Chairwoman Mary Jo White said the commission isn’t using subpoenas to acquire emails from ISPs, despite a long-running defense of the practice.
The head of the Securities and Exchange Commission admitted Wednesday her agency has not recently used subpoenas to obtain Americans' email records from Internet services providers—a disclosure that stunned privacy advocates who have accused the agency of defending the practice to block reforms to a decades-old digital-privacy law.
SEC Chairwoman Mary Jo White made the revelation during testimony before the House Appropriations financial-services subcommittee.
"We've not, to date, to my knowledge, proceeded to subpoena the ISPs," White said. "But that is something that we think is a critical authority to be able to maintain, done in the right way and with sufficient solicitousness."
White reiterated that SEC is still worried about what information it was missing by not using the subpoena authority to aid its investigations into financial fraud, but she said that the commission has not engaged in the practice while debate over its use has been ongoing.
The quiet acknowledgment was quickly hailed by privacy advocates, who have long derided SEC for single-handedly obstructing efforts to update the 1986 Electronic Communications Privacy Act, or "ECPA."
"With this revelation, we may have cleared a major hurdle in digital-privacy reform, as the SEC was the lone government-agency holdout engaging in this practice," Rep. Kevin Yoder, a Kansas Republican, said in a Facebook post after the hearing.
Federal law does not require law enforcement to obtain a warrant to read emails or other forms of online communication—such as documents saved on a cloud service—if they are more than 180 days old. For such messages, only a subpoena, which requires a lower threshold of judicial approval, is required.
House and Senate lawmakers reintroduced bipartisan legislation earlier this year that would change that standard. The legislation would require law enforcement to obtain a search warrant before accessing the content of Americans' emails. The House version of the bill, authored by Yoder and Rep. Jared Polis, has racked up 261 cosponsors.
But while the Justice Department and other agencies have been supportive of changing the law, SEC has for years cautioned against changes that would limit its subpoena authority.
Because of its posturing, many lawmakers and privacy groups had assumed that SEC currently engages in subpoena-powered email grabs. An aide said Yoder was "taken aback" by White's testimony on Wednesday when she indicated that was not the case. "He was quite surprised by that."
SEC did not immediately respond to a request for comment regarding its current policy governing subpoena use.
Indeed, White's acknowledgment appears to be inconsistent—or at least more forthcoming—than earlier testimony and public comments about the matter. A letter she wrote in 2013 to Sen. Patrick Leahy, then the chairman of Senate Judiciary Committee, defended the use of ISP subpoenas as vital to SEC investigations.
"Because persons who violate the law frequently do not retain copies of incriminating communications or may choose not to provide the emails in response to commission subpoenas, the SEC has often sought the contents of electronic communications directly from Internet service providers," White wrote at the time.
White's letter did not explicitly state whether SEC was still obtaining email records from ISPs with only a subpoena, though she did say the commission had "historically" relied on the ECPA authority to do so.
White's revelation "really casts doubt on the whole idea that this is a critical authority," said Chris Calabrese, senior policy director at the Center for Democracy & Technology. "The chairwoman of the SEC just admitted that she hasn't used the power that has been holding up ECPA reform. … That's a pretty significant admission."
The U.S. Sixth Circuit Court of Appeals ruled in 2010 that the Fourth Amendment generally protected email communications, even when those conversations were stored on a server owned by a third-party provider, such as Google or Microsoft. But SEC has requested an exemption from the warrant requirement, arguing that because it is a civilian agency and not a law-enforcement entity, it should retain subpoena powers.