WASHINGTON -- The Senate Judiciary Committee voted on Thursday to force cops to get a warrant to spy on your email. It was a first step toward beating back the "growing and unwelcome intrusion into our private life in cyberspace," as Sen. Patrick Leahy (D-Vt.), who offered the amendment, put it.
But the fact that the vote even needed to take place may surprise many Americans who assume their online inbox has the same protections as the one sitting on their desk at home.
Because of judicial precedent and a law that is more than 25 years old, however, the email accounts of anyone who uses webmail providers like Google, Yahoo, AOL or Microsoft can in many cases be accessed without a warrant. And while the exact mechanics of the investigation into former CIA Director David Petraeus' now-infamous emails are shrouded in mystery, that episode illustrates that much can be revealed, against our will, by a simple look into the inbox.
"I think that people can and do have an expectation that their email will be private and should require a search warrant -- but unfortunately the Department of Justice does not agree," said Kurt Opsahl, a senior staff attorney with the Electronic Frontier Foundation.
Email privacy protections are at their core shaped by two decisions made decades ago. One, made by the Supreme Court in a pair of rulings in the 1970s, holds that Americans cannot expect Fourth Amendment protections for information they have handed off to a third party. According to the Department of Justice's interpretation, any warrant requirement for law enforcement involving a third party -- in effect, anything transmitted across the Internet -- must be protected by an act of Congress.
The second is the Electronic Communications Privacy Act, which was passed by Congress in 1986 and based on the technology of the time. Users of the then-nascent Internet generally downloaded emails to their hard drive if they wanted to save them, and service providers deleted messages on their servers immediately to free up scarce storage space.
ECPA said that if an email was unopened and fewer than 180 days old, law enforcement would need to get a warrant to read it on a server. After six months or after the email was opened, however, the local police or the FBI would only need to swear out an administrative subpoena. They would essentially need to say only that the information in an email account was relevant to an investigation.
The Sixth Circuit Court has ruled that emails should be protected by the Fourth Amendment's warrant requirements after all. But the reach of the Sixth Circuit's ruling is unclear. Law enforcement generally assumes it only needs a subpoena -- its own say-so -- to download your messages.
These days, said Chris Calabrese, legislative counsel for the American Civil Liberties Union, "basically all the interesting stuff that you're saving is largely accessible without a warrant." That includes non-email content stored in the cloud.
"ECPA was passed in 1986," he said. "Hasn't been updated since then. So you've got 1986 law trying to track to 2012 technology -- and that's just very difficult to do."
Leahy, who helped pass ECPA in the first place, admitted in the Thursday Senate committee meeting that the 180-day rule was an "anachronistic distinction."
If Internet users want to protect the privacy of their email they should read it the old-fashioned way: downloading everything to their hard drive and deleting it off the server. As their own physical property -- bits and bytes on their hard drive -- it will be protected by the Fourth Amendment.
Leahy's amendment to ECPA would expand those protections to all emails, whether stored online or off. It would also protect information stored in the cloud like documents in Google Drive. But there were signs during the committee vote on Thursday that as the amendment winds its way through the Senate floor and the House, conservatives may object to the bill's limits on law enforcement.
Admitting that ECPA is "is in need of review," Sen. Charles Grassley of Iowa, the committee's ranking Republican, said that he was worried about objections from law enforcement, which prefers the current, lower standard. He also raised the prospect that an emergency exemption in the law might not be broad enough in cases of child kidnapping.
"It would be a travesty of justice if a child died and key information had been available in a child's account," Grassley said. His amendment for a broad exception in cases of child abduction, kidnapping, child pornography or violent crimes against women was voted down.
Even if email privacy law is eventually strengthened -- which Leahy acknowledged was not likely to happen this year -- wary email users should keep in mind that it might not just be domestic law enforcement spying on you. If you're sending an email to someone abroad, all bets are off. That's because intelligence agencies like the CIA and NSA monitor foreign Internet traffic under a completely different law called the Foreign Intelligence Surveillance Act.
As the warrantless wiretapping episode under the George W. Bush administration demonstrated, moreover, the limits of what the executive branch can and cannot do under FISA are ill-defined and open to interpretation by overeager spooks. There are supposedly policies in place to protect harmless emails from Americans caught up in the foreign dragnet -- but no one knows how stringent they are or how often they are violated.
"To the extent there are any protections for that regime, they've always been kept secret, and we have no idea how good they are," said Michelle Richardson, legislative counsel for the ACLU.