The ECPA Modernization Act: reforming data privacy laws for the modern web

Texas Governor Rick Perry has signed a bill into law that mandates law enforcement get a warrant to access emails. The bill (HB 2268), addresses the outdated 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement to obtain emails without a warrant if they are marked as "read" or if they are over 180 days old. In those situations, authorities only require a subpoena to gain access because they are considered abandoned. The bill signed into law today only covers Texans at the state and local levels from this dated understanding of digital communications, but it is said to be the first such law on the books in the US. Work is underway at the federal level, however, to modernize the ECPA: back in April a bipartisan Senate committee unanimously voted to bring the ECPA Amendments Act to the Senate floor for a vote.

The FBI still holds that it can access private emails without a warrant, according to a 2012 internal document released today by the American Civil Liberties Union. The practice has been in question since a 2010 federal court ruling found that Fourth Amendment rights extend to emails stored in the cloud. But while the ruling offers legal guidance on how to obtain digital communications during an investigation, it only applies to four states because of the court's jurisdiction.

Rather than following the ruling's guidance, the FBI is still including an Electronic Communications Privacy Act (ECPA)-granted ability within its Domestic Investigations and Operations Guide, which would allow the organization to obtain relevant, opened emails more than 180 days old without a warrant. It's unclear whether the organization has used this ability, but it claims to be operating within applicable legal rules. According to CNET, the FBI said in a statement that it obtains all evidence in accordance with US laws and regulations.

A bipartisan Senate committee just voted unanimously to advance a privacy reform bill that would tighten the restrictions on how the government and law enforcement can access user email and other electronic messages in investigations. Called the ECPA Amendments Act, the bill would modify the 1986 Electronic Communications Privacy Act (ECPA) to require government and law enforcement agencies to get a warrant for all types of electronic communications regardless of whether or not they had been read by the user, and no matter how old they are.

Internal IRS employee manuals and memos released by the American Civil Liberties Union last week suggested that the Internal Revenue Service may be reading private email without a warrant, but the tax agency today denied the claims in a Congressional hearing. As The Hill reports, IRS Commissioner Steven Miller told senators that the agency "is not taking that position," and that the IRS obtains a search warrant before requesting emails from an ISP in criminal investigations.

The ACLU's Freedom of Information Act request to the IRS uncovered a 2009 handbook in which the IRS stated that the Fourth Amendment does not protect emails — a symptom, critics claim, of the outdated Electronic Communications Privacy Act (ECPA). While the ECPA has neared reform in recent months, the current guidelines were established in 1986, allowing law enforcement officials to search emails without a warrant provided they've been stored in the cloud for at least 180 days and are declared "relevant" to an investigation.

The US Justice Department says it's now willing to consider getting search warrants to access almost all types of user emails, a stark change from its previous arguments that it could use a less-strict subpoena for reading emails that users had already opened or that were older than 180 days. "We agree [...] that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old," said Justice Department attorney Elana Tyrangiel in her testimony before House lawmakers today, later adding that her agency would also support changing federal laws to treat opened and unopened emails the same way, too.

The move comes after privacy advocates and companies including Google have spent the past several years urging Congress to reform the current law, the Electronic Communications Privacy Act of 1986 (ECPA), to require search warrants for all emails. Google also testified in the same hearing as the Justice Department this morning, saying that ECPA "fails" to protect user privacy, and that the inconsistencies in how courts have applied the law across the US have made it difficult for it and other cloud-based companies to respond to legal requests appropriately.

Google's legal director Richard Salgado is due to testify before a committee at the House of Representatives this morning on reforming email privacy law to help both users and Google. In prepared remarks published on Google's Public Policy Blog today, Salgado says the 1986 Electronic Communications Privacy Act (ECPA) was good when it was enacted, but that times have changed and so much user content is now cloud-based that the law has created "inconsistent, confusing, and uncertain standards" and that "the law fails to preserve the reasonable privacy expectations of Americans today."

Privacy advocates in Congress have introduced another bi-partisan bill attempting to amend decades-old legislation that has allowed police and government to search private data without a warrant. The bill, called the Online Communications and Geolocation Privacy Act, looks to fix the severely outdated Electronic Communications Privacy Act of 1986 so that email and location data stored by third parties like Google or AT&T receive the same warrant protections as data stored on a personal computer.

"Fourth Amendment protections don’t stop at the Internet. Americans expect Constitutional protections to extend to their online communications and location data," Rep. Zoe Lofgren (D-CA), one of the bill's co-sponsors, said in an email statement. "Establishing a warrant standard for government access to cloud and geolocation provides Americans with the privacy protections they expect, and would enable service providers to foster greater trust with their users and international trading partners." Lofgren, one of the key voices in the fight against SOPA and PIPA, has been especially vocal on the issue, and is pressing the legislation with the support of Ted Poe (R-TX) and Suzan DelBene (D-WA).

Google's bi-annual Transparency Reports have sought to provide users with detailed information on how frequently governments request and gain access to their private data through search warrants and court subpoenas. But there's one highly secretive, often misused, and increasingly common method that members of law enforcement use to get data which has never been included in the reports: the National Security Letter, or NSL.

Google, Microsoft, Yahoo, and Facebook all say that they require full warrants in order to provide the contents of emails and messages to government entities, The Hill reports. That's a higher standard than currently required by US law, which as of now is largely defined by the Electronic Communications Privacy Act (ECPA). The ECPA was passed in 1986 and sets a relatively low bar for accessing private data — but Senator Patrick Leahy has been trying to pass a revision that would require warrants, though the bill stalled out in the last Congress.

While the update for the ECPA is pending, those four companies all gave The Hill variations on the same statement, that they have policies that require a warrant before providing the content of messages. Those policies aren't backed by the force of law yet, however, and there are other reasons for users to still be concerned about how much data government entities can get from these companies without a warrant.

The US Senate Judiciary Committee today approved a bill that would require authorities to produce warrants illustrating probable cause before retrieving email records and other data stored on the web. Though the committee voted overwhelmingly in favor of the measure, which would amend the Electronic Communications Privacy Act, the changes face a rocky road to becoming law as they'll need to gain passage among the full Senate and House of Representatives. Sponsoring the bill is Senator Patrick Leahy, who just last week was the fixture of a controversy that alleged lawmakers were planning to loosen such privacy restrictions for federal agencies — a rumor that the senator quickly denied.

Instead, the amendments will eliminate the "180-day rule" that permits authorities to obtain email records without a warrant so long as they've been stored online for that designated period of time. The government gains some new levels of secrecy thanks to the bill, however, as it grants them the power to delay alerting individuals whose data has been disclosed for 90-days — an interval that can be repeated if deemed appropriate. The government also maintains the right to subpoena ISPs for select customer records. Unfortunately more compromises will likely need to be made for the amendments to rally the necessary support, with law enforcement agencies continuing to push back against tighter procedures. The privacy changes were attached to measures with widespread support that will allow Netflix to publish user viewing data on Facebook after customers opt in.

On Thursday, the Senate Judiciary Committee will vote on HR 2471: a bill that will update a 1986 law called the Electronic Communications Privacy Act (ECPA). The original law was written years before the World Wide Web became a real thing that millions of people around the world use, and its authors didn't anticipate the explosion of mobile technologies or consumer data giants like Google and Facebook. As our own Joshua Kopstein pointed out, the sole reference point for our government's guidelines on data privacy is more than two decades old. While that doesn't seem like a lot of time up against the entire span of American civilization, it's an eternity in the age of the internet — a gap that's caused problems for citizens and law enforcement agencies trying to deal with a world that's very different from the one the bill was born into.

For starters, electronic searches are not settled as a matter of law. As the Electronic Frontier Foundation tells The New York Times, "the courts are all over the place. They can't even agree if there's a reasonable expectation of privacy in text messages that would trigger Fourth Amendment protection." In recent years, only limited cases have been decided definitively: the Supreme Court ruled in January that law enforcement agents need warrants to track criminal suspects with GPS, but the case left other questions surrounding electronic surveillance unsettled. And considering the proliferation of government requests for private data from companies like Google and Twitter, there's a very clear need for new legislation to deal with electronic privacy.

CNET reports that an update to the Electronic Communications Privacy Act (ECPA) re-authorization bill would completley reverse the intended protections of the original bill by allowing more than 22 federal agencies, including law enforcement agencies and the FCC, to read email and access other electronic files without a search warrant. The original ECPA, passed in 1986, is the only source of current federal guidelines on data privacy in the US and is in need of an update — and the ECPA Modernization Act originally would have required that law enforcement requests for cloud data be accompanied by a warrant. But if Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has his revised bill passed, American citizens could lose an important defense against secret electronic surveillance.

CNET says the revised bill would allow law enforcement and other federal agencies to access cloud data like email, Facebook posts, and Twitter messages simply by issuing a subpoena — or by claiming that an "emergency" situation exists. The report says that the bill would allow state and local law enforcement groups to access data stored on private systems like university networks. Additionally, the bill would keep warrantless spying secret for longer: it reportedly would require ISPs to notify law enforcement before telling customers that they are the target of a search, and allow notification for customers whose accounts have been accessed to be postponed for up to 360 days.