The Washington PostDemocracy Dies in Darkness

Why the FTC, America’s top privacy regulator, actually hates a privacy bill everyone else seems to want

(REUTERS/Tim Wimborne)

By now, Americans are all too familiar with the ways hackers can gain unauthorized entry into their personal accounts online. But did you know that the government can currently seize many of your e-mails without even getting a warrant?

That's the result of a gaping loophole in a nearly 30-year-old law known as the Electronic Communications Privacy Act. Despite its name, ECPA doesn't do as much to protect your information as you might think. E-mails that have been sitting in your inbox for more than six months can, under the law, be seized by federal officials with little more than a request to your e-mail provider. It's a holdover from the time before cloud storage made it easy to archive your entire life online.

Now, Congress is on the cusp of finally updating the law. But one unexpected critic of the proposed changes is the agency that's become the nation's biggest privacy watchdog, the Federal Trade Commission. It's the FTC that went after Snapchat last year for accidentally leaking 4.6 million account holders' information into the wild. In fact, the agency now has dozens of data security cases under its belt. The commission has even advised Congress on how to design privacy safeguards for commercial data brokers and facial recognition technology.

But in Senate testimony Wednesday, the FTC cautioned Congress against going too far with ECPA reform.

"The FTC is concerned that recent proposals could impede its ability to obtain certain information" from Internet companies, said Dan Salsburg, a senior agency lawyer.

If the FTC is worried about not being able to do its job as a result of the changes on the table, what does it have in mind instead? A series of carve-outs and exceptions that would still allow law enforcement to compel data from Internet companies under certain conditions, such as if the subject of an investigation refuses to hand over the information himself.

Privacy advocates Wednesday said that amounted to little more than the status quo, and accused the agencies of dragging their feet on meaningful reform.

"As someone who has long supported and worked closely with the FTC, it was really disappointing to see them attack a bill that actually has a chance to improve Americans' privacy," said Chris Calabrese, vice president for policy at the Center for Democracy and Technology and a witness who testified at Wednesday's hearing.

Internet companies piled on, arguing that e-mail inboxes deserve the same Fourth Amendment protections "as a letter in your mailbox," according to Noah Theran, a spokesman for the Internet Association.

The federal agencies insisted that their counterproposal would still strengthen ECPA over the current standard.

"We propose a judicial proceeding — to obtain a court order," said Andrew Ceresney, the SEC's director of enforcement. "The subscriber could come in and assert any objection they have."

Rep. Kevin Yoder (R-Kan.), who's co-sponsoring a major ECPA reform bill in the House known as the Email Privacy Act, pointed out that the agencies would only discuss the need for an exemption in the abstract.

"The agencies asking for a special carveout couldn't even articulate the [specific] special circumstances in which a carveout was necessary," Yoder told reporters Wednesday.

Nevertheless, law enforcement officials' argument has gained traction among senior House lawmakers who hold the fate of the Email Privacy Act in their hands, according to Yoder and Rep. Jared Polis (D-Colo.), another leading co-sponsor of the bill.

Although the Email Privacy Act has nearly 300 co-sponsors — enough for a super majority — that could change if Rep. Bob Goodlatte (R-Va.), the chairman of the powerful House Judiciary Committee, bends to the FTC and the SEC.

"It's really the world versus the SEC and a few government agencies on this," Polis said Wednesday.

To be sure, not everyone at the FTC agrees with the agency position. The judicial mechanism proposed by the agencies could easily lead to privacy abuses by the government and may even be unconstitutional, FTC Commissioner Julie Brill said in a dissenting statement Wednesday.

"The costs – in terms of privacy protections for consumers – of solidifying the Commission’s authority to obtain content through ECPA is real," Brill said.