browser and force the cellphone owner to enter e-mail password?
    As far as I know, they treat the customs area as a no-land zone where privacy laws (and only them) do not apply.
    Probably will be the same also for this one. Innit?

    1. Catwhisperer

      Ensure that the phone doesn’t turn on. Sorry sir, the battery is dead… 😉 Personally, that doesn’t appear to be a problem for a majority of travelers unless they are crossing from certain suspect countries.

      1. JOhn

        I suspect that such a response to CBP will result in a much longer stay with them.

  6. hou

    What a heck???
    I don’t understand a single word here????
    Old times ago it was simple, yes money or no money,
    cash and to pocket. Then to Western Union or MoneyGram location,
    do share profit with coworkers, but now all that tech stuff,
    old school guys can’t do nothing anymore, you need 10 years university to understand nowadays bs.
    It’s too complicated, people, can you please make life much easier,
    old school people don’t understand nothing anymore

  7. InfoTechAngel

    So when this bill goes to the Senate, to which committee will it go? I want to know which Senators to contact.

    1. InfoTechAngel

      I just found out that it goes to the judiciary committee. It’s not on their calendar yet.

    2. petepall

      In my experience, if your zip code isn’t in the Senator’s state, you cannot contact him/her. Only constituents can. Having said that, there may be a way to communicate with a given Senate Committee, like Judiciary,

      1. Clovis

        You can communicate with any official. Just put your zip code in. It will go through. Will the (likely) scumbag official care if you aren’t a constituent? Not as much. The zip code thing is meant to make you think they won’t get it, THEY WILL.

        You can do what I did and tell the head of the Senate Select Committee on Intelligence that someone is going to jail for the crimes Snowden revealed. Then you get FOXACID attacked or referred to a lowly drone working at US Cyber Command who tries to attack you when you send email to said scumbag. They lost their moral standing with their actions, they lost the argument even more with these tactics, so jail is definitely in some of their futures.

        I am no super fan of everything about Sen. Wyden, but he made them vote on telling the American people in 2013 BEFORE the revelations. They voted to lie to us (Clapper should be in jail for lying) and Snowden went over them to us.

        It is not that the emperors have no clothes, it’s that they are not even emperors at all.

  8. Winston

    Great, one small step forward. How many tens of steps have we taken backward? Headline:

    Obama expands the NSA’s ability to share data with other agencies
    The NSA can more easily disseminate “raw signals intelligence information” among the CIA, FBI and others
    Jan 12, 2017

    1. The Phisher King

      Raw SIGINT is unprocessed Collect pertaining to specified targets of interest and for the most part includes little to no email (unless it is transmitted over a carrier that the NSA has access to).
      Ways to become a target of interest:
      1. A judge issues a warrant for your comms to be intercepted
      2. Be on a terror watchlist
      3. Make threats against an elected official
      4. Be in the US (either permanently or temporarily), but not be a citizen or permanent resident (think foreign diplomats etc)
      5. Be reported for making pro-terror, anti-American statements on your social media
      6. Have previously worked, or currently work, for a foreign intelligence agency
      7. Have left or attempted to leave the US to go fight for a foreign terror group
      8. Be in a relationship with someone who meets the requirements for one or more of 2-7 above
      So if you meet any of these conditions then congratulations, the government is probably recording your phone calls, your social media and email (when they can get it).
      Most SIGINT is never processed (less than 30%), i.e. while recorded no-one ever reads it or listens to it. This is because it is not humanly possible to go through that amount of raw data unless you had many tens of thousands of people to do it.
      Hence the desire for the NSA to allow foreign access to raw SIGINT – they simply miss so much of potential value by not having enough eyeballs and earballs to do anything useful with it.

  9. Relevant

    The Google Transparency report that you linked to had a table in the “Detailed Data” section that would be enlightening for the readers of this article. For example, there were over 16k subpoenas for users/accounts from January to June 2016, that is compared to 8k search warrants for the same time period. The table clearly shows authorities are relying on subpoenas to do the heavy lifting in their investigations.

    1. anonymous

      No, we get to see the 2 million that Cheney deleted

  10. Stratocaster

    I presume you will inform us when Steve Bannon signs the bill into law or vetoes it.

  11. SeymourB

    “The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.

    Last year Democrats had fewer Senators, not more. They picked up seats in 2016.

    Is he referring to seats on the Judiciary committee?

  12. Liz

    Let’s hope this is passed by both houses and becomes law. However, citizens still need to take steps to protect themselves by encrypting their email with a service like StartMail.com!

  13. Bill

    Our new SecureMyEmail service https://www.securemyemail.com is also a nice encryption option. PGP at its core but dead simple with easy use on other devices and inviting of contacts. Just like setting up any other email app. The advantage is that it provides end-to-end encryption for *any* email address so you can encrypt your gmail, Yahoo mail, work email, etc.
