ECPA Reform Bill to Modernize Electronic Privacy Protections
Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., introduced a bill that would modernize the Electronic Communications Privacy Act (ECPA). Leahy, who helped write the 25-year-old law that restricts federal access to private electronic communications, announced the Electronic Communications Privacy Act Amendments of 2011 (S-1011) via Twitter early Tuesday afternoon. Privacy groups called the bill a “good first step” but some questioned whether it can sufficiently address location-based data concerns.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Leahy’s bill is intended to “fill the gaps” in existing electronic privacy laws and offers new privacy protections for cloud and location-based data as well as enhanced protections for e-mail, text messages, social networking messages and other electronic communications, the legislation said. The bill also contains cybersecurity provisions that permit service providers to disclose content related to cyberattacks and enhanced law enforcement provisions.
The proposed ECPA amendments require federal agencies to obtain search warrants, based on probable cause, in order to compel a service provider to disclose the content of a customer’s electronic communications, the legislation says. With some exceptions, the bill also requires the government to obtain a warrant or a court order to access or use an individual’s geolocation information from smartphones or other electronic communications devices. These provisions would replace the “180-day rule” for federal access to e-mail content in the current law and prohibit service providers from disclosing customer content to the government without a warrant.
ECPA provisions are “significantly outdated and outpaced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11,” Leahy said in a press release. “The balanced reforms in this bill will help ensure that our federal privacy laws address the many dangers to personal privacy posed by the rapid advances in electronic communications technologies.”
The current law is unwieldy, complex and difficult for judges to apply to modern technologies, according to a recently released Congressional Research Service report. The report said that the evolution and increased adoption of cloud computing pose particular challenges to the current ECPA framework. “When law enforcement officials seek data or files stored in the cloud, such as Web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data stored on an individual’s personal or business hard drive,” the report said.
Federal agencies can delay notification of any access to an individual’s electronic communications in order to protect national security or “the integrity of a government investigation,” the bill said. Law enforcement agencies may seek a court order to delay notification for 90 days and may extend the delay for an additional 90 days with a subsequent court order. “I think it’s important for law enforcement because it finally gives them a clear standard,” said James Dempsey, the Center for Democracy and Technology’s vice president of public policy.
The bill also has important implications for mobile industry players, said Dempsey. Although the Leahy bill only deals with federal access to consumer information, the legislation establishes a “very clear legal standard to help [mobile service providers] assure their customers that the information is being carefully protected,” he told us after an ECPA event sponsored by the Brookings Institution. Last week Leahy said that ECPA provisions should apply more broadly to mobile providers and mobile applications, during a Senate Privacy Subcommittee hearing chaired by Al Franken, D-Minn. (CD May 11 p11).
But Leahy’s proposed amendments are insufficient to address the expansive ecosystem of location-based services, said Albert Gidari, a privacy attorney at Perkins Coie LLP and panelist at the event. Gidari represented Google in its successful motion to stop a Justice Department demand for its Web search queries. The legislation will “inevitably fall short because it does not encompass the whole framework of the location ecosystem that is out there today,” he said. Instead consumers will remain subject to “a hodgepodge of common law of the provider making the decisions” on what to do with location-based information.
The bill is a “good first step” toward modernizing a law that is in “desperate need of an update,” said Laura Murphy, director of the ACLU’s Washington legislative office. “It should be common sense that the information we store and share online should have the same level of Fourth Amendment protections from government intrusion as our offline papers and effects,” she said. The Software and Information Industry Association (SIIA) said the bill revising the current law is a “big step forward” in protecting the data that Americans store on cloud computing networks. “The legal framework provided by [the existing] ECPA leaves both providers and users of remote computing with a complex and baffling set of rules that are both difficult to explain and apply,” said SIIA President Ken Wasch.