One of the backbones of computer privacy law was written almost 30 years ago, when virtually no one stored massive amounts of personal information on remote computer servers. The computing world looked nothing like it does today, when our credit card information, love letters, health data and personal finances can often be found on Gmail’s servers or elsewhere in the computing ‘cloud.’
While technology and the way we have used it has changed, computer privacy law has not — but a bill that just passed the Senate Judiciary Committee today hopes to change that. The Senate Judiciary Committee just approved S.B. 607, the Electronic Communications Privacy Act Amendments Act of 2013, legislation updating the Electronic Communications Privacy Act of 1986 (ECPA) to require probable cause warrants before accessing the content of private communications and files stored in the cloud.
The bill was introduced by Sen. Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) earlier this year after a similar proposal was attached to bill loosening regulation on sharing of video watching habits over social networks last winter, but dropped without notice over the holiday break. Due to the expense of networked storage when the legislation was written, the law did not prepare for how most current email and cloud storage hosting options function — rather it assumed anything left in online storage over 180 days was abandoned, and such should only require an administrative subpoena rather than a warrant to obtain from internet service providers (ISPs).
Stakeholders including tech companies, civil liberties groups, and think tanks have advocated updating the law via groups like the Digital Due Process coalition, arguing it has not adapted with the technology, leaving a pathway for law enforcement to access most archived email without the same level of due process expected for other forms of personal communications under the Fourth Amendment. Many companies including Google, Facebook, Microsoft, and Yahoo announced earlier this year they are requiring warrants for email content data on Fourth Amendment grounds, and the most relevant case law is U.S. v. Warshak, a 2010 U.S. appeals court judgment that ruled strongly in favor of probable cause warrants from a court as a requirement before forcing service providers to turn over email content no matter the amount of time it was stored in the cloud.
Documents released by the American Civil Liberties Union (ACLU) just before tax day reveal that the Criminal Tax Division at the IRS stated “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server” in a 2009 handbook. However, an IRS spokesman flatly responded to reports about the release: “Contrary to some suggestions, the IRS does not use emails to target taxpayers. Any suggestion to the contrary is wrong.”
The bill still must pass the full Senate, the House, and be signed by the President for the law to be updated, but there are signs of ECPA movement on the House side. A similar cloud data warrant requirement proposal was introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year, and this morning the House Judiciary held a hearing on ECPA as it relates to geolocation privacy and surveillance.