The documents, obtained by the ACLU under the Freedom of Information Act and published today, reveal that in 2009, the Criminal Tax Division at the IRS claimed in an internal handbook that in general “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server.” This claim may have been rooted in a reading of a controversial loophole contained in the Electronic Communications Privacy Act, which enables agencies to obtain email older than 180 days without a search warrant.
In 2010, a significant appeals court judgment held in United States v. Warshak that email was protected by the Fourth Amendment, and that government agents should obtain a probable cause warrant from a court before compelling email providers to hand over users’ messages—regardless of whether they had been stored on a server for more than 180 days. This is the highest legal standard, requiring authorities to show there is “reasonable basis” for believing the search will yield evidence of a crime.
But despite that ruling, ECPA’s requirements have been “inconsistent, confusing, and uncertain,” as Richard Salgado, Google’s legal director of law enforcement and information security, has put it. IRS emails obtained by the ACLU demonstrate this, as they suggest that that the IRS avoided having to always obtain a warrant by continuing to exploit the ECPA loophole. The loophole enables authorities to get their hands on emails older than 180 days with an administrative subpoena—which requires merely showing that the information sought is “relevant” to an ongoing investigation. A special counsel for the IRS in one email exchange seems dismissive of the Warshak ruling, stating that “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old”—implying that emails more than 180 days old can still be obtained by other, easier means. (It’s possible that other agencies have adopted a similar position, given the confusion over ECPA. The ACLU says it has lodged FOIA requests with the FBI and other components of the Justice Department to find out.)
Last month, lawmakers proposed new legislation that aims to update ECPA by scrapping the contentious 180-days clause. Even the Justice Department—which rarely takes the same side as civil liberties advocates—is backing the change: In March, a DOJ representative admitted to the House judiciary committee that there is “no principled basis to treat email less than 180 days old differently than email more than 180 days old.” This marked a stark reversal for the DOJ, which had previously been aggressively opposed to privacy-enhancing reforms of ECPA.
The ACLU is criticizing the IRS for its lack of clarity on the issue and demanding that the agency “let the American public know whether it obtains warrants across the board when accessing people’s email.” The rights group is also calling on the IRS to “formally amend its policies to require its agents to obtain warrants when seeking the contents of emails, without regard to their age.”
It’s worth noting, though, that not all providers will play along if the IRS is still attempting to obtain emails without a warrant. Earlier this year, in a move lauded by privacy groups, Google said that it is effectively ignoring the 180-days ECPA loophole by always requiring a search warrant from authorities seeking to obtain user content stored using its Gmail, Google Drive, or other services. It is unclear whether other providers—such as Microsoft and Yahoo—have similar policies.
The IRS did not immediately respond to a request for comment. I’ll update this post as and when I receive anything.