Privacy advocates and some tech companies hope 2019 will be the year that Congress revamps a 33-year-old law that allows law enforcement agencies easy access to some emails and other communications stored in the cloud.
Under the Electronic Communications Privacy Act, or ECPA, of 1986, law enforcement and regulatory agencies do not need a court-ordered warrant to search email and other electronic documents stored in the cloud or with a tech vendor for longer than 180 days.
The wording of the law has created inconsistent privacy protections for documents and data, depending on how long it’s stored and where it’s stored, privacy advocates say. Law enforcement agencies need warrants to search paper files in a suspect’s home or office as well as to search electronic files stored on the suspect’s computer or in the cloud for less than 180 days. Police need only a subpoena, not reviewed by a judge, to demand files stored in the cloud or with other tech providers for a longer period.
Advocates of ECPA reform argue that cloud computing and off-site email storage technologies have changed the way people store important electronic documents.
The inconsistent treatment of documents stored in the cloud also may raise questions, in some potential customers’ minds, about the privacy of U.S. cloud providers, ECPA reform advocates say.
There’s “strong support” for changing ECPA, said Neema Singh Guliani, a senior legislative counsel with the American Civil Liberties Union. “We need to update our laws to make sure that individuals are protected in the digital age.”
For nine years, privacy groups and tech companies have pushed for a change in ECPA that would extend warranty protections to long-stored electronic communications.
These efforts have stalled in Congress. In April 2016, for example, the House of Representatives voted 419–0 to pass the Email Privacy Act, an ECPA reform bill, but the Senate failed to act on it. Some senators have blocked ECPA reform bills because law enforcement is concerned that new warrant requirements would make investigations more difficult.
The Department of Justice, which has been cool to ECPA reform in the past, did not respond to questions about whether it would oppose new legislation. In the past, the Federal Trade Commission and the Securities and Exchange Commission have also raised concerns that a change could hamper their investigations.
There may be new momentum for ECPA reform this year, however. In June, the Supreme Court, in Carpenter v. the United States, ruled that police need to get warrants to collect more than a week’s worth of mobile phone geolocation data.
Even though the Supreme Court didn’t rule on stored email, justices recognized that so-called metadata “held by third parties can be very sensitive and paint a very intimate portrait of someone’s life,” Guliani said.
No ECPA reform bills have been introduced yet this year, but privacy advocates expect legislation to be on the way. The House Judiciary Committee’s new chairman, Rep. Jerry Nadler, D-N.Y., has co-sponsored ECPA reform bills in the past.
The Carpenter decision was a “narrow decision with broad language,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology, a digital rights group. “The broad language suggests that other collections of metadata that are particularly revealing may be subject to the warrant requirement.”
Other privacy advocates are less optimistic about action during this session of Congress. Some Republican senators will still resist attempts to make electronic data harder for law enforcement agencies to access, said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
Another factor, Tien added, is that tech companies like Google, Facebook, Apple, and Microsoft have been pushing for ECPA reform, “and Congress likes them less now.”
