Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies.
The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act (ECPA), which has been criticized for being woefully outdated, given the rise of the Internet of Things and how people currently share, store, and use information. Accordingly, many have publicly called for Congress to completely overhaul the Reagan-era statute.
Current Framework: The ECPA
Although ECPA has undergone amendment since its passage in 1986, the most scrutinized aspects of the law, such as those related to email retention, remain unchanged from when it was passed more than 30 years ago.
ECPA currently requires law enforcement officials to obtain a warrant in order to access data less than 180 days old. A warrant requirement is a strict legal standard, requiring that any request be supported by probable cause – a reasonable suspicion of criminal activity based on articulable facts.
However, if the data is more than 180 days old, ECPA considers those older communications to be abandoned, and therefore not subject to a reasonable expectation of privacy. Thus, law enforcement officials are entitled to access those emails and other electronic communications without a warrant. Instead, government officials need only issue a subpoena for the information or obtain a court order.
This aspect of the law was drafted in the mid-1980s—a time when the World Wide Web did not exist and emails were temporarily stored by third-party email service providers, and typically deleted soon after transmission to the recipient’s mail client located on a computer hard drive because of storage constraints. With the rise of cloud computing technology and the wide subscription to online email services (or “webmail” services) like Gmail and Yahoo!, email service providers and cloud computing companies have massively increased the amount of data they store for longer periods of time.
This shift in how people collect and store data has left the U.S. government with broader access to electronic data stored by third parties—a result many argue runs counter to the spirit of the rule given ECPA’s original purpose: “to achieve a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement.” Thus, many have advocated for years that ECPA undergo a dramatic facelift.
The Proposed Bills
Each of the proposed Senate bills employs different policies to address certain criticisms about how the ECPA be should be modernized, such as gag rule reform and the elimination of arbitrary inconsistencies in the law.
The Email Privacy Act (S.B. 1654) was introduced July 27 by a bipartisan coalition of Senators Mike Lee (R-Utah), Pat Leahy (D-Vt.), Dean Heller (R-Nev.), Jeanne Shaheen (D-N.H.), Steve Daines (R-Mont.), Cory Gardner (R-Colo.), and Al Franken (D-Minn.). This Senate bill would update ECPA to require law enforcement agencies to obtain a search warrant before accessing consumer communications no matter how long they are stored. Commenting on the bill, Sen. Lee noted, “Americans now expect that their email communications will have the same privacy protections as their written communications. This bill would provide that common sense protection.”
The ECPA Modernization Act (S.B. 1657), also introduced by Sen. Lee and co-sponsored by Sen. Leahy, includes a warrant requirement for access to consumer communications, along with other Fourth Amendment protections for citizens, such as requiring government officials to obtain a warrant for historical and real-time geolocation data, a type of data technology companies are increasingly collecting.
Additionally, the bill orders gag rule reforms by requiring notice within 10 days to individuals whose electronic communications were sought under a warrant. This reform would allow companies that store user communications data to notify users about government requests for customer information. By shifting this information request process further in the public eye, additional onus would be placed on government agents to ensure that information requests are narrowly tailored in scope and duration.
Any use of communications and geolocation data obtained in violation of ECPA would be prohibited under S.B. 1657.
The International Communications Privacy Act (S.B. 1671) was introduced by another bipartisan team of Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.). The text of the bill has not yet been released, but generally, the bill would modernize law enforcement’s access to data stored overseas. This law would provide protections to technology companies that have outsourced their data centers to colder environments like Alaska, Finland, and Sweden in order to reduce energy costs of cooling the servers. More detail about the contours of the ICPA is expected to be announced soon.
Public Support from Industry Leaders
Since the announcement of the ECPA reform bills last week, various technology and cloud computing industry groups have lauded their introduction and have banded together to publish letters of support advocating for swift action from Congress to make the proposed legislation into law.
In a joint letter to Sens. Hatch, Coons, and Heller, technology industry leaders voiced their support for the ICPA by explaining how the ECPA’s now-arbitrary inconsistencies are affecting America’s technology business abroad: “Now is the time to act . . . Today, U.S. companies face the challenge of conflicting laws. The uncertainty of our existing legal framework is causing other countries to be concerned about the privacy rights of their citizens. It is causing foreign governments, businesses and individuals to question whether they can trust American products and technologies.”
Other technology companies issued statements emphasizing how the ECPA Modernization Act would bring much-need transparency to governmental inquiries for information, and would conserve resources devoted to challenging them in court on behalf of their users. In a statement issued by Adobe’s privacy team, the company explained: “[I]t has become all too common for search warrants to be accompanied by permanent gag orders that would forever bar us from telling our customers about them. Adobe currently challenges in court permanent gag orders like these as an unconstitutional prior restraint on our speech to our customer and, if passed, this legislation would free up court and company resources to be better used elsewhere.”
The Senate bills were introduced July 27 and were referred to the Committee on the Judiciary. Swift passage of any of the bills through Congress is unlikely. Modernizing ECPA has been a long-fought battle. Legislation to reform the statute was first introduced in 2013 and various iterations have failed to pass into law. However, there has been some noted movement. Earlier this year, the House of Representatives passed companion legislation, the Email Privacy Act (H.R. 387), which codifies the Sixth Circuit’s ruling in U.S. v. Warshak, 631 F.3d 266 (2010), holding that the Fourth Amendment requires the government to obtain a warrant based on probable cause before obtaining emails stored with cloud computing service providers. Passage in the House may be just the push that the Senate needs to pass ECPA modernization legislation in 2017.