I have a Gmail account for personal use. You likely do too. And nearly every one of my clients has one. In fact, Google owns about 43% of the email market. Gmail has about 1.8 billion users and about 306 billion emails are sent and received daily in 2020.
Who cares about Gmail this much? The federal government does.
That’s because people still send a lot of interesting things via email. The government wants to use those emails to build their criminal cases, particularly in white-collar cases. We think about wiretaps as electronic surveillance since they happen in real time, but gathering email is a key part of how the government investigates potential crimes.
Sure, a lot happens by text these days. Plus, many businesspeople are significantly savvier about using encrypted messaging services like Signal and Telegram. Our firm’s engagement letter includes a provision informing clients that if they want to communicate more securely, we will use one of those encrypted services instead of email. I get the sense that there is a lot less stigma to using them as well. In the past, using one of those services may have felt a little . . . sneaky. But now? It’s just good IT security hygiene.
Email remains a mainstay though. We just can’t quit it. It’s still an easy, cheap, fast way to communicate.
How the Government Will Request Your Email
The primary federal statute governing how the government can obtain your email is the Electronic Communications Privacy Act (ECPA). The ECPA was passed to protect your privacy. Really, though, it provides the government with the tools to invade your privacy.
Also, there are a bunch of later statutes that affect/amend/expand the ECPA. Not surprisingly, since the ECPA was enacted in 1986, law enforcement exceptions to its privacy rules have expanded quite a bit.
There are two basic methods the government can use to get email information. They vary in how difficult they are to obtain and what data the government receives in response.
The chart below is from the excellent Electronic Privacy Information Center (EPIC):
First, the government can issue a grand jury subpoena. This is easy to do, a we explained in our earlier post. With a subpoena, however, the government can get basic subscriber information and some IP addresses, as well as some email that is sitting in remote storage that has not been opened or unopened and more than 180 days old.
For example, under 18 U.S.C. § 2703(c)(2), the email provider “shall disclose” to the government the name, address, telephone connection records, types of service, and “means and source of payment for such service,” when the government has a subpoena.
Second, the government can obtain a search warrant. A search warrant is more difficult to obtain and requires the government to explain to a magistrate judge why there is probable cause that a crime has been committed. A warrant allows the government to obtain the content of emails themselves, including for recent emails (that is, within the last 6 months). Warrants are routinely sealed, meaning that you cannot access them or the application for them because they are not available on a court docket somewhere like most court filings are.
It’s worth noting that courts have not widely held that you have a privacy interest under the Fourth Amendment when your emails are stored somewhere other than your home—such as on the cloud. That’s why EPIC chart above shows that the Fourth Amendment only protects your emails in your home. But everyone knows that Google stores our emails on its own servers, not just in that little box on our desk at home, right?
Will Google Tell You if the Government Requests Your Email?
Google publishes limited information about how it will respond to government requests. As a general matter, it says
When we receive a request from a government agency, we send an email to the user account before disclosing information. If the account is managed by an organization, we’ll give notice to the account administrator.
However, there are a few caveats in Google’s policy:
We won’t give notice when legally prohibited under the terms of the request. We’ll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.
And another few limitations:
We might not give notice if the account has been disabled or hijacked. And we might not give notice in the case of emergencies, such as threats to a child’s safety or threats to someone’s life, in which case we’ll provide notice if we learn that the emergency has passed.
It’s not surprising that the government has broad powers when national security interests are at stake. The government can issue a National Security Letter (NSL) to obtain information from Google. An NSL will prohibit Google (or anyone) from telling you about the request.
More broadly, though, the government can – and does – seek “gag orders” that prevent Google from notifying the user of a request for information. Section 2705 permits a court to grant this request to delay notification using a very low standard. The court must grant the request “if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in” any of the following (italics mine):
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
The “reason to believe” standard is extremely low. A simple affidavit from an agent saying that telling the account owner about the subpoena could result in deleting emails could satisfy it, since the deletion of emails would be “destruction of or tampering with evidence” and could “seriously jeopardiz[e] an investigation.”
And although Section 2705 says a judge should grant a notification delay “for such period as the court deems appropriate,” the government can seek an indefinite delay and some judges will grant that request. This means you may never find out that your email had been obtained and reviewed by the government.
Should You Be Worried?
In a word, yes. That’s because the requests to Google are on the rise. Google, to its credit, publishes the number of requests it receives
To give you as sense of the scale, here are the numbers for the last bar on the chart (six months from July 2019 to December 2019):
- Preservation requests (brown): 11,856
- Pen registers (purple): 401
- Emergency requests (light green):1,225
- Other court orders (dark green): 1,960
- Search warrants (orange): 10,498
- Subpoenas (red): 12,101
That’s about 400 search warrants a week. And about 465 subpoenas a week. Just to Google in the United States!
Part of the increase in requests may be due to the increased use of Gmail generally. As its market share increases, the government knows that the likelihood that a subpoena to Google will reveal that any particular person has an email account there. That starts the ball rolling towards a search warrant.
All in all, you can see how often the federal government obtains emails and why this type of electronic surveillance is a key part of building a criminal case.
Just for kicks, here’s the link to Telegram and Signal. Ya know, just in case. And if you find out that the Department of Justice has obtained your emails, give us call. There’s likely a criminal investigation, and you need some help.
Another interesting article Sara! I had no idea that so many had email accounts! Or that the government can so easily get access to them. Thanks!
[…] written about the EPCA before in the context of the government’s ability to obtain emails. The EPCA allows requests for […]