Congress Must Enact ECPA Reform Legislation This Year
EFF applauds Sen. Mike Lee (R-UT) and Sen. Patrick Leahy (D-VT) for today introducing the ECPA Modernization Act of 2017 to protect user privacy in cloud content and geolocation information. As part of a congressional effort to reform the Electronic Communications Privacy Act, the Senate bill complements the Email Privacy Act (H.R. 387), which the House passed in February 2017 by voice vote—the second time the House has passed this legislation with overwhelming bipartisan support.
EFF supports these bills and urges Congress to enact ECPA reform legislation this year.
Both the House and Senate bills require law enforcement to obtain a probable cause warrant from a judge to access private content stored by third-party service providers. This would codify the 2010 Sixth Circuit Court of Appeals decision in Warshak v. United States, which held that the government violated the Fourth Amendment when it obtained emails stored by a third-party service provider without a probable cause warrant. This would also be consistent with the 2015 Ninth Circuit Court of Appeals decision in United States v. Kitzhaber, which held that the defendant had a reasonable expectation of privacy in his emails stored by a third-party service provider.
Additionally, the Senate bill:
- Requires the government to obtain a probable cause warrant from a judge to access geolocation information stored by third-party service providers;
- Requires the government to notify a user when it obtains a warrant to access the user’s cloud content or stored geolocation information;
- Requires the government to obtain a probable cause warrant from a judge in order to acquire real-time geolocation information, for example, via a cell-site simulator (a.k.a., IMSI catcher or Stingray) or GPS tracking device. This is consistent with the 2012 U.S. Supreme Court decision in United States v. Jones, in which five justices agreed that ongoing electronic surveillance by the government of an individual’s movements implicates that individual’s reasonable expectation of privacy.
- Provides a suppression remedy if the government accesses cloud content or stored or real-time geolocation information without a warrant or otherwise in violation of the law. This means that a court can deem such data inadmissible as “evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof.”
- Heightens the standard for the government to obtain a pen register order (to capture numbers dialed) or trap-and-trace order (to track an incoming caller) from a court.
The Senate bill thus embodies the first three principles of the Digital Due Process coalition, a diverse group of civil liberties non-profits (including EFF), technology companies, trade associations, and others that support ECPA reform.
However, the Senate bill isn’t perfect. For example, we would prefer that the government be required to provide notice to a user after it obtains real-time geolocation information. The bill does not explicitly require this. While Federal Rule of Criminal Procedure 41(f)(2)(C) requires after-the-fact notice, a statutory notice mandate would preempt attempts to amend the court rules.
The time for ECPA reform is long overdue. ECPA was first passed in 1986 and provides modest privacy protections against government access to electronic communications and content stored by third-party service providers—and it doesn’t even contemplate geolocation information.
The law has not kept pace with advances in technology and the habits of users. With the rise of cloud computing, individuals have come to rely on technology companies to store private emails, text messages, social media posts, photos and other documents, often indefinitely. While such content might contain the most personal of thoughts and details about an individual, many users do not realize that an email stored on a Google or Microsoft server has less protection than a letter sitting in a desk drawer at home. And users often can’t control how and when their whereabouts are being tracked by technology.
We urge Congress to act quickly to enact ECPA reform legislation, which would provide critical privacy protections for users of modern technology without unduly hindering law enforcement.