Documents obtained by the ACLU reveal that government policy on email snooping is confusing.
FORTUNE — Newly released documents show that the FBI and some U.S. Attorney’s offices have created justifications to support their contention that they don’t need a warrant to read citizens’ private emails.
The American Civil Liberties Union published the documents on Wednesday. They “paint a troubling picture of the government’s email surveillance practices,” the ACLU said, especially given that a federal appeals court ruled in 2010 that the government peeking at private emails without a warrant is a clear violation of Fourth Amendment protections against unreasonable searches and seizures.
That case, however, applies only in the Sixth Judicial Circuit, which comprises four states. That got the ACLU wondering whether the FBI and other agencies believe, despite that ruling, that they can peek at emails in the other 46 states. Apparently so. The ACLU’s Freedom of Information Act request yielded portions of the FBI’s “Domestic Investigations and Operations Guide” (DIOG). It states that agents need warrants only when emails are unopened and less than 180 days old. Everything else is fair game, and can be obtained with a subpoena — which is issued not by a judge, but by a prosecutor.
The government here is relying on the Electronic Communications Privacy Act, which was enacted long before the use of email was widespread, and certainly before the existence of “the cloud,” where many of us now store our electronic data. It deems email and other data stored on the server of a third-party (such as an ISP) to be “abandoned” and hence fair game for law enforcement. In 1986, when the law was enacted, that was a reasonable assumption. It no longer is.
The 2012 version of the DIOG doesn’t even mention the 2010 case,
United States vs. Warshack
. It simply refers back to ECPA — which Warshack supersedes, at least within the Sixth District — as justification for demanding data. “We would have thought that by 2012, the FBI would have updated its policy to require a warrant for all private electronic communications,” the ACLU says. “Our FOIA request was the FBI’s chance to produce any policy documents, manuals, or other guidance stating that a warrant is always required, but they failed to do so. Instead, the documents we received strongly suggest that the FBI doesn’t always get a warrant.”
The group also cites evidence from court proceedings that the FBI has, in fact, seized emails without a warrant since Warshack.
The ACLU also obtained documents from six U.S. Attorneys’ offices — in California, Florida, Illinois, Michigan, and New York — which it said “paint a confusing picture of federal policy.” Some offices seem to rely on the ECPA rules, while others hew to the Warshack decision. “If nothing else,” the ACLU stated, “these records show that federal policy around access to the contents of our electronic communications is in a state of chaos.”
The chaos only grows when the policies of other government agencies are thrown into the mix. The Internal Revenue Service had been operating on the theory that citizens have “generally no privacy” (the agency’s words) when it comes to email, and that its investigators could peek at data without a warrant. The IRS backed down from that stance last month and said it would now seek warrants in all cases — but only for email, not necessarily for, say, data on social media sites.
To eliminate all the confusion, Congress will have to rewrite ECPA to make it fit the current state of technology, as well as the Constitution. There is action in the Senate to reform ECPA, but given the current woeful state of the legislative branch, it’s impossible to tell what, if anything, might be done.