California has officially passed a law requiring police to get a warrant before collecting citizens' emails, IP addresses, or other electronic information. The California Electronic Communications Privacy Act, signed by Governor Jerry Brown yesterday, has been lauded by organizations like the EFF and ACLU, with the latter calling it "a landmark win for digital privacy and all Californians." It raises the bar for just about any kind of digital surveillance, whether that involves police requesting user information from a company or collecting it themselves.
Under CalECPA, law enforcement will need to justify the data collection and describe its scope, getting either a search warrant or a court wiretap order. The broad rule covers requiring a service provider to give up information, as well as gathering any data "by means of physical interaction or electronic communication with the electronic device." As in most similar laws, exceptions are carved out for emergency cases.
As Ars Technica points out, this definition should apply to Stingrays, surveillance devices that capture information from phones by impersonating a cell tower. Both federal law enforcement and local police have used Stingrays for years, often with little transparency or oversight. The Sacramento County Sheriff's Department, for instance, has used them 500 times over 10 years without a warrant. Under pressure, the department later promised to get judicial review — but not specifically a warrant — before gathering data with them. Other states, including Washington, have passed new laws governing the use of Stingrays. And on a federal level, the Department of Justice vowed last month to obtain a warrant whenever deploying the technology.