Updated bill requires a warrant for email & cloud data access

It appears the 1986 Electronic Communications Privacy Act (ECPA) is going to get some updates.  Senator Patrick Leahy, the author of the ECPA back in 86, is proposing an update to the bill requiring a court-issued search warrant to be obtained before accessing a person’s email address or other content stored on cloud services.  Leahy addressed the update by saying the bill had been “outpaced by rapid changes in technology”.

Updated bill requires a warrant for email & cloud data access

Under the current version of the ECPA a warrant did not need to be obtained to gain access to email communications that had been stored for longer than 180 days.  The updated bill will require the search warrant regardless of how long the data had been stored and addresses not only email communications but also cloud computing services (for example Dropbox).

To go one step further, the update will also address geolocation data that is collected, used, or stored on smart phones.  The updated bill will require a search warrant to access a smartphone or other electronic communications device in order to collect or view this geolocation information.

Reform of the ECPA is long overdue and has been called for by privacy groups and technology companies for quite some time.  One particular coalition of these types of companies, Digital Due Process, has been lobbying since 2010 for the reform of the 1986 bill.  This coalition consists of power technology and privacy companies such as Google, Microsoft, and the American Civil Liberties Union.  The group insists that the ECPA is severely outdated and is currently unable to provide protection for the large quantity of personal data currently stored on electronic devices and cloud services.

Leahy’s update does leave a gaping loophole, however, granting the FBI the authority to obtain personal information without a court order.  This would be allowed under circumstances where authorities consider the person or information to be related to a matter of terrorism or a national intelligence case.

Overall the updates seem adequate to protect personal information on newer electronic devices and computing services, but it does leave an uncomfortable blank check in the hands of the FBI. It would be nice to see legislation without these kinds of holes to just tag something as terrorism related. What’s to stop the FBI from claiming that they consider something national security related and therefore, legally gaining access to any and all email and cloud data?

It would also be nice to see the Government be more proactive in legislation reform as technology continues to evolve and advance.  Who has access to personal information and under what conditions could quickly become a gray area if 25 years are left between legislation updates.