Everything You Need to Know About Congress' New Email Privacy Bill

A privacy bill five years in the making just passed overwhelmingly through the House of Representatives, where privacy advocates and tech companies like Google and Dropbox are challenging a decades-old law that allows the government to get emails without a warrant.

That law, the Electronic Communications Privacy Act (ECPA) of 1986, is coming up on its 30th anniversary, and it hasn't aged well. ECPA allows warrantless searches of email and other communications stored by third party cloud providers. Basically, as long as the messages are considered "abandoned"—meaning they're older than 180 days or have been opened—the Feds can force companies to hand them over without getting a warrant from a judge.

That might've made sense back in 1986, when storage capacity was severely limited and the web didn't exist yet. But with today's bottomless cloud storage, it effectively allows police and government agencies to rifle through the archives of someone's life with zero judicial approval.

This would finally change under the Email Privacy Act, a bipartisan ECPA reform bill that passed overwhelmingly (419-0) in the House on Wednesday. The bill would eliminate the "abandoned" email loophole and prevent warrantless searches on all other types of communications and data stored in the cloud.

Email #Privacy Act will be voted on tomorrow! Emails should be protected from unwarranted government intrusion #ECPA pic.twitter.com/gvWOaZ2Evg
— Rep. Jared Polis (@RepJaredPolis) April 26, 2016

If that sounds familiar, it's because ECPA reform has been proposed multiple times by various members of Congress over the past five years. Despite wide support in both parties, it has repeatedly stalled in committee, never making it to a floor vote in either house.

The first attempts began in 2011 and 2012 with the ECPA Modernization Act, reviving time and again in each successive year. The efforts were inspired by US vs. Warshak, a major court decision in 2010 in which the Sixth Circuit Court of Appeals ruled against ECPA's rules for "abandoned" email, saying that compelling a company to hand over a user's data requires a warrant based on probable cause.

Advocates say the loophole is used thousands of times per day by all levels of government. The Internal Revenue Service, for example, has been exploiting it quite a lot to find tax discrepancies, according to documents obtained by the ACLU back in 2013.

So, what's different this time?

For one, the Email Privacy Act is the first of its kind to be voted on in either house of Congress. Advocates say support for the bill has simply grown too big to ignore, with a whopping 314 co-sponsors in the House.

The tech industry is also coming out in full force. On Tuesday, a massive coalition of privacy advocates and tech companies including Google, Yahoo, Microsoft, Twitter, and Facebook filed an open letter to Congress supporting the bill.

"This is the furthest it's ever gotten. It's now literally the most popular bill in the House," said Chris Calabrese, senior policy director at the Center for Democracy and Technology, which is one of the groups that signed the letter. "The political will builds to a point where you need to address it."

To some extent, companies like Google and Twitter have been fighting back against these warrantless data requests, according to their Transparency Reports tracking government demands. But advocates are worried about smaller companies that may not have the resources to fight the government every time they get handed a subpoena.

"We don't really know how those little guys are handling requests for content," Calabrese told Motherboard.

Like the previous ECPA reform bills, both the IRS and the Securities and Exchange Commission have objected to the new Email Privacy Act. They argue that since they're civil law enforcement agencies without the power to obtain warrants, requiring warrants would block their investigations from getting emails and cloud data.

"Thus, if the bill becomes law without modifications, the SEC and other civil law enforcement agencies would be denied the ability to obtain critical evidence, including potentially inculpatory electronic communications from ISPs, even in instances where a subscriber deleted his emails, related hardware was lost or damaged, or the subscriber fled to another jurisdiction," the SEC said in testimony before the House Judiciary Committee last December.

But advocates say that's sort of the whole point.

"We are particularly pleased that the bill does not carve out civil agencies from the warrant requirement, which would have expanded government surveillance power and undermined the very purpose of the bill," the coalition of tech companies and advocacy groups wrote in their letter.

The FBI has also objected to ECPA reform on similar grounds, having used the warrantless search loophole extensively. But while the Bureau has previously claimed it doesn't need a warrant to access online content, it has since adopted internal policies that make warrants mandatory to get email content, according to Congressional testimony from FBI and Department of Justice officials.

That means the Email Privacy Act would simply codify existing policy for federal law enforcement, something advocates hope will help finally push this bill forward as it heads to the Senate.