Leahy Introduces Digital Privacy Bill

Revising 25-Year-Old Electronics Communications Privacy Act
Leahy Introduces Digital Privacy Bill
The author of the Electronic Communications Privacy Act introduced Tuesday new legislation to modernize the 1986 law aimed, in part, to protect the privacy of smartphone users and e-mail communications.

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., said the Electronic Communications Privacy Act Amendments Act would enhance privacy protections for the content of Americans' e-mail and other electronic communications by requiring a search warrant to show probable cause. He said the bill includes new privacy protections for Americans' location information that is collected, used or stored by service providers, smartphones and other mobile technologies.

ECPA, as the existing law is known, hasn't been substantially changed since its enactment 25 years ago. The existing law does not directly address newer technologies such as smartphones and social networking sites. Leahy said in a statement that his bill would fill those gaps. "Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security." the senator said.

Leahy also said the bill would enhance the security of American computer networks by permitting service providers to voluntarily disclose content to the government relating to a cyberattack involving their computer network. The measure includes reporting requirements to protect privacy and civil liberties as well as improve law enforcement tools, including a provision to allow the government to temporarily delay notification of its access of stored electronic communications if notification would endanger national security.

Digital privacy rights has been a concern of lawmakers in recent weeks. On May 10, a Senate Judiciary subcommittee held a hearing following accounts that Apple and Google kept hidden files on smartphones of consumers' whereabouts (see Apple, Google Under Fire at Hearing). A similar hearing will be held Thursday by a subcommittee of the Senate Commerce, Science and Transportation Committee (see Apple, Facebook, Google Before Senate Panel). Sen. Jay Rockefeller, D-W.Va., introduced May 9 a bill to allow consumers to opt out of online tracking (see Rockefeller Submits Do Not Track Online Act).

The Bill's Details

According to Leahy's office, the Electronic Communications Privacy Act Amendments Act would:

  • Prohibit an electronic communications, remote computing or geolocation information service provider from voluntarily disclosing the contents of its customer's e-mail or other electronic communications to the government. There are limited exceptions to this prohibition under current law, including, customer consent and disclosure to law enforcement to address criminal activity.
  • Hold disclosure of the content of e-mail and other electronic communications by a service provider to the government to one legal standard: a search warrant issued based on a showing of probable cause. The provision would eliminate a 180-day rule that requires varying legal standards for the government to obtain e-mail content, depending upon the age of the e-mail. The provision also would require the government to notify the individual whose account was disclosed, and provide that person with a copy of the search warrant and other details about the information obtained, within three days. Existing law permits the government to access content that is publicly available, such as remarks posted on a blog or a public website.
  • Clarify that the government may use an administrative or grand jury subpoena to obtain certain kinds of electronic communication records from a service provider, including customer name, address, session time records, length of service information, subscriber number and temporarily assigned network address, and means and source of payment information.
  • Allow the government to seek a court order to delay notifying an individual of that fact that the government has accessed the contents of their electronic communications for up to 90 days. This delay period could be extended for a period of up to an additional 90 days at a time by a court. Once notice is provide, the government would be required to furnish the individual with a copy of the search warrant.
  • Permit the government to delay providing notice if doing so would endanger national security. To reduce the costs associated with providing notice, the bill would allow the government to provide notice by e-mail.
  • Set a 90-day limit on the period that the government could prevent a service provider from informing its customer about the disclosure of electronic communications information to the government. This time period could be extended by a court for up to an additional 90 days at a time.
  • Create new privacy protections for geolocation information collected stored or used by mobile devices and mobile applications, such as smartphones and tablets. This provision also would clarify the legal standards for when the government can obtain location information from these and other kinds of electronic communications devices. Specifically, the provision would require the government to obtain either a search warrant or a court order under the Foreign Intelligence Surveillance Act to access or use an individual's smartphone or other electronic communications device to obtain geolocation information.
  • Establish a law enforcement exception to the warrant requirement that would apply when the attorney general or specified senior law enforcement officials designate a law enforcement officer to obtain geolocation information during an emergency involving either, imminent danger, organized crime or an immediate threat to national security. The government must obtain a search warrant for the geolocation information within 48 hours, or a court may suppress the evidence obtained or derived from this information in a legal proceeding. The bill would include exceptions to the warrant requirement when the user consents or a call for emergency services.
  • Make several conforming technical amendments to ECPA and add definitions for geolocation information, geolocation information service electronic communications device and electronic communication identifiable information to the statute.
  • Require the government to obtain a search warrant in order to obtain real-time geolocation information, except for emergency calls for service, historical geolocation information from a service provider, codifying existing practices.
  • Permit a provider to voluntarily disclose content that is pertinent to addressing a cyberattack involving their computer network to either the government or to a third-party.

The bill also would require the attorney general and Homeland Security secretary to submit to Congress an annual report detailing the number of accounts from which either the departments of Justice or Homeland Security received voluntary disclosures under the cybersecurity exception. The bill also would require the attorney general to furnish information about the number of voluntary disclosures under the cybersecurity exception made to the Justice Department that did not result in the filing of criminal charges.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.