Tumblr announced on Monday it was being bought by tech giant Yahoo! for $1.1 billion in one of the largest social media buyouts in years, but while the purchase will make Tumblr’s founders rich, it may bode poorly for the privacy protections of Tumblr users.

In a recent report card from the Electronic Frontier Foundation (EFF), comparing which tech companies protect user’s data from government snooping, Yahoo received one of the lowest scores with only one out of five stars. Tumblr performed significantly better, receiving three stars for requiring a warrant for content, fighting for users’ privacy rights in Congress, and publishing law enforcement guidelines.

A Yahoo spokesperson told reporters in January that the company was requiring warrants for email content data on fourth amendment grounds, joining Google others tech giants. It’s not yet clear how Yahoo will integrate Tumblr into the company, although Yahoo has promised “not to screw it up” in a press statement and said Tumblr will be independently operated as a separate business with David Karp remaining as CEO.

Online privacy law has lagged significantly behind technology advancements. Under the statute governing law enforcement access to digital communications — including private messages over Tumblr’s Fanmail and Yahoo email — the Electronic Privacy Communications Act (ECPA) of 1986, content data over 180 days old stored remotely only requires an administrative subpoena to access, which has a lower threshold of proof than a probable cause warrant.

There are a number of current legislative proposals to update ECPA, one of which was approved by the Senate Judiciary Committee in late April. The U.S. Court of Appeals for the Sixth Circuit ruled email providers cannot be compelled to turn over the content of messages without a probable cause warrant no matter how long the information has been stored in the cloud in United States v. Warshak. That ruling only applies to the four states in the court’s jurisdiction.

(Credit: Wikipedia)

“In enacting the [Electronic Communications Privacy Act of 1986 (ECPA)], Congress concluded that customers may not retain a “reasonable expectation of privacy” in information sent to network providers…[I]f the contents of an unopened message are kept beyond six months or stored on behalf of the customer after the e-mail has been received or opened, it should be treated the same as a business record in the hands of a third party, such as an accountant or attorney. In that case, the government may subpoena the records from the third party without running afoul of either the Fourth or Fifth Amendment.”

ECPA, the law governing access to email and cloud stored data, was passed at a time when the cost of online storage was so high it seemed unthinkable that anyone would store data there indefinitely, so anything left on networked storage for longer than 180 days was considered abandoned and required only an administrative subpoena to access. But in the time since it became law, the price of online storage went down and many people started to rely on free cloud based email solutions like Gmail or Yahoo! Mail as digital storage lockers.

There have been numerous efforts to update ECPA to be more in line with current consumer behavior and the Fourth Amendment, which protects against unwarranted searches and seizures, but none as of yet have succeeded. The most recent attempt to update the law to clearly require a probable cause warrant hit a major milestone in April when S.B. 607, a standalone fix, was approved by the Senate Judiciary Committee. Rep. Matt Salmon (R-AZ) introduced a companion bill to the House on Tuesday, although a similar proposal was already introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year.

But while the law has not yet been updated, the courts and tech companies are adapting to the way consumers use these services in the modern era. In the 2010 case United States v. Warshak, a Sixth Circuit Court of Appeals panel including two Republican-appointed judges ruled email providers cannot be compelled to turn over the content of messages without a probable cause warrant regardless of how long it has been stored in the cloud, but that ruling only applies to the four states in the Sixth Circuits’ jurisdiction. Earlier this year a number of tech companies including Google, Microsoft, Facebook, and Yahoo announced they go beyond ECPA and require warrants for email content data on Fourth Amendment grounds.

One of the backbones of computer privacy law was written almost 30 years ago, when virtually no one stored massive amounts of personal information on remote computer servers. The computing world looked nothing like it does today, when our credit card information, love letters, health data and personal finances can often be found on Gmail’s servers or elsewhere in the computing ‘cloud.’

While technology and the way we have used it has changed, computer privacy law has not — but a bill that just passed the Senate Judiciary Committee today hopes to change that. The Senate Judiciary Committee just approved S.B. 607, the Electronic Communications Privacy Act Amendments Act of 2013, legislation updating the Electronic Communications Privacy Act of 1986 (ECPA) to require probable cause warrants before accessing the content of private communications and files stored in the cloud.

The bill was introduced by Sen. Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) earlier this year after a similar proposal was attached to bill loosening regulation on sharing of video watching habits over social networks last winter, but dropped without notice over the holiday break. Due to the expense of networked storage when the legislation was written, the law did not prepare for how most current email and cloud storage hosting options function — rather it assumed anything left in online storage over 180 days was abandoned, and such should only require an administrative subpoena rather than a warrant to obtain from internet service providers (ISPs).

Stakeholders including tech companies, civil liberties groups, and think tanks have advocated updating the law via groups like the Digital Due Process coalition, arguing it has not adapted with the technology, leaving a pathway for law enforcement to access most archived email without the same level of due process expected for other forms of personal communications under the Fourth Amendment. Many companies including Google, Facebook, Microsoft, and Yahoo announced earlier this year they are requiring warrants for email content data on Fourth Amendment grounds, and the most relevant case law is U.S. v. Warshak, a 2010 U.S. appeals court judgment that ruled strongly in favor of probable cause warrants from a court as a requirement before forcing service providers to turn over email content no matter the amount of time it was stored in the cloud.

Documents released by the American Civil Liberties Union (ACLU) just before tax day reveal that the Criminal Tax Division at the IRS stated “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server” in a 2009 handbook. However, an IRS spokesman flatly responded to reports about the release: “Contrary to some suggestions, the IRS does not use emails to target taxpayers. Any suggestion to the contrary is wrong.”

The bill still must pass the full Senate, the House, and be signed by the President for the law to be updated, but there are signs of ECPA movement on the House side. A similar cloud data warrant requirement proposal was introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year, and this morning the House Judiciary held a hearing on ECPA as it relates to geolocation privacy and surveillance.