Last year, House members introduced the Email Privacy Act (H.R.699) to amend the three decade-old Electronic Communications Privacy Act (ECPA) of 1986, which hasn’t kept up with today’s technologies and modern privacy realities.
The ECPA also has some serious flaws, such as not requiring a warrant from law enforcement to obtain electronic communications, as well as allowing law enforcement to obtain emails older than 180 days without any court order (as they are considered “abandoned”).
The ECPA reform has been delayed for so long that the ACLU has taken matters into its own hands and started encouraging legislators to support ECPA reforms that require a warrant for electronic communications requests in at least 16 states.
Virginia Representative Bob Goodlatte, who is the House Judiciary Committee chairman, said that the ECPA flaws and more will be fixed at the federal level as well in the new EPA legislation:
“It’s clear that the law needs to be modernized and updated to ensure it keeps pace with ever-changing technologies so that we protect Americans’ constitutional rights and provide law enforcement with the tools they need for criminal investigations in the digital age. I look forward to moving this legislation through the Committee next month and working with House leaders to bring the bill to the floor.”
The EPA bill requires the government to get a warrant from a judge before asking a communications service provider for its data, regardless of how long the data has been held by the provider or whether the data is requested from an “electronic communications service” or a “remote computing service”. This solves the two major flaws the ECPA has had for the past three decades.
Another major improvement is that the law enforcement agencies will also have to serve the owner of the data a copy of the warrant within 10 days of receiving that data. If it’s another government entity, it needs to serve the copy of the warrant within three days of receiving the data. However, the government can request delays of the notification from the judge.
Having to serve a copy of the warrant directly to the owner of the data seems to just make common sense. Even if in the 21st century we store our information on other companies’ computers, it doesn’t mean that data is not ours anymore, or that just about anyone can go look through it without us having to know about it.
The EPA still doesn’t say that only the owner of the data should be served with the warrant, but serving both the company that holds the data as well as the owner seems like a relatively reasonable compromise.
Kansas Representative Kevin Yoder, who is a co-sponsor of the bill, believes that it should pass easily through the House:
“With 308 of my colleagues – a majority of both Republicans and Democrats – and a majority of the Judiciary Committee in support of the bill, the markup should be brief and the bill should swiftly move to the House floor for passage.”
The bad news is that although a majority of Congress has supported the bill as it is, the Department of Justice and other law enforcement agencies have managed to stall the passage of the bill by demanding some rather large carve-outs, such as the ability to bypass the warrant requirement in case of “emergencies.”
The problem here is that although in theory it doesn’t sound like a bad idea, the U.S. government has already been abusing such powers for a long time. For instance, the National Security Letters, which don’t require a warrant from a judge and could previously gag a company or individuals for life, were initially meant to be used in actual “national security” situations, but the vast majority of them ended up being used in drug-related cases.
Google has also opposed this carve-out in the EPA bill, because it experienced the same situation. When the government gets such exemptions, it tends to abuse them.
"It unfortunately appears to be the case that some law enforcement officials make emergency disclosure requests because it is easier than getting legal process, with the checks that come with it, even though legal process is available in a timely manner," said Google's Richard Salgado.
Even if the emergency clause remains in the bill, it should be strictly defined for exactly what type of situations in which law enforcement can use those powers, to ensure they aren’t abused, or at least to limit the potential abuse.
The Email Privacy Act is expected to be put up for a vote on the House floor next month, and it could become one of the most significant privacy reforms in recent times, especially if the emergency carve-outs are significantly limited.
You can watch the most recent House hearing on the EPA legislation in the video below.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.