Enforcement doubts aside, US Senate panel passes bill imposing new standards on email access by US

From the Barclays LIBOR rate-rigging to Standard Chartered’s Iran transactions, HSBC’s long-term money laundering and sanctions violations and Wall Street’s insider trading cases, the biggest financial crime cases of the year share one common element.

In all of them, US prosecutors, enforcement agents and regulators have mined troves of e-mails, instant messages and other “electronically stored information” to build their cases. This electronic evidence has played a major role in securing settlements, deferred prosecution agreements and other enforcement orders.
But a bill in the United States Senate, which has now been approved by the Senate Judiciary Committee, will make it more difficult for law enforcement agencies to access the electronic communications that have become a staple in financial crime cases.

Supporters of the bill, whose principal sponsor is Committee Chairman Senator Patrick Leahy (D-VT), say it enhances the privacy of persons in their online activities. The proposed legislation may also shield these activities from government scrutiny, or at least require enforcement agents in certain cases to show a federal judge that probable cause exists to warrant issuance of a search warrant for certain e-mails and other e-communications.

The Senate Judiciary Committee last week approved a bill that would amend the Electronic Communications Privacy Act (ECPA) that regulates government access to electronic information stored on third-party servers. This 1986 law has been criticized for setting few restrictions on the ability of federal agents to demand personal email and for having been outpaced by technology. The committee approved the bill by a voice vote.

In essence, the bill would require government agents in federal cases to obtain a search warrant from a federal judge before accessing individual email accounts. A companion bill that is not a mirror image was passed in the House of Representatives on December 6, 2011.

The bill would close a loophole that allows enforcement agents, without judicial review, to mine the content of emails residing in remote servers for more than 180 days. Under present law, these messages are considered abandoned, even though most users now store email in “the cloud” indefinitely.

‘Unwelcome intrusions into our private lives in cyberspace,’ says Leahy

“Like many Americans, I am concerned about the growing and unwelcome intrusions into our private lives in cyberspace. I also understand that we must update our digital privacy laws to keep pace with the rapid advances in technology,” said Leahy at the committee’s mark-up session on November 29. He also authored the ECPA.

The bill is not expected to reach a Senate vote this year, and will undoubtedly be reintroduced by Leahy in the new Congress that opens on January 3. Rep. Bob Goodlatte (R-VA), who is the incoming chairman of the House Judiciary Committee, said in a statement that he “agrees that the ECPA is something that Congress should look at closely….”

“It’s important to note, as Senator Leahy [has said], that the current law is confusing and inconsistent and the constitutional challenges to the law bring uncertainty and risk to criminal investigations,” Jessica Brady, an aide to Sen. Leahy, told ACFCS.

“There is a crucial need to update this law and that is what Sen. Leahy is working to do,” she added. “I can’t speculate about how future talks in a Congress that hasn’t even convened might go.”

Bill would impose ‘probable cause’ standard

Presently, if law enforcement wants access to emails that are more than 180 days old, it need only to show a court that it has “reasonable grounds to believe” that the information it seeks is relevant to the investigation. In other instances, agents obtain these emails with administrative subpoenas, which require no judicial approval and are said by critics to sidestep constitutional protections against unreasonable searches and seizures.

Some have likened the process to allowing a police officer without a warrant to open an envelope containing a personal letter and read it, if it has sat on its recipient’s desk for more than six months.

The Leahy bill, which has bipartisan support, would generally require prosecutors to obtain a search warrant after showing probable cause to compel service providers to disclose email and other information. Staunch privacy advocates say these reforms leave shortcomings in the present situation.

For example, the bill is silent on user location information, which cloud providers are increasingly requesting and storing. It is also tied to proposed changes in the Video Privacy Protection Act that would allow companies, like Netflix, to share video rental histories after users provide consent once. That law, enacted in 1988 after the video rental history of US Supreme Court nominee Robert Bork was leaked to the press, is considered one of the strongest for protecting privacy.

Bill could weaken investigators, critics say

The bill may have serious repercussions for US enforcement agencies investigating financial crime. Fraud and insider trading cases, where intent and mental state are important, often benefit much from captured e-mails.

For example, in securing a $435 million penalty against Barclays for fixing the Libor rate, US and UK regulators relied on e-mails and instant messages between traders to help show collusion to fix rates. The US Securities and Exchange Commission has used e-mails as crucial evidence in dozens of insider trading enforcement actions in 2012 alone, including the Galleon Group case that brought down high-flying hedge fund manager, Raj Rajaratnam, this year.

The Leahy bill delicately seeks to weigh privacy considerations against law enforcement concerns. Liberal access to personal email and other e-communications, such as social media and call logs, is crucial to monitoring and uncovering criminal activity, investigators say.

Grassley has doubts about bill

Senator Charles Grassley (R-IA), the Judiciary Committee’s ranking Republican and a respected authority on financial crime issues, warned that changing the standard of proof for accessing emails could hinder government investigations of child abductors, pornographers and other criminals.

“I am prepared to report this bill out of committee today, but I have a number of reservations with the… substance of the legislation,” he said at the mark-up.

The road to this point has been long and bumpy. Leahy first held a hearing on possible changes to the ECPA in September 2010. Government agencies, which also raise national security concerns, have pushed back and delayed the bill’s movement.

Enforcement concerns aside, supporters say bill strikes right balance

In response to a request for comment, US Justice Department spokesman, Dean Boyd, cited the April 2011 testimony of James A. Baker, Associate Deputy Attorney General, before the Senate Judiciary Committee.

“[We] think it is important that any changes to ECPA be made with full awareness of whether, and to what extent, the changes could adversely affect the critical goal of protecting public safety and the national security,” Baker said.

“If an amendment were unduly to restrict the ability of law enforcement to quickly and efficiently determine the general location of a terrorist, kidnapper, child predator, computer hacker, or other dangerous criminal, it would have a very real and very human cost,” he added.

Others say the bill strikes the right balance and preserves and protects key investigative tools, such as access to metadata.

Expert says present standard for paper records would apply to email

In a letter to the committee provided by Leahy’s office, former Justice Department attorney Marc Zwillinger, who worked in the Computer Crime and Intellectual Property Section of the Criminal Division, said the bill maintains lower legal standards for the investigative building blocks law enforcement agents seek to construct.

“Subscriber identifying information (such as name, address, email address and temporarily assigned IP addresses) would still be available with subpoena, and transactional data revealing with whom a person had communicated, when, and for how long, would still be available with a court order issued on a lesser standard than probable cause,” Zwillinger wrote.

The ECPA also includes emergency exceptions for law enforcement, Mark Jaycox, Policy Analyst for the Electronic Frontier Foundation, told ACFCS.

“The bill creates the same standards that apply to your papers and personal effects for your email, yet the government hasn’t said that the current probable cause… standard for your papers and personal effects is ‘soft on crime,’” Jaycox said.

Leahy denies bill would harm privacy protections

Prior drafts of the bill were not as comprehensive. In response to reports that his bill would weaken privacy protections, Leahy issued a press release on November 20 with section-by-section details.

“The rumors… are incorrect,” the release said. “The whole thrust of my bill is to remedy the erosion of the public’s privacy rights under the rapid advances of technology that we have seen since ECPA was first enacted thirty years ago.”