Update: On June 22, the Senate narrowly defeated this amendment, but a repeat attempt is expected in July.
Take Action to oppose the expansion of National Security Letters here.
As previously reported, the Email Privacy Act seeks to amend the Electronic Communications Act of 1986 (ECPA) by eliminating a loophole that allows law enforcement to use a subpoena and not a warrant when accessing emails that are over 180 days old. The House unanimously approved of the bill in May, and sent the bill to the Senate Judiciary Committee. A debate is now raging as to whether or not amendments should be added, with many privacy-oriented senators and civil liberties organizations pushing for a clean bill.
Despite opposition, nine amendments have been filed by various Republican senators. Two of these amendments, one from John Cornyn and one from Jeff Sessions, have been met with significant backlash from privacy proponents and tech companies.
Cornyn Amendment: National Security Letters
Senator Cornyn’s amendment would broaden the scope of data the FBI can request from tech companies through national security letters or NSLs. Cornyn’s amendment would allow the FBI to use NSLs to view Internet browsing history and email headers.
An NSL is a document that allows the FBI to demand customer records and information from a company (particularly banks, telephone providers, and Internet service providers). NSLs do not require a court order, and are therefore not subject to judicial oversight and review. NSLs also often come with a gag order, which means that companies cannot disclose to anyone that they have received the NSL or that they are providing customer information to the FBI. According to the Electronic Frontier Foundation, the FBI has used NSLs over 300,000 times in the last ten years and has repeatedly been caught using NSLs to solicit information illegally.
In 2015, Dissent NewsWire explained the psychological intimidation involved with NSLs by telling the story of Calyx Internet Access CEO Nicholas Merrill. Merrill was required to provide the FBI with the personal information of his clients (IP addresses, online purchases) and then had to wage an 11 year long legal battle to overturn his gag order. Merrill’s story clearly illustrates how the FBI is using mandated secrecy and a complicated statute to access consumer information.
Cornyn has defended his amendment by arguing that it is FBI Director James Comey’s “number one priority” and that the FBI only intends to use NSLs sparingly. Comey has gone as far as to say that this amendment would merely “fix a typo” in the ECPA and reinstate a power that the FBI was always intended to have. The FBI is pushing this amendment in order to override a 2008 opinion from the Justice Department that instructed them to stop using NSLs when procuring browser histories and email metadata.
Cornyn has also argued that metadata is not content, and reveals little about overall online behavior. Senator Mike Lee was not impressed by this argument, and explained that an abundance of personal information can still be gleaned from metadata.
Everything about us is in our browser search histories. It contains where we get our news, our shopping preferences, the profiles we frequent on Facebook and how we communicate with our loved ones. Metadata needs to stop being dismissed as inconsequential, since it reveals just as much as content.
Sessions Amendment: Emergency Disclosure Requirement
The Sessions amendment is as grievous as the Cornyn amendment, as it would undermine the Email Privacy Act’s warrant requirement if enacted.
The primary purpose of the Email Privacy Act is that it will require law enforcement to get a warrant before accessing the content of customer communications, regardless of how long ago the communication occurred. The Sessions amendment would allow the government to ignore this warrant requirement in times of “emergency”, and would require that telephone and Internet providers hand over data whenever an emergency is declared.
The amendment is being criticized for not explicitly defining what constitutes an emergency (only that one can be declared by law enforcement officials at the local, state and federal levels) and for not including any mandatory judicial oversight. American University law professor Jennifer Daskal explains that this lack of judicial oversight contradicts the Wiretap Act and the Foreign Intelligence Surveillance Act, which both mandate review by a court. Daskal also points out that companies have never failed to provide law enforcement with data in times of emergency, so the amendment is seeking to address a nonexistent problem.
Future of the Email Privacy Act
At the time of writing, the co-sponsors of the bill have withdrawn it from consideration. Senators Lee and Leahy are attempting to get all amendments removed from the bill, and still hope to pass the same version of the bill that was approved overwhelmingly by the House.