Should the government meet the same legal standard when obtaining digital information stored on third party servers – including the contents of messages sent through web-based email providers – as when seizing information stored at a suspect’s physical home or office?
That question goes to the heart of recent legislation proposed by Senate Judiciary Committee chairman Patrick Leahy (D-Vermont).
Last week Leahy introduced new privacy protections to the Electronic Communications Privacy Act of 1986. Among other changes, the proposed legislation would require the government to get a probable-cause warrant in order to obtain information stored in the digital cloud.
“Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation’s premiere privacy laws,” said Leahy in a prepared statement. “But, today, this law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11. Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security.”
Under the current version of ECPA, government officials may acquire data from internet service providers without showing probable cause that a crime was committed as long as the content in question has been stored on a third-party server for 180 days or more. In such a case, the government need only show that it has “reasonable grounds to believe” the information would be pertinent in an investigation.
That part of the act is a holdover from a time when e-mail wasn’t stored on servers for a long time, but instead was held there briefly on its way to the recipient’s inbox.
Government officials could still obtain some information, such as customer name, address and session length via administrative or grand jury subpoena under the proposed changes.
Many privacy groups and Internet and technology based businesses have been pushing for the proposed changes.
“This is a good bill and long overdue,” said Jim Dempsey, of Digital Due Process, a consortium of groups like the ACLU, Americans for Tax Reform, Google and Microsoft. It makes no sense to have one standard for personal data stored at home or on an office and another for data stored on the server of a person’s favorite email provider, he said. “That statute was written in 1986, which is light-years ago in Internet time,” he added.
Nicole Black, of Fiandach and Fiandach and author of an upcoming book on cloud computing to be published by the American Bar Association agreed with the need to update the ECPA, but expressed doubts about how effective Leahy’s proposed changes will be.
Instead of making specific changes – such as the one regarding web-based email – the lawmakers would be better off establishing a broad framework for what the government can and can’t do when it comes to communications technology privacy. To do otherwise is to risk a law’s rapid obsolescence, she added. Technology continues to evolve at a furious pace and as soon as one legal thicket is cleared, new ones will inevitably emerge to take its place.
The Leahy bill, which has not yet been sent to committee for review, makes other changes ECPA as well.
It would, for example, require the government to get a probable-cause warrant to obtain real-time cell phone location data, but would not require it if authorities request location data from the past – something Dempsey says makes no sense. “That is just as intrusive, “ he added. Still, he feels the overall bill is quite good.
The public should not expect to see the bill made into law in the immediate future, however. A representative from Leahy’s office said that the Senator is working to shore up additional support for the legislation from both sides of the aisle, and has not yet scheduled the bill for Committee consideration.