During the long, hard fight to bring the outdated Electronic Communications Privacy Act (ECPA) into the 21st century, advocates have run into the most unlikely of opponents: the Securities and Exchange Commission (SEC). Yes, the SEC—the agency charged with regulating the securities industry—has brought the ECPA update to a screeching halt. Yesterday the ACLU, along with the Heritage Foundation, Americans for Tax Reform and the Center for Democracy and Technology, sent the agency a letter calling them out on their opposition.
ECPA, enacted in 1986, is the main statute protecting our online communications from unauthorized government access. Unfortunately, as our lives have moved online the law has remained stagnant, leaving dangerous loopholes in our privacy protections. A broad coalition including privacy and consumer advocates, civil rights organizations, tech companies, and members of Congress from both parties has been pushing for an update. Strong bipartisan legislation to update the law has over 200 sponsors and is making serious headway in Congress. Even the Department of Justice—the law enforcement agency with arguably the most to lose in such an update—testified that some ECPA loopholes need to be closed.
But the SEC is pushing back—essentially arguing that they should get to keep one of the loopholes that have developed as the law has aged. When ECPA was passed in 1986, Congress developed an elaborate framework aimed at mirroring existing constitutional protections. Newer email, less than 180 days old, was accessible only with a warrant. Based on the technology of the time, older email was assumed to be “abandoned” and was made accessible with a mere subpoena. Similarly, another category of digital records, “remote computing services,” was created for information you outsourced to another company for data processing. Seen as similar to business records, it could also be collected with a subpoena under the law.
Fast forward to the 21st Century. Now we keep a decade of email in our inboxes and “remote computing services” has morphed into Facebook keeping all our photos or Microsoft storing our Word documents in their cloud. Suddenly the SEC can access content in way it never could before.
But in 2010 the 6th Circuit, in United States v Warshak, ruled that email was protected by the Fourth Amendment. Since the SEC doesn’t have the power to get a search warrant, they lost the benefit of the loophole that they had been exploiting.. Up until now this hasn’t seemed like a big deal. They have never legally challenged this prohibition or been able to identify a case, pre- or post-Warshak, where they have really needed this authority; they already have a wide range of tools at their disposal.
So while the SEC is trying to frame the issue as a loss of authority, it is really a power grab—one that would apply not just to the SEC but all federal and state agencies, including the IRS, DEA, and even state health boards.
Civil agencies investigate a broad range of issues and they are allowed to do so without specific suspicion of wrongdoing. It makes no sense that we would demand law enforcement—handling our nation’s most serious crimes—to obtain a warrant to access sensitive data online, but allow civil agencies to conduct a warrantless search for something as simple as a health code violation. The exception would undercut the warrant requirement by allowing an agency that has both civil and criminal authority—such as the Department of Justice—to simply use the new authority as a backdoor to a criminal investigation.
The SEC has managed to successfully prosecute everyone from Enron to Martha Stewart without access to Americans’ most personal data. Their opposition to ECPA reform isn’t about supporting their mission; it is nothing more than another clear-cut example of an agency power grab.
Originally posted on the American Constitution Society blog.
Visit VanishingRights.com to learn more about legislation to update ECPA and to make sure your Member of Congress is currently signed on to support it.