Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.
What is the Stored Communications Act?
The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.
Email Privacy Act
On April 13, 2016, a bill to reform the SCA, titled the Email Privacy Act, H.R. 699, was unanimously voted out of the House Judiciary Committee. The bill was originally introduced in December 2013 and again last year, but, despite having widespread support, never previously garnered a hearing. With last week’s vote, it is now headed for full consideration by the House.
The Email Privacy Act would amend the SCA so as to always require law enforcement to obtain a search warrant in order to compel a provider to disclose the contents of an online account. By contrast, the SCA in its current form requires a warrant only in limited circumstances – where law enforcement seeks content that (a) has been stored with the provider for less than 180 days and (b) has not yet been “received” by the user (e.g., unopened emails). All other content, i.e., any messages that are older than 180 days or that have already been opened by the user, may be obtained under the SCA with a mere subpoena – which, unlike a warrant, may be issued by the government without prior judicial approval and without probable cause.
What’s the rationale for the lines drawn by the statute? They may seem arbitrary now, but when the SCA was originally enacted in 1986, users typically downloaded emails onto their local machines after opening them, rather than storing them indefinitely with third-party providers. Thus, at the time, Congress viewed emails that a user chose to store with a provider as “back-up copies,” akin to business records placed in storage. For that reason, it did not consider them entitled to the same level of Fourth Amendment protection as unopened emails held for a shorter time period, which Congress analogized to letters still in transit.
On its face, the extension of the SCA’s warrant requirement to all stored electronic content would seem to be a momentous change, but in actuality it would simply track current practice. Ever since the Sixth Circuit’s 2010 decision in United States v. Warshak, which held that email accounts maintained by third-party service providers are protected by the Fourth Amendment, Department of Justice policy has been for federal law enforcement authorities to obtain a warrant before seeking any email content from service providers – even in situations where the SCA would allow the content to be obtained only with a subpoena. By the same token, the Warshak decision prompted many service providers to refuse to provide email content absent a search warrant, and state and local officials have typically respected this stance rather than attempting to compel production based on a subpoena. So, as a practical matter, the Email Privacy Act would not substantially increase email privacy; it would essentially codify, rather than modify, the status quo.
Notably, the initial version of the Email Privacy Act included a more consequential – and controversial – provision, which would have required law enforcement to notify users when they were subjected to search under the SCA. Specifically, the provision would have required law enforcement to the notify the holder of an online account within 10 business days after obtaining the account contents pursuant to an SCA warrant. That requirement would have significantly departed from the SCA as it currently stands, which specifically states that the government need not provide such notice to an affected user. However, the proposed notice provision was dropped from the version of the bill voted out of the House Judiciary Committee last week, as part of a compromise struck between the bill’s sponsor and the committee chairman.
Enter the Microsoft lawsuit, which seeks to expand user notification under the SCA in a different way. Not only does the SCA currently permit law enforcement to obtain the contents of an account without notifying the user, it also authorizes law enforcement to get a judicial order barring the provider from notifying the user. The SCA requires a judge to issue such a non-disclosure order whenever there is “reason to believe” that notifying the user would result in destruction of evidence, flight from prosecution, or other consequences that would seriously jeopardize the underlying investigation.
On April 14, 2016, Microsoft sued the Department of Justice in federal district court in Seattle, challenging the SCA’s non-disclosure provision as facially unconstitutional, on both Fourth Amendment and First Amendment grounds. The essence of Microsoft’s argument is that the user of an online account is entitled to know when the government has obtained its contents just as much as a homeowner is entitled to know when the government has searched their house. “People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft asserts; and any deviation from the right to be notified if one’s information is searched, the argument continues, must be narrowly tailored to serve compelling interests. Microsoft’s complaint contends that the SCA’s non-disclosure provision is overly broad in two respects: first, nothing in the provision requires the requisite “reason to believe” to be grounded in specific facts of the investigation (as opposed to generalized law enforcement concerns); and second, the provision contains no time limit and is being used to obtain orders of lengthy or indefinite duration.
Microsoft’s broad attack on the SCA’s non-disclosure provision, if successful, could force considerable changes in the way that law enforcement uses electronic search warrants in criminal investigations. The SCA’s non-disclosure provision currently enables law enforcement to use SCA warrants as covert investigative tools, to gather information about investigative targets without tipping them off to the fact that they are under investigation. Indeed, as Microsoft alleges in its complaint, law enforcement agencies routinely seek non-disclosure orders when they obtain SCA warrants, and those orders often last for lengthy periods of time while the investigation continues. In this respect, SCA warrants differ from physical search warrants, which are almost always used as overt investigative tools. When law enforcement searches a target’s home, for example, it is not done in secret; the occupant of the property must be promptly notified. So-called “sneak and peak” searches, executed without notice, are the rare exception. For this reason, physical search warrants are often reserved for the late stages of an investigation when the target of the search is already aware of the investigation or when the arrest of the target can be executed simultaneously with the search.
If prompt notification to targets becomes the norm for SCA warrants just as it is in the context of physical search warrants, law enforcement authorities are likely to scale back their reliance on SCA warrants, reserving them, like physical search warrants, for situations where an investigation is overt rather than covert. That, of course, would be a welcome development for service providers seeking to limit government access to their data and to provide greater transparency to their customers. But expect the Department of Justice to argue that law enforcement cannot follow digital trails effectively if it has to knock and announce every step of the way.
In any event, the Microsoft lawsuit will test just how far the courts will go in analogizing electronic searches to physical searches, and how far they will extend to online accounts the same protections that apply to the home. The case could have potentially far-reaching implications for law enforcement agencies and online service providers alike.