Hill Takes Another Crack at ECPA Reform
Senate Judiciary Committee Chairman Pat Leahy, D-Vt., and Sen. Mike Lee, R-Utah, introduced a bill Tuesday aimed at modernizing the 27-year-old Electronic Communications Privacy Act (ECPA). The ECPA Amendments Act seeks to update privacy laws to improve protections for electronic communications stored or maintained by third party service providers, according to a review of the legislation (http://1.usa.gov/WBxwf7). The bill drops a provision in Leahy’s 2011 ECPA Amendments bill (S-1011) that would have required the government to obtain a warrant or a court order to access or use an individual’s geolocation information from smartphones or other electronic communications devices, Leahy’s spokesman confirmed. Privacy advocates generally supported the aims of the bill, but some House lawmakers acknowledged it may be difficult to increase online privacy protections without hampering law enforcement investigations.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Leahy’s new bill requires federal agencies to obtain search warrants, based on probable cause, in order to compel a provider of “remote computing service or electronic communications service” to disclose the content of a subscriber’s electronic communications, the legislation said. The bill would prohibit service providers from voluntarily disclosing their users’ communications to any governmental entity and eliminate the “180 day rule” in the current law for federal access to email content. Under the bill, law enforcement agencies would have to notify an individual whose email content is obtained and provide a copy of the search warrant within ten business days of their receipt of the communications. The legislation permits notice to be delayed for 180 days if the requester is a federal entity and 90 days for a civil or administrative enforcement agency. The bill would require service providers to notify the government if they plan to inform a subscriber that their electronic communications have been disclosed to the government. The government would be able to use an administrative or grand jury subpoena to request subscriber data like names addresses, and browsing data, the bill said. Any communications obtained through the Wiretap Act or the Foreign Intelligence Surveillance Act would not be subject to any of the provisions of the legislation.
Privacy laws “written in an analog era are no longer suited for privacy threats we face in a digital world,” said Leahy, who sponsored ECPA in 1986, in a press release. “The 113th Congress has an important opportunity to address the digital privacy challenges that Americans face today,” he said. “We should do so by enacting the commonsense privacy reforms contained in this bill.” Earlier this year, Leahy said privacy would be at the forefront of his technology priorities for the committee during this Congress (CD Jan 17 p3). Lee said the bill takes an “essential step toward ensuring that the private life of Americans remains private.”
ACLU Legislative Counsel Chris Calabrese said he was pleased to see bipartisan support for the bill, which he said “closes loopholes that allow the government to access years and years of Americans’ communications without any need to prove to a judge that a person is suspected of a crime.” Calabrese told us Leahy likely dropped the geolocation provision from the bill in order to increase its likelihood of passage. “It has become clear that location and content bills are both moving but they are moving on different tracks,” he said. “We clearly want to do both. We are supportive of both a content fix and a warrant for location tracking. But we are not going to stand in their way of getting a content bill passed.”
The balancing act required to modernize and reform ECPA will be a “tough nut to crack,” said Rep. James Sensenbrenner, R-Wis., the chairman of the House Judiciary Subcommittee on Crime, Terrorism, Homeland Security and Investigations. The difficulty is crafting legislation that protects the privacy of Americans while serving the needs of law enforcement officials to investigate those who use the Internet for criminal purposes, he said at Tuesday’s subcommittee hearing. Witnesses testified that changes to modernize the law should be considered, but Justice department officials said the changes should not hamper law enforcement investigations.
Sensenbrenner minced no words about his disappointment with the current protections in the law: “The different standards between a warrant and a subpoena are outdated and probably unconstitutional. I think we are going to have to require more probable cause on most of the stuff that you can get from a subpoena, at least in criminal investigations,” he said. “I also think 180 days is too short to require the retention of material.”
House Judiciary Committee Chairman Bob Goodlatte, R-Va., acknowledged that ECPA was intended to regulate a technological environment that would seem “ancient” compared with today’s marketplace. Nevertheless the original tenets of the law to establish a balance between privacy and law enforcement and advance the goal of supporting technological advancement must be preserved in any reform effort, he said. “ECPA reform must be undertaken so that despite the evolution of technology and its use in the world, the constitutional protections reinforced under ECPA will endure,” he said. Subcommittee Ranking Member, Bobby Scott, D-Va., said greater clarity is required to “provide the protection of the privacy rights expected by our citizens.” House Judiciary Committee Ranking Member John Conyers, D-Mich., said ECPA does not “adequately protect communications” saved into the cloud by third parties and said the government needs to show probable cause in order to access individual’s email content.
Elana Tyrangiel, acting assistant attorney general for the office of legal policy, told lawmakers their reform efforts can best enhance privacy by requiring law enforcement officials to obtain a warrant based on probable cause to compel service providers to disclose individual email or other online content. She said there’s “no principled basis to treat email less than 180 days old differently than email more than 180 days old.” She said “it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.” Sensenbrenner said he thought Tyrangiel was “ill-prepared” for the hearing and said he was disappointed by what he thought was her failure to provide adequate responses to his colleagues’ questions.
ECPA reform is a “top priority” for TechAmerica, said Kevin Richards, the group’s senior vice president-federal government affairs. “This legislation presents a big step toward making sure that the information Americans store in the cloud receives the same level of protection as the information stored in the physical world,” he said. Center for Democracy & Technology Senior Counsel Greg Nojeim called the legislation “common sense reform,” which would “help extend Fourth Amendment rights in the Internet age,” according to a press release following the bill’s introduction.