Skip to main content

Filed under:

The ECPA Modernization Act: reforming data privacy laws for the modern web

The Electronic Communications Privacy Act was passed in 1986 — long before smartphones and cloud computing would take off — but our private data continues to be governed by it. The proliferation of offsite storage has made it easy for law enforcement to access data without a warrant. Now, recent legislation aims to overhaul the ECPA, for better or for worse. Follow along here to see the latest updates on the ECPA Modernization Act.

  • Dante D'Orazio

    Jun 17, 2013

    Dante D'Orazio

    Texas first state to mandate warrants for email surveillance

    SHUTTERSTOCK Texas flag
    SHUTTERSTOCK Texas flag

    Texas Governor Rick Perry has signed a bill into law that mandates law enforcement get a warrant to access emails. The bill (HB 2268), addresses the outdated 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement to obtain emails without a warrant if they are marked as "read" or if they are over 180 days old. In those situations, authorities only require a subpoena to gain access because they are considered abandoned. The bill signed into law today only covers Texans at the state and local levels from this dated understanding of digital communications, but it is said to be the first such law on the books in the US. Work is underway at the federal level, however, to modernize the ECPA: back in April a bipartisan Senate committee unanimously voted to bring the ECPA Amendments Act to the Senate floor for a vote.

    Read Article >
  • FBI maintains it can access emails without a warrant, internal document reveals

    FBI2
    FBI2

    The FBI still holds that it can access private emails without a warrant, according to a 2012 internal document released today by the American Civil Liberties Union. The practice has been in question since a 2010 federal court ruling found that Fourth Amendment rights extend to emails stored in the cloud. But while the ruling offers legal guidance on how to obtain digital communications during an investigation, it only applies to four states because of the court's jurisdiction.

    Rather than following the ruling's guidance, the FBI is still including an Electronic Communications Privacy Act (ECPA)-granted ability within its Domestic Investigations and Operations Guide, which would allow the organization to obtain relevant, opened emails more than 180 days old without a warrant. It's unclear whether the organization has used this ability, but it claims to be operating within applicable legal rules. According to CNET, the FBI said in a statement that it obtains all evidence in accordance with US laws and regulations.

    Read Article >
  • Carl Franzen

    Apr 25, 2013

    Carl Franzen

    Senate committee passes ECPA bill to increase email privacy, full floor vote next

    Senator Patrick Leahy
    Senator Patrick Leahy

    A bipartisan Senate committee just voted unanimously to advance a privacy reform bill that would tighten the restrictions on how the government and law enforcement can access user email and other electronic messages in investigations. Called the ECPA Amendments Act, the bill would modify the 1986 Electronic Communications Privacy Act (ECPA) to require government and law enforcement agencies to get a warrant for all types of electronic communications regardless of whether or not they had been read by the user, and no matter how old they are.

    Read Article >
  • T.C. Sottek

    Apr 16, 2013

    T.C. Sottek

    Internal Revenue Service denies searching email without a warrant

    Washington Monument
    Washington Monument

    Internal IRS employee manuals and memos released by the American Civil Liberties Union last week suggested that the Internal Revenue Service may be reading private email without a warrant, but the tax agency today denied the claims in a Congressional hearing. As The Hill reports, IRS Commissioner Steven Miller told senators that the agency "is not taking that position," and that the IRS obtains a search warrant before requesting emails from an ISP in criminal investigations.

    The ACLU's Freedom of Information Act request to the IRS uncovered a 2009 handbook in which the IRS stated that the Fourth Amendment does not protect emails — a symptom, critics claim, of the outdated Electronic Communications Privacy Act (ECPA). While the ECPA has neared reform in recent months, the current guidelines were established in 1986, allowing law enforcement officials to search emails without a warrant provided they've been stored in the cloud for at least 180 days and are declared "relevant" to an investigation.

    Read Article >
  • Carl Franzen

    Mar 19, 2013

    Carl Franzen

    Justice Department changes stance, now supports search warrants to access user email

    DOJ11
    DOJ11

    The US Justice Department says it's now willing to consider getting search warrants to access almost all types of user emails, a stark change from its previous arguments that it could use a less-strict subpoena for reading emails that users had already opened or that were older than 180 days. "We agree [...] that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old," said Justice Department attorney Elana Tyrangiel in her testimony before House lawmakers today, later adding that her agency would also support changing federal laws to treat opened and unopened emails the same way, too.

    The move comes after privacy advocates and companies including Google have spent the past several years urging Congress to reform the current law, the Electronic Communications Privacy Act of 1986 (ECPA), to require search warrants for all emails. Google also testified in the same hearing as the Justice Department this morning, saying that ECPA "fails" to protect user privacy, and that the inconsistencies in how courts have applied the law across the US have made it difficult for it and other cloud-based companies to respond to legal requests appropriately.

    Read Article >
  • Carl Franzen

    Mar 19, 2013

    Carl Franzen

    Google testifies to Congress calling for more email privacy, says current law 'fails'

    US Capitol 5 (Verge Stock)
    US Capitol 5 (Verge Stock)

    Google's legal director Richard Salgado is due to testify before a committee at the House of Representatives this morning on reforming email privacy law to help both users and Google. In prepared remarks published on Google's Public Policy Blog today, Salgado says the 1986 Electronic Communications Privacy Act (ECPA) was good when it was enacted, but that times have changed and so much user content is now cloud-based that the law has created "inconsistent, confusing, and uncertain standards" and that "the law fails to preserve the reasonable privacy expectations of Americans today."

    Read Article >
  • Janus Kopfstein

    Mar 7, 2013

    Janus Kopfstein

    Privacy bill would ban police from getting email and location data without a warrant

    Google Congress
    Google Congress

    Privacy advocates in Congress have introduced another bi-partisan bill attempting to amend decades-old legislation that has allowed police and government to search private data without a warrant. The bill, called the Online Communications and Geolocation Privacy Act, looks to fix the severely outdated Electronic Communications Privacy Act of 1986 so that email and location data stored by third parties like Google or AT&T receive the same warrant protections as data stored on a personal computer.

    "Fourth Amendment protections don’t stop at the Internet. Americans expect Constitutional protections to extend to their online communications and location data," Rep. Zoe Lofgren (D-CA), one of the bill's co-sponsors, said in an email statement. "Establishing a warrant standard for government access to cloud and geolocation provides Americans with the privacy protections they expect, and would enable service providers to foster greater trust with their users and international trading partners." Lofgren, one of the key voices in the fight against SOPA and PIPA, has been especially vocal on the issue, and is pressing the legislation with the support of Ted Poe (R-TX) and Suzan DelBene (D-WA).

    Read Article >
  • Janus Kopfstein

    Mar 5, 2013

    Janus Kopfstein

    Google begins offering vague estimates on secret FBI surveillance

    google transparency report 1020
    google transparency report 1020

    Google's bi-annual Transparency Reports have sought to provide users with detailed information on how frequently governments request and gain access to their private data through search warrants and court subpoenas. But there's one highly secretive, often misused, and increasingly common method that members of law enforcement use to get data which has never been included in the reports: the National Security Letter, or NSL.

    Read Article >
  • Dieter Bohn

    Jan 26, 2013

    Dieter Bohn

    Google, Microsoft, Yahoo, and Facebook say they require warrants to give over private content

    Google, Microsoft, Yahoo, and Facebook all say that they require full warrants in order to provide the contents of emails and messages to government entities, The Hill reports. That's a higher standard than currently required by US law, which as of now is largely defined by the Electronic Communications Privacy Act (ECPA). The ECPA was passed in 1986 and sets a relatively low bar for accessing private data — but Senator Patrick Leahy has been trying to pass a revision that would require warrants, though the bill stalled out in the last Congress.

    While the update for the ECPA is pending, those four companies all gave The Hill variations on the same statement, that they have policies that require a warrant before providing the content of messages. Those policies aren't backed by the force of law yet, however, and there are other reasons for users to still be concerned about how much data government entities can get from these companies without a warrant.

    Read Article >
  • Chris Welch

    Nov 29, 2012

    Chris Welch

    Senate Judiciary Committee approves bill requiring authorities to obtain warrants for email records

    Senator Patrick Leahy
    Senator Patrick Leahy

    The US Senate Judiciary Committee today approved a bill that would require authorities to produce warrants illustrating probable cause before retrieving email records and other data stored on the web. Though the committee voted overwhelmingly in favor of the measure, which would amend the Electronic Communications Privacy Act, the changes face a rocky road to becoming law as they'll need to gain passage among the full Senate and House of Representatives. Sponsoring the bill is Senator Patrick Leahy, who just last week was the fixture of a controversy that alleged lawmakers were planning to loosen such privacy restrictions for federal agencies — a rumor that the senator quickly denied.

    Instead, the amendments will eliminate the "180-day rule" that permits authorities to obtain email records without a warrant so long as they've been stored online for that designated period of time. The government gains some new levels of secrecy thanks to the bill, however, as it grants them the power to delay alerting individuals whose data has been disclosed for 90-days — an interval that can be repeated if deemed appropriate. The government also maintains the right to subpoena ISPs for select customer records. Unfortunately more compromises will likely need to be made for the amendments to rally the necessary support, with law enforcement agencies continuing to push back against tighter procedures. The privacy changes were attached to measures with widespread support that will allow Netflix to publish user viewing data on Facebook after customers opt in.

    Read Article >
  • T.C. Sottek

    Nov 27, 2012

    T.C. Sottek

    Important federal privacy law set for Senate committee vote on Thursday

    constitution2
    constitution2

    On Thursday, the Senate Judiciary Committee will vote on HR 2471: a bill that will update a 1986 law called the Electronic Communications Privacy Act (ECPA). The original law was written years before the World Wide Web became a real thing that millions of people around the world use, and its authors didn't anticipate the explosion of mobile technologies or consumer data giants like Google and Facebook. As our own Joshua Kopstein pointed out, the sole reference point for our government's guidelines on data privacy is more than two decades old. While that doesn't seem like a lot of time up against the entire span of American civilization, it's an eternity in the age of the internet — a gap that's caused problems for citizens and law enforcement agencies trying to deal with a world that's very different from the one the bill was born into.

    For starters, electronic searches are not settled as a matter of law. As the Electronic Frontier Foundation tells The New York Times, "the courts are all over the place. They can't even agree if there's a reasonable expectation of privacy in text messages that would trigger Fourth Amendment protection." In recent years, only limited cases have been decided definitively: the Supreme Court ruled in January that law enforcement agents need warrants to track criminal suspects with GPS, but the case left other questions surrounding electronic surveillance unsettled. And considering the proliferation of government requests for private data from companies like Google and Twitter, there's a very clear need for new legislation to deal with electronic privacy.

    Read Article >
  • T.C. Sottek

    Nov 20, 2012

    T.C. Sottek

    Privacy bill reportedly rewritten to allow federal agencies to access your data without a warrant (updated)

    Senator Patrick Leahy
    Senator Patrick Leahy

    CNET reports that an update to the Electronic Communications Privacy Act (ECPA) re-authorization bill would completley reverse the intended protections of the original bill by allowing more than 22 federal agencies, including law enforcement agencies and the FCC, to read email and access other electronic files without a search warrant. The original ECPA, passed in 1986, is the only source of current federal guidelines on data privacy in the US and is in need of an update — and the ECPA Modernization Act originally would have required that law enforcement requests for cloud data be accompanied by a warrant. But if Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has his revised bill passed, American citizens could lose an important defense against secret electronic surveillance.

    CNET says the revised bill would allow law enforcement and other federal agencies to access cloud data like email, Facebook posts, and Twitter messages simply by issuing a subpoena — or by claiming that an "emergency" situation exists. The report says that the bill would allow state and local law enforcement groups to access data stored on private systems like university networks. Additionally, the bill would keep warrantless spying secret for longer: it reportedly would require ISPs to notify law enforcement before telling customers that they are the target of a search, and allow notification for customers whose accounts have been accessed to be postponed for up to 360 days.

    Read Article >
  • Janus Kopfstein

    Aug 10, 2012

    Janus Kopfstein

    It's time to reformat data privacy for the 21st century, but does Congress want the upgrade?

    Google Congress
    Google Congress

    In 1986, years before the emergence of the World Wide Web, few people expected that the whole "internet" thing would take off. Nor did they anticipate the widespread use of cellphones, or that a good deal of our day-to-day activities would be mediated by monolithic info-vacuums like Google and Facebook, thus placing troves of our most sensitive information into private third party databanks.

    And yet it was during this time that the Electronic Communications Privacy Act (ECPA), the sole reference point for our current guidelines on data privacy, was written into law. For more than two decades, the ECPA has been American citizens' only defense against unchecked electronic surveillance. And since it was framed during a time when most peoples' email lived on local machines and ubiquitous cloud storage was nothing more than a pipe dream, ECPA's outdated text gives law enforcement broad and dangerous powers over private data that regularly collide with First and Fourth Amendment rights.

    Read Article >