Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act in Congress. The bill would update the 1986 Electronic Communications Privacy Act (ECPA), which governs the rules for how digital information can be obtained by the government and would require a warrant for any request made by the government for people’s private communications.
The ECPA has long been criticized for being an inadequate law for our new internet-driven era. The law passed in 1986 when there wasn’t much of an internet or anything resembling today’s digital communications.
For instance, only in the past decade or so have companies begun to store everyone’s communications indefinitely so they can be data-mined for advertising purposes. However, because of the three-decade-old ECPA, law enforcement is still allowed to obtain those communications without a warrant as long as the data is at least 180 days old.
"After the unanimous passage of our bill last year, I see no reason why we can’t get this done right away," Representative Yoder said. "Let’s give the Senate ample time to act, because more than 30 years has been long enough for Congress to wait on this. It’s simple, in 2017 if the federal government wants to access Americans' digital content, it must get a warrant," he added.
Email Privacy Act Reintroduced
The Email Privacy Act is being reintroduced by the new Congress because last year, despite the fact that the bill passed the House unanimously in a 419-0 vote, the Senate failed to pass it. If the Senate moves quickly now, President Obama may still be the one to sign the electronic communications reform bill into law.
Otherwise, it will be up to President Trump to decide whether he wants the old law to be updated or not, or whether he’d want other changes made to it (and assuming it passes the Senate as well, eventually).
The Email Privacy Act is endorsed by civil liberties groups and technology companies such as the ACLU, the Center for Democracy and Technology, the Electronic Frontier Foundation, Amazon, Apple, Facebook, Google, Microsoft, and Twitter.
According to representatives Yoder and Polis, the new bill would:
Affirm that Americans have a reasonable expectation of privacy in their email accounts and other personal and professional content stored online.Require the government to get a search warrant based on a showing of probable cause in order to compel a service provider to disclose communications that are not readily accessible to the public--regardless of the age of the communications or the means of their storage.Preserve the legal tools necessary to conduct criminal investigations and protect the public (nothing in the bill alters warrant requirements under the Wiretap Act, FISA, or any other law).
One of the critiques of the bill is that although companies can and should notify their customers that a warrant has been served in their name and for their data, they aren’t required by the law to do it. Even if they choose to notify customers, the government may still seek a judge-ordered delay of the notification, although presumably this wouldn’t happen too often.
However, all of this still shows that when you upload data to the cloud, the government doesn’t really believe it’s yours anymore. In order to obtain that data, it thinks it needs the consent only of the provider storing it.
This is why it may be a good idea to pre-encrypt your data locally even when you upload data to the cloud, so that if anyone wants access to it, they have to come to you first. In the case of email, that means either using OpenPGP or a an end-to-end encrypted email service. Such measures could also protect your data against the all too common data breaches.