Chairman Sensenbrenner, Ranking Member Scott, and Members of the Subcommittee, thank you for the opportunity to testify on behalf of the Department of Justice regarding the Electronic Communications Privacy Act (ECPA). This topic is particularly important to the Department because of the wide-ranging impact the statute has on public safety and both criminal and civil law enforcement operations. We are pleased to engage with the Subcommittee in discussions about how ECPA is used and how it might be updated and improved.
ECPA includes the Pen Register Statute and the Stored Communications Act (SCA), as well as amendments to the Wiretap Act. These statutes are part of a set of laws that control the collection and disclosure of both content and non-content information related to electronic communications, as well as content that has been stored remotely. Although originally enacted in 1986, ECPA has been updated several times since, with significant revisions occurring in both 1994 and 2001.
I intend to focus the majority of my testimony on the SCA, which contains three primary components that regulate the disclosure of certain communications and related data. First, section 2701 of Title 18 prohibits unlawful access to certain stored communications: anyone who obtains, alters, or prevents authorized access to those communications is subject to criminal penalties. Second, section 2702 of Title 18 regulates voluntary disclosure by service providers of customer communications and records, both to government and non-governmental entities. Third, section 2703 of Title 18 regulates the government’s ability to compel disclosure of both stored content and non-content information from a service provider; it creates a set of rules that all governmental entities must follow in order to compel disclosure of stored communications and other records.
Since its inception, the SCA has served multiple purposes. It provides the rules governing how providers of communications services disclose stored information—including contents of communications, such as the body of an email, and non-content information—to a wide variety of government entities. In doing so, it imposes requirements on the government and providers to ensure that the privacy of individuals is protected. The statute thus seeks to ensure public safety and other law enforcement imperatives, while at the same time ensuring individual privacy. It is important that efforts to amend the SCA remain focused on maintaining both of these goals.
I. The Stored Communications Act Has a Broad Scope
Any consideration of the SCA must begin with an understanding of the statute’s extremely broad scope. The paradigm that generally comes to mind in discussions of the SCA is a law enforcement agency conducting a criminal investigation and seeking a target’s email from a service provider that makes its services available to the public. And, indeed, the SCA is critical to all sorts of criminal investigations into murder, kidnapping, organized crime, sexual abuse or exploitation of children, identity theft, and more. As technology has advanced, appropriate governmental access to certain electronic communications, including both content and non-content information, has become even more important to upholding our law enforcement and national security responsibilities.
Even within these criminal investigations, it is important to understand the kind of information that the government obtains under the SCA as well as how that information is used. Under the SCA, the government may compel service providers to produce both content and non-content information related to electronic communications. It is clear that the contents of a communication—for example, a text message related to a drug deal, an email used in a fraud scheme, or an image of child pornography—can be important evidence in a criminal case. But non-content information can be equally important to building a case.
Generally speaking, service providers use non-content information related to a communication to establish a communications channel, route a communication to its intended destination, or bill customers or subscribers for communications services. Non-content information about a communication may include, for example, information about the identity of the parties to the communication, and the time and duration of the communication. During the early stages of an investigation, it is often used to gather information about a criminal’s associates and eliminate from the investigation people who are not involved in criminal activity. Importantly, non-content information gathered early in investigations is often used to generate the probable cause necessary for a subsequent search warrant. Without a mechanism to obtain non-content information, it may be impossible for an investigation to develop and reach a stage where agents have the evidence necessary to obtain a warrant.
For example, the SCA has been critical to tracking down violent criminals. In one case, a suspected serial killer who had killed more than ten people sent an anonymous letter to a newspaper reporter that identified the location of a victim’s body with an “X” drawn on a map. Investigators recognized the mapping website on which the serial killer generated the map. They obtained from that website the IP address of the user who had generated the map and then used ECPA process served on the user’s internet service provider to obtain the physical address of the subscriber who had visited the mapping website. Using this information, the FBI and local police were able to arrest the suspect and stop his killing spree. ECPA process thus allowed law enforcement to trace an anonymous printout from the Internet back to the physical location of the target, in an extremely time-sensitive setting.
The SCA has broad effect in other ways as well. The statute applies not only to public and widely accessible service providers but also to non-public providers, such as companies or governments that provide email to their employees. Moreover, criminal investigations are only a subset of the circumstances in which the SCA applies. The statute applies to all government entities—federal, state, and local—when they seek to obtain content or non-content information from a service provider. This means that the statute also applies when the government is acting as a civil regulator—or even as an ordinary civil litigant. For instance, the SCA applies in all of the following circumstances that could arise, just within the Department of Justice:
· Civil Rights Enforcement: DOJ’s Civil Rights Division brings a civil suit against a landlord who is sending racially harassing text messages to tenants. The target of the messages deletes them, and the landlord denies ownership of the account from which they were sent. The SCA governs the Division’s ability to obtain those messages from the provider during civil discovery.
· False Claims Act: The DOJ Civil Division investigates a business for submitting fraudulent claims to the Federal government. The Division has reason to believe that the defendant’s employees used email messages sent via the business’s customer service email accounts to orchestrate the fraud. However, the defendant claims that it did not use email for business purposes. The SCA governs the ability of the Division to compel the internet service provider that hosted the company’s website to disclose the contents of the business’s email account.
· Environmental Litigation: The Department’s Environment and Natural Resources Division brings a civil enforcement suit under the Superfund statute, a company relevant to the litigation has gone bankrupt, and the company’s cloud provider has the only copies of that company’s relevant corporate email. The SCA governs the Division’s ability to obtain that email during civil discovery.
· Antitrust Investigations: The Department’s Antitrust Division is conducting a civil investigation of several companies for engaging in an unlawful agreement to restrain trade. During the course of the investigation, DOJ attorneys discover that executives of those companies are using their personal email accounts to continue communications about the agreement. The SCA governs the Division’s ability to obtain that email from the service provider.
· Tax Enforcement: The DOJ Tax Division investigates a tax preparation service that advertises via social networking sites. The company fraudulently inflates the amount of refunds due to the taxpayer and profits from taking a significant share of the fraudulent refund. Based on complaints about the preparer, the social networking site closes the company’s account. The SCA governs the Tax Division’s ability to obtain the posts advertising the company’s tax preparation services.
During any discussions of possible changes to the SCA and ECPA more broadly, it is important to keep in mind its wide-ranging application and scope.
II. Modernizing the Rules for Compelled Disclosure of Email and Other Similar Stored Content Information
As I mentioned, ECPA was originally enacted in 1986—a time when the internet was still a nascent technology and landline telephones predominated. Although ECPA has been updated several times since its enactment, the statute—and specifically the portion of the SCA addressing law enforcement’s ability to compel disclosure of the stored contents of communications from a service provider—has been criticized for making outdated distinctions and failing to keep up with changes in technology and the way people use it today.
Many have noted—and we agree—that some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.
Acknowledging that the so-called “180-day rule” and other distinctions in the SCA no longer make sense is an important first step. The harder question is how to update those outdated rules and the statute in light of new and changing technologies while maintaining protections for privacy and adequately providing for public safety and other law enforcement imperatives.
Personal privacy is critically important to all Americans—including those of us who serve in the government. It is also of increasing importance to individuals around the world, many of whom use communications services provided by U.S. companies. All of us use email and other technologies to share personal and private information, and we want it to be protected appropriately. We also know that companies in the United States and elsewhere depend on privacy as a driver of innovation and competitiveness. Some have suggested that the best way to enhance privacy under the SCA would be to require law enforcement to obtain a warrant based on probable cause to compel disclosure of stored email and similar stored content information from a service provider. We appreciate the appeal of this approach and believe that it has considerable merit, provided that Congress consider contingencies for certain, limited functions for which this may pose a problem.
For example, civil regulators and litigators do extremely important work. But they typically are investigating conduct that, while unlawful, is not a crime. Criminal search warrants are only available if an investigator can show probable cause that a crime has occurred. Lacking warrant authority, civil investigators enforcing civil rights, environmental, antitrust, and a host of other laws would be left unable to obtain stored contents of communications from providers. As increasing amounts of information are stored electronically, the amount of information that would be unobtainable to government regulators and litigators will only increase. It is also not the case that these civil regulators and litigators can ask criminal law enforcement officers to obtain a warrant on their behalf. For them to do so would be inappropriate because it would require the opening of a criminal investigation—a step that would be impermissible unless the underlying conduct appeared to be criminal in nature.
Nor could civil litigators and regulators reliably obtain email and other content information solely by serving a subpoena directly on a subscriber (rather than a provider). As several of the examples described above demonstrate, serving a subpoena on a provider may be the only way for civil law enforcement to obtain certain stored communications. For example, where the subscriber no longer exists—as in the case of a bankrupt corporation or a deceased individual—or a purported subscriber denies ownership of the communications and therefore refuses to comply with a subpoena, civil litigators and investigators without the ability to subpoena a provider would be unable to obtain relevant evidence. Moreover, many individuals who violate the law may be tempted to destroy their communications rather than turn them over. Serving a subpoena on the individual, rather than the provider, could serve to encourage such illegal obstruction of justice. Thus, it is important that any proposed changes to ECPA take into account the ability of civil regulators and litigators to compel disclosure of information from providers.
Reform efforts must also account for existing practices as to entities, such as corporations, that provide email to their employees. Investigations of corporate malfeasance—both civil and criminal—have long been conducted by subpoena. For example, it is settled law that a government investigator may use a subpoena to obtain corporate records such as memoranda, letters, or even printed emails. It would be anomalous for the SCA to afford greater protection to electronic corporate records than to the identical records in hard copy. In fact, the voluntary disclosure provision of the SCA already recognizes that this context is different: non-public providers may voluntarily disclose user communications without restriction. To be clear, it is decidedly not our view that subpoenas are blanket substitutes for warrants. But, in the narrow context of corporate investigations, it is important to remember that subpoenas are the norm for obtaining business records, and creating a different standard for different means of communications would hamper many such investigations.
Efforts to update ECPA can account for these considerations and, at the same time, incorporate strong mechanisms that protect individual privacy and ensure appropriate judicial oversight of government access to individual’s communications.
III. The Need for Additional Updates to the SCA and ECPA
Although discussions about updating ECPA have often focused on the standard for governmental access to stored content information, we also believe there are a number of other parts of the statute that may merit further examination during any process updating and clarifying the statute.
(A) Clarifying Exceptions to the Pen Register Statute
First, Congress could consider clarifying the exceptions to the Pen Register statute. The Pen Register statute governs the real-time collection of non-content “dialing, routing, addressing, or signaling information” associated with wire or electronic communications. This information includes phone numbers dialed as well as the “to” and “from” fields of email. In general, the statute requires a court order authorizing such collection on a prospective basis, unless the collection falls within a statutory exception. The exceptions to the Pen Register statute, however, are not coextensive with the exceptions to the Wiretap Act. This creates an unnecessarily complicated scheme where non-content information associated with a communication is subject to more extensive protection than the content itself. Congress could consider harmonizing the exceptions in these two sections of the statute. Moreover, the Pen Register Act’s consent provision could helpfully be clarified to allow the user to provide direct, express consent for implementation of a pen/trap device by the government.
(B) Clarifying the Standard for Issuing 2703(d) Orders
Second, Congress could consider clarifying the standard for the issuance of a court order under § 2703(d) of the SCA, which can be used by criminal law enforcement authorities to compel disclosure of various types of stored records. According to that provision of the statute, “[a] court order for disclosure . . . may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the [records] sought are relevant and material to an ongoing criminal investigation.”
Until recently, no court had questioned that the United States was entitled to a 2703(d) order when it made the “specific and articulable facts” showing specified by § 2703(d). However, the Third Circuit has held that because the statute says that a § 2703(d) order “may” be issued if the government makes the necessary showing, judges may choose not to sign an application even if it provides the statutory showing. See In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). The Third Circuit’s approach makes the issuance of § 2703(d) orders unpredictable and potentially inconsistent; some judges may impose additional requirements, while others may not.
(C) Treating Civil Discovery Subpoenas Like Other Subpoenas
Third, Congress could consider ensuring that—where and to the extent subpoenas are already an acceptable means of obtaining information—courts treats civil discovery subpoenas just like they already treat grand jury subpoenas, trial subpoenas, and administrative subpoenas, in order to avoid unnecessarily impeding the government’s ability to conduct civil litigation.
(D) Making the Standard for Non-content Records Technology-Neutral
Fourth, Congress could consider modernizing the SCA so that the government can use the same legal process to compel disclosure of addressing information associated with modern communications, such as email addresses, as the government already uses to compel disclosure of telephone addressing information. Historically, the government has used a subpoena to compel a phone company to disclose historical dialed number information associated with a telephone call, and ECPA endorsed this practice. However, ECPA treats addressing information associated with email and other electronic communications differently from addressing information associated with phone calls. Therefore, while law enforcement can obtain records of calls made to and from a particular phone using a subpoena, the same officer can only obtain “to” and “from” addressing information associated with email using a court order or a warrant, both of which are only available in criminal investigations. This results in a different level of protection for the same kind of information (e.g., addressing information) depending on the particular technology (e.g., telephone or email) associated with it. Congress could consider updating the SCA to set the same standard for addressing information related to newer technologies as that which applies in traditional telephony.
(E) Clarifying that Subscribers May Consent to Law Enforcement Access to Communications Content
Fifth, Congress could consider clarifying the consent provision of the SCA. Under section 2702, a provider may disclose the contents of communications with the consent of a user or customer, but the provider is not required to do so. This has the impact of allowing the provider to overrule its customer’s direction to disclose content associated with the customer’s account. Thus when the victim of a crime seeks to share his or her own emails or other messages that may provide evidence, providers can refuse to disclose that information to law enforcement, even when provided with a written release from the account owner or subscriber.
(F) Appellate Jurisdiction for Ex Parte Orders in Criminal Investigations
Sixth, Congress could consider clarifying that higher courts have appellate jurisdiction over denials of warrants or other ex parte court orders in criminal investigations. Under existing law, the government may have no mechanism to obtain review of the denial of a court order or search warrant, even when the denial is based primarily on questions of law rather than questions of fact. Congress may wish to consider clarifying that these denials are appealable so that the disagreements among courts are resolved and the law becomes standardized.
In conclusion, I would like to reemphasize that in discussing any efforts to modernize ECPA, it is important to take into account the statute’s broad application. As technology continues to advance, ECPA’s importance to both criminal and civil law enforcement will only increase.
The Department of Justice stands ready to work with the Subcommittee as it considers potential changes to ECPA. We appreciate the opportunity to discuss this issue with you, and we look forward to continuing to work with you.
This concludes my remarks. I would be pleased to answer your questions.