Senate bill would require warrant to obtain emails from Internet companies
'Analog era' Electronic Communications Privacy Act no longer suited to digital age, said one of the bill's sponsors, Sen. Patrick Leahy
By Antone Gonsalves
March 20, 2013 — CSO — Lawmakers on Tuesday introduced in the Senate a bill that would require a search warrant for government officials to get emails and other personal information on users of Internet companies.
The bipartisan bill introduced by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and Sen. Mike Lee, R-Utah, would amend the 27-year-old Electronic Communications Privacy Act, considered ancient by critics. It was passed before the Internet had grown to become the massive information network it is today.
"Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world," Leahy said in a statement. Leahy has made updating the ECPA one of his top priorities in Congress this year.
The Electronics Communications Privacy Act Amendments Act of 2013 (ECPA) would require a warrant for electronic communications stored with a third-party service provider, such as Google, Facebook and Microsoft.
In addition, the government would have to notify a person within 10 days of obtaining a warrant that it has received his private communications. That requirement would not apply in cases where such a disclosure would threaten an ongoing investigation.
For years, government officials and law enforcement have sought subpoenas from prosecutors in order to obtain emails and other user data from Internet companies. Privacy advocates have argued that subpoenas are too easy to obtain, and law enforcement should be required to get a warrant from a judge.
The American Civil Liberties Union had joined Internet companies in pushing for the change in the ECPA. "We're happy to see bipartisan legislation introduced to uphold what we think are really important constitutional values," said Chris Calabrese, legislative counsel for the ACLU in Washington, D.C.
The U.S. Justice Department is asking that civil investigations be exempted from the warrant requirement, a move opposed by the ACLU.
Calabrese argued that there's no difference in obtaining emails for a criminal case investigated by law enforcement or in a bank fraud civil action by the Securities and Exchange Commission (SEC). The ECPA is meant to protect people against privacy invasion by government, not just police.
"It just doesn't make sense," he said. "The fact is a warrant is a well-understood standard. It's appropriate for investigations and that's the one they should stick to."
Google has been one of the Internet companies out front in challenging the government over the use of subpoenas for obtaining electronic communications. Twice a year, the company lists the number of requests it receives from governments worldwide and includes its rate of compliance.
Google did not respond to a request for comment. The Internet Association, an industry group that includes the search giant, Facebook, eBay and Amazon.com, said it "strongly supports" updating the ECPA. "An email in your inbox deserves the same legal protections as a letter in your mailbox," the association said in a statement.
The ACLU and other privacy advocates are also lobbying to require warrants in obtaining geolocation information found in people's mobile phones. While the ACLU would favor having the requirement in the ECPA, it is expected to be dealt with separately by lawmakers.
"We want to get them both done," Calabrese said. "We're willing to see them move separately, if that's what needs to happen."
Along with the ECPA, privacy advocates have been raising concerns over the Cyber Intelligence Sharing and Protection Act (CISPA), introduced last month in Congress. The bill would provide immunity from customer lawsuits to private companies in the U.S. that share cyberthreat information with the federal government.
As it exists today, the bill does not go far enough in preventing people's personal information from also being shared, advocates say.
Read more about data privacy in CSOonline's Data Privacy section.