Testifying before the House Judiciary Committee on Wednesday, Attorney General Eric Holder declared his support for requiring the government to get a warrant before reading Americans' e-mail. It's about time.
When ECPA was written, storage was expensive and online services charged high per-minute fees. So users would log into their online services, download their e-mails, and log off. Congress assumed things would always work this way, so they didn't provide strong privacy protections for e-mail that was left on the server indefinitely.
A generation later, most people use cloud e-mail services, resulting in a crazy quilt of privacy protections. While an e-mail is "in transit," explains Julian Sanchez, a privacy researcher at Cato, the government needs a warrant to read it. But once the user of a cloud service such as Gmail opens the e-mail, the government can (with some exceptions) read it with a simple subpoena — no judicial approval required. And an e-mail is available without a warrant after 180 days whether or not it's been opened.
Believe it or not, that's the simplified version. Some e-mail providers have insisted that the government get something called a 2703(d) order, which the government can get merely by convincing a judge that email is "relevant" to an investigation (much easier to prove than the "probable cause" standard for a warrant), before they will hand over emails. The 9th Circuit Court of Appeals, which serves California and other Western states, has interpreted ECPA to effectively require a warrant even after it's been opened. But that protection still ends after 180 days. The Sixth Circuit Court of Appeals, which serves Ohio and nearby states, has ruled that warrantless e-mail searches violate the Fourth Amendment, no matter what the law says.
Even the Justice Department, which long defended the permissive status quo, now admits that it doesn't make sense.
"Some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology," a Justice Department official told the House Judiciary Committee in March. "There is no principled basis to treat e-mail less than 180 days old differently than e-mail more than 180 days old," she said. "Similarly, it makes sense that the statute not accord lesser protection to opened e-mails than it gives to e-mails that are unopened."
Now the question is whether Congress will do something about it. The Senate Judiciary Committee approved an e-mail privacy bill last month, but that bill has not passed the full Senate. E-mail privacy legislation is also under consideration in the House of Representatives.
Update: Sanchez tweets to add that after the Sixth Circuit ruled that a warrant was required in 2010, some email providers, including Google and Microsoft, started insisting on warrants nation-wide.