Sen. Patrick Leahy on Tuesday unveiled an overhaul to a 25-year-old digital privacy law that would require the government to obtain warrants before accesssing email and other cloud-based data.
The update to the Electronic Communications Privacy Act (ECPA), would also extend to location-based data, and allow private companies to collaborate with the government in the event of a cyber attack.
The ECPA was first enacted in 1986, well before the Internet, email, or smartphones. As a result, it is "significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies after September 11," said Leahy, a Vermont Democrat.
As a result, Leahy's updated 2011 version of the ECPA would apply to technologies like email, cloud services, and location data on smartphones. If the government wanted an ISP to hand over emails on a particular customer, for example, they would need to first obtain a warrant. At this point, the government abides by a rule that provides access to email after 180 days, depending on the circumstance.
"The bill gets rid of the so-called '180-day rule' and replaces this confusing mosaic with one clear legal standard for the protection of the content of emails and other electronic communications," Leahy said in a statement.
If the government obtains access, they would have to notify the person involved and provide them with a copy of the warrant within three days. If it's a sensitive investigation, and the government doesn't want to tip off the alleged offenders right away, it can delay notification by up to 90 days via court order, which can be extended another 90 days, if necessary. There can also be a delay for national security reasons.
In the wake of a controversy over how smartphones collect user data, the updated ECPA would also require warrants or a court order under the Foreign Intelligence Surveillance Act for location-based data.
"There are well-balanced exceptions to the warrant requirement if the government needs to obtain location information to address an immediate threat to safety or national security, or when there is user consent or a call for emergency services," Leahy said.
A warrant for location information must still be obtained within 48 hours, even in an emergency, or a court might suppress the data gathered. There is also an exception when a user provides consent or calls for emergency services.
The government could use an administrative or grand jury subpoena in order to get certain info from an ISP, including: customer name, address, session time records, length of service information, subscriber number and temporarily assigned network address, and means and source of payment information.
Taking a page from the cyber-security plan unveiled by the Obama administration last week, Leahy's plan also allows for collaboration between the government and private companies if those companies are the victim of a cyber attack.
"The legislation creates a new limited exception to the nondisclosure requirements under the ECPA, so that a service provider can voluntarily disclose content to the government that is pertinent to addressing a cyberattack," Leahy said. "To protect privacy and civil liberties, the bill also requires that, among other things, the Attorney General and the Secretary of Homeland Security submit an annual report to Congress detailing the number of accounts from which their departments received voluntary disclosures under this new cybersecurity exception."
The bill comes several days after Leahy introduced the PROTECT IP Act, which would allow the U.S. government to go after "rogue Web sites" that contain infringing content.