ECPA Reform Closer to Reality
As I have testified before Congress on multiple occasions, the Electronic Communications Privacy Act is in need of reform to bring the privacy protections for both transactional and stored communications in to the modern age. Today, Senator Leahy introduced the Electronic Communications Privacy Act Amendments Act of 2011, which is designed to do just that. According to Leahy, the new bill seeks to “carefully balance the interests and needs of consumers, law enforcement, and our nation’s thriving technology sector.” As such, the proffered bill proposes additional protection for user location information and data stored in the cloud, while also permitting new voluntary disclosures by service providers to address cybersecurity issues.
One criticism of the current version of ECPA is the statute’s differing treatment of information based on the amount of time it has been in storage. For example, email stored for less than 180 days is currently afforded full Fourth Amendment protection, while email maintained for 180 days or more can be compelled by a subpoena under the dictates of Section 2703. This distinction is not only nonsensical, but was recently found to be unconstitutional by the Sixth Circuit in United States v. Warshak, et al., where the court held that all email stored by Internet Service Providers (ISPs) is subject to Fourth Amendment protection and “[t]he government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause.” Leahy’s bill as proposed would remove the 180 day distinction and bring the Section 2703 in line with the holdings of the Sixth Circuit. Specifically, the bill would amend Section 2703 to provide that governmental entities may not access the contents of email communications stored in the cloud, no matter its age, without a warrant.
Even more important, the bill removes the distinction between electronic communications, like email or IM, and other types of stored content, like uploaded files. Under the new legislation, all stored content would be treated similarly, and all would require a warrant and notice to the account owner (subject to provisions for delayed notice).
Through suggested amendments to Section 2703 and the addition of Section 2713, the bill also sets forth a brand new statutory framework for accessing geolocation information now available through mobile devices , GPS or other electronic communications devices. Specifically, it provides that law enforcement may not access real-time (or future) geolocation information from a third party provider without a warrant, except in the instance of user emergencies, such as an E911 call. Historical location information, however, would be available to law enforcement with a warrant, consent of the user or a court order based on “specific and articulable facts showing that there are reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation.” Additionally, the bill provides in Section 2713 that law enforcement may not access or use an electronic communications device to acquire geolocation information without a warrant or court order except for in certain exigent circumstances.
Finally, in order to address concerns regarding recent cyberattacks and data breaches, the legislation adds an exception permitting service providers to voluntarily disclose customer records to the government that are pertinent to addressing a cyberattack. It also recommends oversight of these voluntary disclosures through a reporting provision added to Section 2702, which provides that the Attorney General must report the number of cybersecurity disclosures made and the basis for disclosure in those instances where criminal charges were not filed, to the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate.
While not everyone will be happy with the balance of the new bill, the proposed changes, especially the change to the rules for acquiring stored content and the increased statutory protection for contemporaneous and future geolocation data , are commendable as they would provide much needed reform of the aging ECPA and the development of a statutory framework that can continue to keep pace with constantly evolving technology, while protecting the privacy of consumers and providing necessary access to law enforcement and service providers.
My guess is, however, that there is a lot more work to do and compromises to be made before a bill like this one becomes law.