Update to 1986 Electronic Communications Privacy Act would require police to demonstrate probable cause before accessing someone's email or stored cloud data.

Mathew J. Schwartz, Contributor

April 26, 2013

3 Min Read

The Senate has advanced legislation that would require law enforcement agencies to obtain a warrant from a judge before they could access someone's email or other data stored in the cloud.

Currently, under the Electronic Communications Privacy Act (ECPA), law enforcement agencies can subpoena any email that's been opened by a recipient or that's more than 180 days old; no warrant -- and accompanying requirement to first demonstrate probable cause -- required.

But the Leahy-Lee ECPA Amendments Act, approved Thursday by the Senate Judiciary Committee, would prohibit warrantless access to stored, online communications. "The bill would require law enforcement agents to obtain a warrant in order to gain access to the contents of email and of documents, pictures and other information stored in the cloud," said Greg Nojeim, senior counsel at the civil rights group Center for Democracy & Technology (CDT), in a blog post.

[ Why can't lawmakers seem to get privacy legislation right? Read CISPA 2: House Intelligence Committee Fumbles Privacy Again. ]

"I have long believed that our government should obtain a search warrant -- issued by a court -- before gaining access to private communications," Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said earlier this month, reported The Hill. "I have worked over the last several years to update our federal privacy laws to better safeguard our privacy rights in the digital age."

The bill, co-sponsored by Leahy and Sen. Mike Lee (R-Utah), appears to enjoy strong bipartisan support, including that of ranking Senate Judiciary Committee member Sen. Chuck Grassley (R-Iowa).

Law enforcement, business and academic representatives have been urging Congress to revise the ECPA -- which was passed in 1986 and updated in 1994 and in 2001 -- for years, albeit not always in the same way. While civil rights groups have called for greater privacy protections to be extended to emails, for example, the Justice Department has lobbied Congress to leave ECPA unchanged.

Congressional efforts to reform ECPA seemed to gain renewed vigor last year, however, after the FBI's investigation into allegedly threatening emails sent anonymously to Jill Kelly, a friend of then-director of the CIA David H. Petraeus. The investigation revealed that Petraeus was having an extramarital affair with his biographer, Paula Broadwell. The pair coordinated their affair, at least in part, by saving draft emails to each other in a shared Gmail account, which the FBI would have been able to access without a warrant.

While ECPA was designed to balance people's privacy rights with the needs of law enforcement agencies investigating crimes, privacy rights groups have accused the Department of Justice of taking an overly broad interpretation to ECPA, based on the agency's reading that old emails aren't subject to the protection of the Stored Communications Act, which limits the ability of police to compel service providers to disclose data without a warrant.

After the Ninth Circuit Court of Appeals, which covers the western United States -- including California -- ruled that the Stored Communications Act did apply to emails, the Justice Department advised investigators that when accessing emails more than 180 days old without using a warrant, they should do so outside the court's jurisdiction.

A well-defended perimeter is only half the battle in securing the government's IT environments. Agencies must also protect their most valuable data. Also in the new, all-digital Secure The Data Center issue of InformationWeek Government: The White House's gun control efforts are at risk of failure because the Bureau of Alcohol, Tobacco, Firearms and Explosives' outdated Firearms Tracing System is in need of an upgrade. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights