Last Friday the United States Court of Appeals for the First Circuit ruled a warrantless search of a cell phone during the arrest of a Boston man that contributed to his conviction on drug and weapon charges was unconstitutional. The decision adds to a growing court divide on whether access to digital devices and the personal information they often contain requires judicial oversight.

The court concluded:

Since the time of its framing, “the central concern underlying the Fourth Amendment” has been ensuring that law enforcement officials do not have “unbridled discretion to rummage at will among a person’s private effects.” Gant, 556 U.S. at 345; see also Chimel, 395 U.S. at 767-68. Today, many Americans store their most personal “papers” and “effects,” U.S. Const. amend. IV, in electronic format on a cell phone, carried on the person. Allowing the police to search that data without a warrant any time they conduct a lawful arrest would, in our view, create “a serious and recurring threat to the privacy of countless individuals.”

Brima Wurie was convicted by a jury in February 2010 of distribution of crack cocaine, possessing additional crack cocaine with intent to distribute, and being a felon-in-possession of a firearm. Officers allegedly observed Wurie engaging in a drug sale in a car, picked him up, and used information from one of the two cell phones on his person to discover his home address and obtain a warrant to search it, resulting in the additional weapon and drug charges. The government argued that Wurie’s phone was “indistinguishable from other kinds of personal possessions, like a cigarette package, wallet, pager, or address book” which are subject to the search incident to arrest exception to Fourth Amendment protections.

The U.S. Supreme Court ruled searches at the time of arrest without a warrant are permissible in United States v. Robinson, but that was before advent of mobile computing technology. There is significant legal question surrounding whether digital devices like cell phones and laptops can be searched in the course of an arrest because, as the opinion in the Wurie case notes, “individuals today store much more personal information on their cell phones than could ever fit in a wallet, address book, briefcase, or any of the other traditional containers” and the Fourth Amendment specifically guarantees papers and effects not be subject to warrantless searches.

The Florida Supreme Court ruled 7-2 that a similar police search of an arrested person’s phone without a warrant was unconstitutional earlier this month, but four other federal appeals court have ruled searching a cellphone found on someone arrested is fair game. In 2012 the United States Court of Appeals for the Ninth Circuit shut down suspicionless unwarranted searches of computers and other similar digital devices at the border, noting they served as “simultaneously offices and personal diaries.”

Tumblr announced on Monday it was being bought by tech giant Yahoo! for $1.1 billion in one of the largest social media buyouts in years, but while the purchase will make Tumblr’s founders rich, it may bode poorly for the privacy protections of Tumblr users.

In a recent report card from the Electronic Frontier Foundation (EFF), comparing which tech companies protect user’s data from government snooping, Yahoo received one of the lowest scores with only one out of five stars. Tumblr performed significantly better, receiving three stars for requiring a warrant for content, fighting for users’ privacy rights in Congress, and publishing law enforcement guidelines.

A Yahoo spokesperson told reporters in January that the company was requiring warrants for email content data on fourth amendment grounds, joining Google others tech giants. It’s not yet clear how Yahoo will integrate Tumblr into the company, although Yahoo has promised “not to screw it up” in a press statement and said Tumblr will be independently operated as a separate business with David Karp remaining as CEO.

Online privacy law has lagged significantly behind technology advancements. Under the statute governing law enforcement access to digital communications — including private messages over Tumblr’s Fanmail and Yahoo email — the Electronic Privacy Communications Act (ECPA) of 1986, content data over 180 days old stored remotely only requires an administrative subpoena to access, which has a lower threshold of proof than a probable cause warrant.

There are a number of current legislative proposals to update ECPA, one of which was approved by the Senate Judiciary Committee in late April. The U.S. Court of Appeals for the Sixth Circuit ruled email providers cannot be compelled to turn over the content of messages without a probable cause warrant no matter how long the information has been stored in the cloud in United States v. Warshak. That ruling only applies to the four states in the court’s jurisdiction.

You may think your email is private, but federal investigators may not agree. Documents uncovered via Freedom Of Information Act requests by the American Civil Liberties Union (ACLU) suggest the FBI is not obtaining warrants to read email, citing an outdated federal computing law from the 1980s. According to an excerpt from the 2012 FBI Domestic Investigations and Operations Guide:

“In enacting the [Electronic Communications Privacy Act of 1986 (ECPA)], Congress concluded that customers may not retain a “reasonable expectation of privacy” in information sent to network providers…[I]f the contents of an unopened message are kept beyond six months or stored on behalf of the customer after the e-mail has been received or opened, it should be treated the same as a business record in the hands of a third party, such as an accountant or attorney. In that case, the government may subpoena the records from the third party without running afoul of either the Fourth or Fifth Amendment.”

ECPA, the law governing access to email and cloud stored data, was passed at a time when the cost of online storage was so high it seemed unthinkable that anyone would store data there indefinitely, so anything left on networked storage for longer than 180 days was considered abandoned and required only an administrative subpoena to access. But in the time since it became law, the price of online storage went down and many people started to rely on free cloud based email solutions like Gmail or Yahoo! Mail as digital storage lockers.

There have been numerous efforts to update ECPA to be more in line with current consumer behavior and the Fourth Amendment, which protects against unwarranted searches and seizures, but none as of yet have succeeded. The most recent attempt to update the law to clearly require a probable cause warrant hit a major milestone in April when S.B. 607, a standalone fix, was approved by the Senate Judiciary Committee. Rep. Matt Salmon (R-AZ) introduced a companion bill to the House on Tuesday, although a similar proposal was already introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year.

But while the law has not yet been updated, the courts and tech companies are adapting to the way consumers use these services in the modern era. In the 2010 case United States v. Warshak, a Sixth Circuit Court of Appeals panel including two Republican-appointed judges ruled email providers cannot be compelled to turn over the content of messages without a probable cause warrant regardless of how long it has been stored in the cloud, but that ruling only applies to the four states in the Sixth Circuits’ jurisdiction. Earlier this year a number of tech companies including Google, Microsoft, Facebook, and Yahoo announced they go beyond ECPA and require warrants for email content data on Fourth Amendment grounds.

One of the backbones of computer privacy law was written almost 30 years ago, when virtually no one stored massive amounts of personal information on remote computer servers. The computing world looked nothing like it does today, when our credit card information, love letters, health data and personal finances can often be found on Gmail’s servers or elsewhere in the computing ‘cloud.’

While technology and the way we have used it has changed, computer privacy law has not — but a bill that just passed the Senate Judiciary Committee today hopes to change that. The Senate Judiciary Committee just approved S.B. 607, the Electronic Communications Privacy Act Amendments Act of 2013, legislation updating the Electronic Communications Privacy Act of 1986 (ECPA) to require probable cause warrants before accessing the content of private communications and files stored in the cloud.

The bill was introduced by Sen. Patrick Leahy (D-VT) and Sen. Mike Lee (R-UT) earlier this year after a similar proposal was attached to bill loosening regulation on sharing of video watching habits over social networks last winter, but dropped without notice over the holiday break. Due to the expense of networked storage when the legislation was written, the law did not prepare for how most current email and cloud storage hosting options function — rather it assumed anything left in online storage over 180 days was abandoned, and such should only require an administrative subpoena rather than a warrant to obtain from internet service providers (ISPs).

Stakeholders including tech companies, civil liberties groups, and think tanks have advocated updating the law via groups like the Digital Due Process coalition, arguing it has not adapted with the technology, leaving a pathway for law enforcement to access most archived email without the same level of due process expected for other forms of personal communications under the Fourth Amendment. Many companies including Google, Facebook, Microsoft, and Yahoo announced earlier this year they are requiring warrants for email content data on Fourth Amendment grounds, and the most relevant case law is U.S. v. Warshak, a 2010 U.S. appeals court judgment that ruled strongly in favor of probable cause warrants from a court as a requirement before forcing service providers to turn over email content no matter the amount of time it was stored in the cloud.

Documents released by the American Civil Liberties Union (ACLU) just before tax day reveal that the Criminal Tax Division at the IRS stated “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server” in a 2009 handbook. However, an IRS spokesman flatly responded to reports about the release: “Contrary to some suggestions, the IRS does not use emails to target taxpayers. Any suggestion to the contrary is wrong.”

The bill still must pass the full Senate, the House, and be signed by the President for the law to be updated, but there are signs of ECPA movement on the House side. A similar cloud data warrant requirement proposal was introduced by Reps. Zoe Lofgren (D-CA), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this year, and this morning the House Judiciary held a hearing on ECPA as it relates to geolocation privacy and surveillance.

BlackBerry 10 users who like to enjoy adult entertainment on their devices may want to think twice about opting into the device’s music sharing feature. While at first glance the “Show What I’m Listening To” feature sounds like it would merely share your music listening habits with your BlackBerry Messenger (BBM) contacts, what it actually does is record all activity in the media player and tells your friends and colleagues about it, regardless of content type. So many users turned this feature on thinking they would broadcast fairly benign information about what kind of music they enjoy, and instead wound up revealing something they would have preferred to keep private:

“BBM records any usage of the phone’s media player and can push these visits and downloads to all messenger contacts, much like a status update. So your grandmother might be notified that you’ve been listening to the new Justin Timberlake album, or she might know that you have a fetish for, uh, granny porn.“

BlackBerry users unwittingly sharing porn preferences is not just an unfortunate (if funny) accident, it’s an example of how a lack of transparency about what information we are sharing online creates a wide gap between the experiences users want and what the ones they get. Facebook’s controversial Beacon advertising system revealed user purchases to friends with only an opt out mechanism, in some cases ruining big events like engagements. One of Google’s early forays into social media, Google Buzz, created the wrong kind of buzz by auto-populating the network with users’ most used private gmail contacts without asking. In at least one case, this breach of privacy revealed a woman’s location, workplace and several interactions with a current boyfriend to her abusive ex-husband. Google Buzz’s privacy breaches eventually resulted in a Federal Trade Commission settlement.

These incidents are wildly out of line with Internet users’ preferences. As early as 2000, 86 percent of internet users favored “opt-in” privacy policies requiring sites to ask people for permission to use their personal information and 54 percent believed that tracking of users on websites was harmful because it invades their privacy. A more recent 2012 survey found that 73 percent of search engine users would not be okay with a search engine tracking their searches and using that information to personalize future search results because it feels like “an invasion of privacy,” but that is almost exactly how Google’s Personalized Search works when users are logged in.

It should be noted that users’ stated preferences do not always match their actions. While asking directly about user privacy preferences gets very straightforward answers, behavioral economists have shown that the way privacy disclosure is framed can leave consumers unaware of the trade-offs they are making, even though they place an inherent value on remaining in control of their personal data. Consumers believe they deserve privacy and control over their data, but the Internet is so riddled with seemingly unintrusive requests to give up personal information a small bit at a time, that users often wind up doling out little pieces of their privacy without fully understanding the implications. Entire industries have sprung up devoted to piecing together the zip code we gave to our supermarket, the things we searched for online, and even key words that appear in our emails, in order to build detailed profiles of who we are.

And while consumers feel strongly they should have the right to be left alone, current regulatory protections do not guarantee that. Online privacy protections are a “patchwork” in the United States with different protections for different sectors and are significantly less strict than in Europe. While the Obama administration suggested a new broader approach to privacy more than a year ago, a draft of legislation has yet to materialize.

Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) introduced a bipartisan bill Tuesday to reform the Electronic Communications Privacy Act (ECPA) that would grant new privacy protections for email and other cloud stored data. Under current ECPA standards the government doesn’t need a warrant to access the content of emails that are more than 180 days old — instead all it requires is an administrative subpoena — although some companies including Google, Microsoft, Yahoo and Facebook have challenged that assertion on Fourth Amendment grounds.

Sen. Leahy,  the author of the original 1986 law, commented on how much times have changed since then:

“No one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today[...] Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world. Three decades later, we must update this law to reflect new privacy concerns and new technological realities, so that our Federal privacy laws keep pace with American innovation and the changing mission of our law enforcement agencies.”

A similar proposal was introduced by Reps. Zoe Lofgren (D-San Jose), Ted Poe (R-TX) and Suzan DelBene (D-WA) earlier this month, and the House Judiciary committee heard testimony on reforming ECPA this morning. In written testimony submitted before that hearing by acting assistant attorney general and former White House lawyer Elana Tyrangiel, the Obama administration dropped its claim that police should be able to look at Americans’ email content without warrants for the first time, but promoted a number of other expanded government surveillance powers.

These expansions include giving federal agency’s civil attorneys warrantless access to American’s electronic communications and eliminating some of the privacy protections currently applying to company records in order to reveal who is sending or receiving email, Facebook, Twitter, and other similar types of messages.

When the ECPA legislation was first passed in 1986, most people couldn’t imagine that online data storage would approach the point where it was so inexpensive people would leave their data online, so it was assumed that email left in networked storage over 180 days could be considered abandoned — like garbage on the curb. But with the rise of cheap, or in many cases free, storage in the cloud the 180 days rule has essentially become a way for law enforcement to access most archived email without the same level of due process expected for personal communications. Civil liberties advocates advocated for ECPA reform for years due to these technological and social changes and came very close to succeeding last year when it was almost passed as an amendment to a video-sharing bill backed by Netflix, but the amendment was inexplicably dropped over the Christmas break.

Just earlier this week, the American Civil Liberties Union, Americans for Tax Reform, and Center for Democracy & Technology announced a new coalition called the Digital 4th that, along with other broader groups including the Digital Due Process coalition, will advocate for privacy-driven ECPA reform, among other Fourth Amendment based privacy protections for current generation tech.