Sen. Patrick Leahy (D-Vt.) on Tuesday introduced legislation that would update a key digital privacy law from 1986 in an effort to address changes in e-mail and mobile technology.
The bill is designed to protect types of electronic communication that did not exist when the Electronic Communications Privacy Act became law 25 years ago. The legislation also is intended to provide clarity on how the government can obtain individuals’ electronic communications and gives the government more tools designed to help stop cyber attacks and protect national security.
“Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation’s premiere privacy laws,” Leahy, who authored the 1986 bill, said in a statement. “But, today, this law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11. Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security.”
The bill would forbid service providers from voluntarily divulging users’ e-mails and other electronic communications with the government. Current law allows service providers to voluntarily disclose the communications. But there are stipulations under current law that must be satisfied, including a government need to investigate criminal activity.
The legislation would abolish a rule that uses the e-mail’s age to determine how the government must obtain it. The bill would require the government to get a search warrant to obtain any electronic communications from a service provider. The government also would need an administrative or grand jury subpoena to get electronic communications records, including user address, name and session data.
The bill would give the government, with court approval, at least 90 days before it must notify individuals that it has access to their electronic communications. The government would be able delay notice if there are national security concerns.
The legislation would ensure location information service providers are covered by ECPA provisions. The government would be required to get a search warrant or court order under the Foreign Intelligence Surveillance Act to obtain location information from mobile devices. But the warrant or court order wouldn’t be needed if there was a call for help or user consent.
The bill would allow a service provider to voluntarily provide the government access to electronic communications if the government needs the information to address a cyber attack. The Justice Department would have to report to Congress on the use of this provision.
The legislation would clarify the type of information the FBI can get from a service provider for counterintelligence purposes. The information would be non-content data, including user address, name and session-related numbers.
The DOJ has yet to offer a position on Leahy’s proposal. But Associate Deputy Attorney General James Baker said at a Brookings Institution panel discussion Tuesday that any changes to ECPA must be considered cautiously. He said individuals working on legislation should thoroughly consider the implications of changing the language of ECPA and how it will affect national security, law enforcement and privacy.
“It is very difficult to try to work through some of these questions,” Baker said. “And it’s very important we do it carefully and thoughtfully.”
