Last month, we posted on the senate hearings on whether the feds need to get a warrant before getting emails and other stuff stored in the cloud. The Obama administration would rather let the feds continue to get such stuff without bothering to get a warrant, as they now can do under (very outdated) current law. As we put it:
As the law currently stands, if an email is more than 180 days old, the feds are allowed to snag it without a warrant, under the 1986 Electronic Communications Privacy Act. In yet another bit of Orwellian fractal weirdness, the ECPA was designed to ensure that online communications had just as much privacy protection as anything in the offline world. (Given the erosion of Fourth Amendment protections in the brick-and-mortar world, a cynic might be tempted to crack that the ECPA has lived up to its expectations.)
And we quoted Sen. Patrick Leahy, who last year argued to drag law enforcement and the Fourth Amendment into the modern era:
Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.
For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.
Simply put, the times have changed, and so ECPA must be updated to keep up with the times.
Well, today Sen. Leahy proposed a new bill that might do just that. The bill (pdf here) would get rid of that 180-day loophole, and require the feds to get a warrant no matter how old the email or data might be.
Obviously, we’re in favor of that. But this bill goes farther than that. If adopted, this bill would also:
- Prohibit cloud services from knowingly divulging emails or other stored data “to any governmental entity.” (We approve.)
- Require the government to give notice to you within 3 days after your emails/data were searched pursuant to a warrant, including a copy of the warrant. The 3-day period can be extended on a showing of good cause similar to that in eavesdropping cases. (We approve.)
- Permit the government to subpoena subscriber names, addresses, phone numbers, network addresses, phone call data, and payment info (including credit card data). (Can’t they already subpoena all this stuff already? To the extent this is nothing new, we have no opinion. To the extent it’s new authority, we strongly disapprove.)
- Prohibit the government from using your cell phone or iPad or what-have-you to get your physical location, without a warrant or FISA order or an immediate life-or-death/mafia/national security need. (We approve, except for the mafia exception. Mere “conspiratorial activities characteristic of organized crime” is a hole big enough to drive a busload of special agents through, and has nothing to do with immediate urgency.)
- Prohibit the government from getting historical data of your physical location without a warrant or FISA order.
- Require suppression of evidence obtained in violation of the statute. (We approve.)
- Protect cloud services from lawsuit for complying with authorized government demands. (We approve.)
On the whole, not a bad bill. There’s some room for improvement, as we’ve pointed out, but that’s what committee is for… right?