The SEC Play for a Backdoor to Your Email

The FBI demand for access to a locked iPhone by compelling Apple to write new software to undo its security features has sucked the oxygen out of the surveillance-privacy debate over the last few weeks.  So much is this the case that coverage of the markup of H.R. 699, the Email Privacy Act, tentatively scheduled for March 22, seems sure to be lost in the oral argument on Apple’s case, which is scheduled to be heard the same day.  But the Email Privacy Act is incredibly important and it deserves attention.

The bill enjoys significant bipartisan support: S. 356 currently has 25 co-sponsors and H.R. 699 has 312 co-sponsors, obviously more than the votes needed to pass the House. But the Securities and Exchange Commission (SEC) has bottled up the legislation for almost two years and continues to oppose the bill unless it gets a backdoor to all email content in civil cases on less than a probable cause showing.

The Email Privacy Act would update the Electronic Communications Privacy Act (ECPA) to require a search warrant for access to user content regardless of how long that content has been stored with third party providers.  ECPA always required a warrant based on probable cause for government access to user content stored with a third party provider for less than 180 days.  But email or other content stored longer than 180 days -- something that seemed improbable in 1986 when ECPA was enacted -- requires only a subpoena for disclosure.  

In 2010, the United States Court of Appeals for the Sixth Circuit held in United States v. Warshak that the government violated the Fourth Amendment when it obtained emails stored by an online service provider without a warrant.  Since that time, providers have required search warrants for email and the Department of Justice likewise has required federal law enforcement to obtain a search warrant to access any email in criminal cases.

Despite the broad support for the bill in Congress, the SEC has been able to stymie the bill.  Why? The SEC argues that the bill, if passed, would hinder its investigations by limiting access to email evidence.  But the SEC does not currently have access from third party providers to email stored less than 180 days. The SEC chairwoman has testified that the agency has not even used its existing administrative subpoena authority to obtain any email stored by service providers since she joined the agency.  In short, the SEC claim appears to be largely speculative.

Indeed, despite Congress and others asking, the SEC has yet to identify a single case where they declined to investigate or enforce the law due to a lack of access to email.  To the contrary, the agency touts its successful record of enforcement each year to Congress, never once identifying a case that they lost or failed to bring due to the lack of access to email.  Warshak has been the law for six years now so one would think that the SEC could make the case easily if its contentions were true.  

The simple truth of the matter is that email, while it certainly can help make a case, is seldom the only or the best evidence of a violation of the law.  Securities cases in particular are complex and rely on a broad array of financial and other information to prove the case.  Email may provide a shortcut to showing intent or knowledge in rare cases, but it seldom will be the only evidence, which is why the SEC has had such a successful record on enforcement over the last decade.  

Still, the SEC persists in arguing that codification of Warshak and the warrant standard for all stored email would seriously impact their investigations. The SEC testified in December 2015 before the House Judiciary Committee:  “the subpoena recipient may have erased emails, tendered only some emails, asserted damaged hardware, or refused to respond – unsurprisingly, individuals who violate the law are often reluctant to produce to the government evidence of their own misconduct.  In still other instances, email account holders cannot be subpoenaed because they are beyond our jurisdiction.”  

But that makes no sense. There are judicial remedies that exist today for recalcitrant witnesses or parties in civil litigation. Spoliation can result in adverse inferences at trial and serious sanctions.  Every civil litigant deals with these same issues and courts punish discovery abuses severely today. And unlike civil parties in litigation, ECPA also allows government agencies to issue preservation orders without court approval or notice to witnesses, directing service providers to prevent deletion, destruction or alteration of information in a user’s account.

The SEC’s demand is all the more extraordinary when put in the context of civil litigation.  The SEC seeks a unilateral right to access the email of any person stored with a third party provider while denying parties to a civil investigation or action the same access.  In other words, the SEC would get an uber-discovery right, and a party to litigation would not be able to procure evidence important to its own case through the same process.  Even if the SEC position didn’t violate the 4th Amendment, it would be patently unfair to litigants before the agency.  

Another problem with the SEC position is that there is no obligation on the SEC (or the hundreds of other agencies who would get the same powers) to limit the scope of access.  The agency could obtain years of stored emails, including attorney-client privileged material, on a lower showing.  Indeed, the SEC has no written “taint team” procedures for reviewing email subject to attorney-client privilege.  

Finally, and most problematic, the SEC is one of several federal agencies that have dual civil and criminal authority. There are many more civil violations in the securities laws than criminal laws, but the same set of facts may trigger either track.  Obviously, the system would be ripe for abuse if the agency could get a person’s email on the predicate of a civil investigation while avoiding the burdens of getting a warrant in a criminal matter.  Further, because the standard for seeking information in a civil matter generally is relevance, and investigative powers of agencies are broad, the breadth of email and other content that could be obtained under the SEC’s proposal is far greater than the government should be able to get on a warrant where particularity matters. And once obtained, it would be free to share seized email with any other agency and even non-U.S. enforcement agencies. And it could do all of this without the user ever knowing the email had been shared more broadly.

The SEC, however, believes that its proposal for a back door to email is more protective of user privacy than a search warrant.  It says it would subpoena the user first, if possible, and if it did not obtain full cooperation, it would give the user notice and then go to court for an order compelling a service provider to make the desired production.

But what is the standard for determining full cooperation?  When will the SEC ever trust that a witness or target has fully produced information?  How hard will the SEC try to give notice, and what about those cases where it contends notice will endanger an investigation?  There will be an entirely new body of discovery law created by the SEC proposal and users will bear the expense.  Providers likewise will be caught in the middle of these disputes or worse, become routine discovery agents for stored content.  But all of this is just procedural gerrymandering around the Fourth Amendment.  In the end, if the government wants to seize and search a person’s email, it should get a warrant.

As Justice Roberts observed in Riley v. California:

Cell phones have become important tools in facilitating coordination and communication among members of criminal enterprises, and can provide valuable incriminating information about dangerous criminals. Privacy comes at a cost. Our holding, of course, is not that the information on a cell phone is immune from search; it is instead that a warrant is generally required before such a search, even when a cell phone is seized incident to arrest.

Substitute a provider’s email server for a cell phone and you get the same result.  This is one backdoor that Congress should slam shut tightly, and let’s hope that the markup doesn’t get lost in the Apple litigation.  It is time to pass the Email Privacy Act.
