Now the Securities and Exchange Commission, a civil regulatory agency, is proposing a dangerous hybrid of the two systems. It wants a power reserved for criminal justice agencies -- to force online companies to turn over private email accounts – but it wants to use anything it obtains in cases with only a civil burden of proof and civil protections. This would be a distortion of the U.S. justice system. And, if the SEC succeeds, other government regulators will demand similar powers, putting at even greater risk the rights of Americans.
The SEC is seeking to expand its powers by latching onto a bipartisan privacy bill, S. 607. Sponsored by Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah), S. 607 would update a nearly 30 year-old statute, the Electronic Communications Privacy Act of 1986. Currently, ECPA says that government agents can read a citizen’s email without a warrant. Leahy-Lee would correct this and make it clear that law enforcement agencies must get a warrant from a judge before requiring online providers to disclose private email and other personal material stored online. The bill would be an important advance in privacy protections for the average American, who has years’ worth of documents, photos, email and other content stored online. The Attorney General and the new FBI director have both testified recently that they have no objection to getting a warrant.
The SEC, as a civil regulatory agency, cannot apply for warrants. Nor can it tap our phones, seize our mail from the Post Office, and or search our homes or offices. Those are all criminal justice powers. But the SEC is pushing a poison pill amendment to the widely praised Leahy-Lee bill to give it a power always before reserved to criminal justice agencies.
Now the SEC is seeking the authority to by-pass the subjects of its investigations and go straight to their ISPs and demand disclosure even of private accounts. The proposal would fundamentally change the nature of federal regulatory proceedings, resulting in the disclosure of potentially huge amounts of privileged or irrelevant material to the government.
Currently, when the SEC serves a subpoena, it must go to the target, who is required to comb through all of his documents regardless of whether they are in a file cabinet, on an internal network, or stored with a third party, withholding any irrelevant or privileged documents. If the SEC believes that the target is hiding something relevant, it can use a subpoena to determine the existence of accounts. If it is worried that the person will destroy data before the dispute is resolved, it can require the service provider to freeze the contents of an account. This process ensures full production, but protects against disclosure of records that are irrelevant or privileged.
If the SEC were to gain the power to serve demands directly on service providers, those companies would have no way to know what is relevant to an investigation and what is not, and what is privileged. Instead, service providers would be forced to overproduce, turning over to the government all of the target’s documents. Especially in the age of cloud storage, this could result in huge amounts of irrelevant but sensitive data being disclosed to the government.
And by the way, if a case is serious enough to merit criminal justice powers, they are already available in securities cases, subject to the criminal due process protections: The SEC can and does work with the Justice Department on criminal investigations. In those criminal cases, warrants can be issued.
The SEC has important responsibilities and it has been under criticism for not doing enough against financial fraud. But it is not a criminal justice agency. The SEC does not have the authority to seize regular mail from the Post Office. There is no need to give it the authority to obtain electronic mail directly from ISPs and no reason to entangle the important privacy reforms of S.607 with an unreasonable power grab.
Harris is president and CEO of the Center for Democracy &Technology.