Nojeim: Regulatory Agencies the New Front in Privacy Protection
One of the most striking aspects of the Petraeus-Broadwell fiasco is how quickly the government’s investigation ballooned.
Beginning with a half-dozen harassing emails, the case ultimately resulted in the FBI reviewing, according to reports, 20,000 to 30,000 pages of email, including some to or from Gen. John Allen.
Allen was never suspected of any wrongdoing. He came to the government’s attention because he corresponded with the person who received the first handful of questionable emails. Now, he is the subject of innuendo, and his career is on hold.
What other federal agencies have the power to conduct such sweeping investigations? Quite a few, it turns out. And what protection does anyone have against getting caught up in similar fashion? Not much, under current law, the Electronic Communications Privacy Act. Efforts are under way to reform the ECPA, but federal regulatory agencies are resisting because they want a power beyond even that exercised by the FBI in the Petraeus-Broadwell case.
Reports indicate that the FBI obtained a warrant from a judge to force service providers to turn over the contents of email of those swept into the vortex of that investigation. However, in a debate being played out in the Senate Judiciary Committee, federal regulatory agencies are seeking authority to issue their own subpoenas to compel disclosure of email, without going to the target of their investigation and without getting the approval of a judge.
Rather than the FBI getting a warrant from a judge in a case with at least some national security implications, imagine the National Labor Relations Board issuing its own subpoenas to obtain from service providers equally voluminous amounts of email of corporate officers involved in labor disputes with their employees.
This threat to privacy and basic dignity arises because of the confluence of several momentous developments.
We have all become dependent on the convenience and power of digital communications services — email, text, cellphone, social networking and others. The sheer volume of data we each generate electronically is unprecedented. We inevitably intermingle our personal and professional lives.
Most significantly, though, unlike postal letters or telephone calls, our digital communications are stored with service providers, in the middle of the Internet cloud. This opens up new potential for government agents to obtain our most private communications without ever going before a judge and without ever confronting us and giving us an opportunity to assert our rights.
Of course, the government has compelling needs for digital information in a wide range of investigations. The question comes down to one of checks and balances. The courts, however, have been slow to translate the protections of the Constitution to the Internet.
And the ECPA, adopted in 1986, is woefully out of date. The law’s author, Sen. Patrick J. Leahy, D-Vt., is pushing for changes. He wants to establish a simple rule: If the government wants to read someone’s email, it should get a warrant, except in emergencies, just like it does to read postal mail or tap phones, or it should serve a subpoena on the person at issue, so that person can respond.
The Justice Department may be willing to live with the warrant standard. In fact, prosecutors and FBI agents already get warrants when they want service providers to disclose the contents of email. The U.S. Court of Appeals for the 6th Circuit has held that the Constitution requires a warrant for disclosure of email, and most observers believe the 9th Circuit would rule the same way.
Major companies, including Google Inc., Facebook and Microsoft Corp., insist that investigators present a warrant to compel disclosure of the contents of stored communications.
Ironically, major opposition to reform is coming from federal regulatory agencies, supposed champions of consumer rights. Instead of serving subpoenas on the targets of their investigations, as they always used to do, these agencies want the authority to demand email and other documents from the online service providers to which we’ve entrusted our digital lives. And the agencies want to get this data without the approval of a judge.
The Occupational Safety and Health Administration, the Securities and Exchange Commission, the Federal Trade Commission, and the Consumer Financial Protection Bureau are among the regulatory agencies with subpoena power. In this Internet age, allowing them to compel the service providers that hold so much information about us to disclose that information without judicial authorization could fundamentally change the relationship between the government and its citizens.
Gregory T. Nojeim is a senior counsel at the Center for Democracy and Technology and director of its Project on Freedom, Security and Technology.