The Email Privacy Act is moving forward in the Senate. S.356, which currently has 28 cosponsors, would require a warrant for stored content -- essentially codifying current law and practice over the last six years. The House passed H.R. 699 overwhelmingly with 314 cosponsors, passing unanimously by a vote of 419-0. But now that the bill has moved to the Senate, some want to create new and expansive exceptions that simply overreach and are bad for user privacy. For example, the Securities and Exchange Commission is back at it again, seeking a civil exception to the warrant requirement to require providers to disclose content in civil investigations -- a backdoor to content as I explained here. But the proposed mandatory emergency disclosure rule is a sink-hole of an exception that superficially appeals but may be even worse than the SEC backdoor.
For the last 15 years, providers have routinely assisted law enforcement in emergency cases by voluntarily disclosing stored content and transactional information as permitted by section 2702 (b)(8) and (c)(4) of Title 18. Providers recently began including data about emergency disclosures in their transparency reports and the data is illuminating. For example, for the period January to June 2015, Google reports that it received 236 requests affecting 351 user accounts and that it produced data in 69% of the cases. For July to December 2015, Microsoft reports that it received 146 requests affecting 226 users and that it produced content in 8% of the cases, transactional information in 54% of the cases and that it rejected about 20% of the requests. For the same period, Facebook reports that it received 855 requests affecting 1223 users and that it produced some data in response in 74% of the cases. Traditional residential and wireless phone companies receive orders of magnitude more emergency requests. AT&T, for example, reports receiving 56,359 requests affecting 62,829 users. Verizon reports getting approximately 50,000 requests from law enforcement each year.
So what’s the problem with voluntary disclosure? Law enforcement plainly receives cooperation from providers in response to emergency requests. Well, to a hammer, everything looks like a nail. To law enforcement, most criminal investigations look like “emergencies,” especially if there is any delay engendered by the requirement of getting legal process. Therein lies the biggest problem with the mandatory emergency disclosure exception to the Email Privacy Act being pushed in the Senate (which the House Judiciary Committee recognized and rejected in their version already).
There have been complaints that not all providers “volunteer” to make disclosures or do so promptly. For example, a law enforcement representative testified on September 16, 2015, before the Senate Judiciary Committee in its hearing on “Reforming the Electronic Communications Privacy Act,” that some providers “make a decision never to provide records in the absence of legal process, no matter the circumstances.” This is a canard of the first order and when pressed, the agent could not name a provider who in fact refused to make emergency disclosures in the face of life-threatening circumstances. As the evidence shows, the current system works extremely well, but it is important to recognize that providers serve as a safeguard against abuse.
Remember, in an emergency, there is no court oversight or legal process in advance of the disclosure. For over 15 years, Congress correctly has relied on providers to make a good faith determination that there is an emergency that requires disclosure before legal process can be obtained. Providers have procedures and trained personnel to winnow out the non-emergency cases and to deal with some law enforcement agencies for whom the term “emergency” is an elastic concept and its definition expansive.
Part of the problem, and the temptation, is that there is no nunc pro tunc court order or oversight for emergency requests or disclosures. Law enforcement does not have to show a court after the fact that the disclosure was warranted at the time; indeed, no one may ever know about the request or disclosure at all if it doesn’t result in a criminal proceeding where the evidence is introduced at trial. In wiretaps and pen register emergencies, the law requires providers to cut off continued disclosure if law enforcement hasn’t applied for an order within 48 hours. But if disclosure were mandatory for stored content, all of a user’s content would be out the door and no court would ever be the wiser. At least today, under the voluntary disclosure rules, providers stand in the way of excessive or non-emergency disclosures.
A very common experience among providers when the factual basis of an emergency request is questioned is that the requesting agency simply withdraws the request, never to be heard from again. This suggests that to some, emergency requests are viewed as shortcuts or pretexts for expediting an investigation. In other cases when questioned, agents withdraw the emergency request and return with proper legal process in hand shortly thereafter, which suggests it was no emergency at all but rather an inconvenience to procure process. In still other cases, some agents refuse to reveal the circumstances giving rise to the putative emergency. This is why some providers require written certification of an emergency and a short statement of the facts so as to create a record of events -- putting it in writing goes a long way to ensuring an emergency exists that requires disclosure. But when all is in place, providers respond promptly, often within an hour because most have a professional, well-trained team available 7x24.
Some in law enforcement have complained that a certification or written request is a burden or can hinder an emergency investigation, but it is no different than the procedure that Congress requires to obtain a telephone warrant from a judge to conduct a search under Rule 41 of the Rules of Criminal Procedure. One might ask why anyone would want a mandatory emergency disclosure rule without any provider review or legal oversight when, in every federal judicial district, a search warrant is a telephone call away to a federal magistrate who is on duty 7x24x365. And law enforcement agents can reach a prosecutor at any time as well when the investigation requires it.
Put aside law enforcement anecdotal concerns, however, and ask whether we even know how many emergency disclosures are requested by law enforcement and made by providers each year? We have provider transparency reports that suggest well over a hundred thousand requests are made every year and the vast majority of them are complied with, but we still don’t know the exact numbers. Section 2702(d) of Title 18 should have helped answer the question before Congress mandated compelled disclosure without legal process or oversight upon law enforcement requests. It requires the Department of Justice to report to the Judiciary Committees of the House and Senate each year, as follows:
Reporting of Emergency Disclosures.—On an annual basis, the Attorney General shall submit to the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate a report containing—
- the number of accounts from which the Department of Justice has received voluntary disclosures under subsection (b)(8);
- a summary of the basis for disclosure in those instances where—
(a) voluntary disclosures under subsection (b)(8) were made to the Department of Justice; and
(b) the investigation pertaining to those disclosures was closed without the filing of criminal charges; and
- the number of accounts from which the Department of Justice has received voluntary disclosures under subsection (c)(4).
To the extent these reports have been made, they have not been made public. But in all likelihood, the numbers would under-report the facts because state authorities -- the source of most requests -- are not required to make reports at all.
Have there been some cases in the past where providers have been cautious in making an emergency disclosure? Undoubtedly and justifiably, because providers may have liability if they make a disclosure without a good faith basis, which most understand to require more than an agent calling to say “I have an emergency.” In hindsight, the facts can be debated in any particular case, but the current rule exists because users expect providers to protect their information against involuntary production to government agencies, particularly in the absence of legal process. Under this proposal, there are several thousand federal, state and local governmental agencies that would get the power to compel disclosure of content and other information without court oversight or even post hoc legal review. In short, mandatory emergency disclosure of user data is a sinkhole exception that ought to be roundly rejected. Congress already struck the right balance when it codified the voluntary emergency disclosure exception 15 years ago and placed providers in the position of protecting user data and vetting emergency requests for compliance with the law.