Reforming the ECPA would make FTC fraud investigations more difficult, officials claim.
In his testimony at a Wednesday hearing of the Senate Judiciary Committee on electronic privacy reform, an FTC official urged Congress not to change the Electronic Communications Privacy Act (ECPA) in a way that would make agency investigations harder.
The Electronic Communications Privacy Act Amendments Act of 2015, which has bipartisan support in both chambers of Congress, would require government agencies to get a warrant to request online communications, such as emails and chat messages, no matter how old that content is. Currently, the government can get messages older than 180 days without a warrant, using a lesser procedure known as an administrative subpoena.
The FTC has used ECPA, which Congress passed in 1986, to acquire evidence that helps it pursue cases against fraudulent businesses. The agency said in prepared testimony that it was “concerned that its robust anti-fraud program will suffer if copies of previously public commercial content that advertises or promotes a product or service cannot be obtained directly from the service provider.”
“Without further clarification to recent legislative proposals,” the agency said, “updates to ECPA would appear to prevent the FTC from compelling ECPA service providers to produce such previously public material.”
The FTC wants any ECPA reform bill to contain an exemption letting it and other civil law-enforcement agencies continue to acquire customers’ communications from companies without a warrant. But the FTC has been unable to point to specific cases where the powers threatened by ECPA reform legislation have been essential to its investigations.
“I can’t necessarily say it would produce emails that would dramatically further the investigation,” Daniel Salsburg, an FTC lawyer, said at the hearing.
In a separate statement sent to the committee, FTC Commissioner Julie Brill, an Obama administration appointee, disagreed with her agency’s formal request for an ECPA exemption.
“I am concerned that a judicial mechanism for civil law enforcement agencies to obtain content from ECPA providers could entrench authority that has the potential to lead to invasions of individuals’ privacy and, under some circumstances, may be unconstitutional in practice,” Brill wrote.
Sen. Chuck Grassley (R-Iowa), the chairman of the Judiciary Committee, sounded doubtful that warrant-free access to electronic records was as important as the FTC claimed.
Grassley grilled assembled officials from the FTC, Securities and Exchange Commission, and the Department of Justice’s Office of Legal Policy for evidence that warrant-free records requests were key investigative tools in their arsenals. At one point, he noted that the SEC has not presented any evidence that the current version of ECPA has stymied its regulatory work.
Sen. Mike Lee (R-Utah), a cosponsor of the ECPA reform bill, asked each of the government witnesses whether they disagreed with the idea that the government should need to get a warrant to get Americans’ electronic communications. No witness disagreed, but each noted his or her agency’s concerns about exceptions where ECPA reform could close off their avenues of investigation.
“The overwhelming majority of the American people would be disturbed that that question can’t be answered with a simple ‘no,'” Lee responded.
Privacy advocates quickly pounced on the FTC’s argument.
“This is the issue that has stalled ECPA reform for over five years, despite overwhelming bipartisan support,” said Berin Szoka, president of the libertarian group TechFreedom. “The FTC’s testimony is carefully crafted to sound reasonable, but the agency is simply helping to obstruct the major privacy reform of our generation.”
The FTC also said that it was worried about the reform bill’s provisions allowing agencies to request customer information with the customer’s consent. Amendments to ECPA would only allow agencies to acquire metadata—information about information—with customer permission; that would not cover the content of communications itself.
“A defendant may want to authorize the FTC to obtain documents directly from its cloud computing account, if the records are voluminous, or the defendant’s only copies of the records are maintained on that service,” the FTC said. “Under current legislative proposals, however, even if the customer or subscriber has consented, the agency could not compel the cloud computing service to release that customer or subscriber’s content.”
Sen. Richard Blumenthal (D-Conn.) skeptically asked Salsburg whether the FTC had actually run into these situations.
“There have been a couple of instances where this has occurred,” Salsburg said, “but it’s not common.”