When Congress passed the Stored Communications Act (SCA) in 1986, storing e-mails on servers was very expensive. At that time, e-mail service providers generally deleted any stored content from their servers within 30 to 60 days to conserve storage space. As a result, Congress arguably viewed e-mails stored remotely for more than 180 days as essentially abandoned property.[1] In turn, the law generally treats abandoned property as being unprotected by a reasonable expectation of privacy as far as law enforcement searches are concerned.
Ultimately, the SCA was enacted with a provision allowing law enforcement to obtain the content of electronic communications without a warrant so long as the content is at least 180 days old. These older communications—treated with lower due process protections ostensibly because the law considers them abandoned—could be obtained with less rigorous process, such as subpoenas issued by prosecutors or FBI agents. Law enforcement officials need not show “probable cause” to a judge to obtain a subpoena.
The problem with this treatment of our private e-mails is that most of our communications are now stored remotely—more commonly referred to as the “cloud.” Our web-based e-mail providers and social media platforms store our private messages on remote servers all the time because such storage is cheap and highly efficient. And because cloud storage is much cheaper, services can store e-mails on our behalf for much longer. Most of us probably feel as though our e-mails from 180 days ago are just as private as those we sent today. Although there may have been some logic to treating e-mails stored in the cloud as abandoned after six months in 1986, this logic no longer holds water.
To remedy this incongruity in the law, Rep. Kevin Yoder (R-KS) introduced the bipartisan Email Privacy Act for the first time in 2013, during the 113th Congress. Although its first iteration never made it through subcommittee, we are pleased that this year’s version (H.R. 387) passed the House last night unanimously, by voice vote. The Email Privacy Act would subject stored communications to the warrant standard, regardless of how long the communications have been stored on a remote server. If the legislation becomes law, our private emails from June 2016 would have the same protections as our emails from last month. You may not know they are subject to different levels of protection, and that’s precisely why this bill should be enacted—to bring legal safeguards in line with our common privacy expectations.
Despite enjoying unanimous support in the House of Representatives, there are senators on both sides of the aisle who continue to have concerns with the bill. These policymakers are particularly sympathetic to law enforcement concerns and would be more comfortable with certain exceptions built in for exigent situations or when a service provider gives notice that it shares information with law enforcement without being served a warrant. The version of the Email Privacy Act that the House sent to the Senate last night may very well be the high water mark. Nonetheless, we are hopeful that the two chambers can come to an agreement so that the law meets reasonable, 21st-century privacy expectations while preserving law enforcers’ ability to keep us safe.
[1] See Patricia L. Bellia, Surveillance Law Through Cyberlaw’s Lens, 72 Geo. Wash. L. Rev. 1375, 1422 (2004) (“For unopened communications held for more than 180 days, the theory appears to be that such communications have been abandoned.”).