eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
The Senate Judiciary Committee held hearings Sept. 16 on proposed updates to the Stored Communications Act, a relic of the mid-1980s, which is a part of the Electronic Communications Privacy Act (ECPA).
Committee members asked various stakeholders what they thought should be done to update that part of the ECPA. As is the case with most Senate hearings, the stakeholders reiterated positions they’ve previously announced, but this time those positions became part of the record.
The current proposals for the Stored Communications Act (or SCA as it’s fondly called on the Hill) would be amended by a number of provisions, including a critical one that addresses a legal issue that has been the focus of recent court battles over federal demands for access to data stored in database servers maintained overseas.
This is the Law Enforcement Access to Data Stored Abroad (LEADS) Act. The LEADS Act would clarify the handling of electronic data stored outside the United States, which is at the core of the ongoing legal drama between Microsoft and the U.S. Justice Department.
In that case, Justice has been trying to compel Microsoft to turn over records of a European citizen that are stored in Ireland and Microsoft has declined, saying that a U.S. warrant can’t be enforced outside U.S. territory.
There are other provisions being considered as well, including elimination of the 180 day difference between email that can be accessed without a warrant and email that can’t.
Those provisions would also eliminate a distinction between emails that’s been opened and those which have not. One notable position that seems to emerge from time to time came from Richard Littlehale of the Tennessee Bureau of Investigation, speaking for the Association of State Criminal Investigative Agencies (ASCIA).
In his testimony, Littlehale bemoaned the fact that a number of providers insisted on sticking with the letter of the law and requiring actual warrants before they’d turn over their customers email and voicemail files. Even worse, he complained that workers in the process of collecting data at his request sometimes made mistakes, and once a worker at a cell phone company accidentally deleted a voicemail message.
To prevent such a thing from ever happening again, ASCIA is apparently asking Congress to pass legislation that would outlaw mistakes and also would require that all providers store all such messages, whether email or voicemail, forever so that customers could not erase their own messages. He also espoused a plan that would mandate immediate turnover of all requested information, regardless of whether there was a warrant.
While the ASCIA position may sound extreme and while it clearly subverts the Fourth Amendment to the U.S. Constitution, this position is gaining some traction in Congress.
The same is true for the ASCIA’s claims about the inadequacy of laws requiring notification of warrants and the lack of laws requiring the retention of all records, including such things as records of IP addresses that have communicated with a server.
Senate Holds Hearings on Updated ECPA Data Privacy, Storage Rules
Instead, that portion of the law enforcement community is arguing for a new requirement that would mandate the creation and retention of any record, including transient DNS requests and other IP connections that might someday be useful to some investigator, somewhere.
Other agencies and outside groups are leaning more toward support of the changes to the ECPA that are currently being proposed, while not surprisingly, some agencies are using the proposed revision to the ECPA as a way to get access to information that they’ve never had before.
One notable illustration is the Federal Trade Commission, which states in its testimony that it currently doesn’t get information from providers covered by the ECPA, but would like to have the law amended so that it can get whatever content it wants, without a warrant.
As you might expect, a strong undertone to the Senate hearings was the current appeal in the Department of Justice vs. Microsoft case. The LEADS Act and the proposed changes to the ECPA would clarify how data contained on foreign servers and owned by foreign nationals should be treated.
As it stands now, the legislation asks the State Department and the Justice Department to find a way to streamline requests to foreign governments for data that could be evidence.
Notably, the LEADS Act also contains language that would vacate any warrant that would force a U.S. person or corporation to violate a foreign law. It also eliminates the differences between the age and opening date of messages that no longer make sense in today’s context.
In addition, the updates to the ECPA would change the act so that it conforms to court decisions that now require law enforcement to get a warrant before seeking information from a person’s personal messaging accounts, whether they’re in the form of email or text messages.
The technology industry is solidly behind the LEADS Act and the changes to the ECPA. “We urge the Senate Judiciary Committee to reject any effort to create exceptions for government agencies, which would lead to lesser protections for information stored remotely than in the home,” Mark MacCarthy, senior vice president of the Software and Information Industry Association, stated in an email. “The committee should pass the Lee-Leahy legislation to bring ECPA in-line with current technology.”
Likewise, BSA–The Software Alliance president Victoria Espinel said in her testimony that the organization supports passage of the ECPA. “The Act makes critical updates that are needed to protect the privacy of Americans’ email content and subscriber records.”
At this point it remains to be seen exactly what direction an update to the ECPA might take. Most of the testimony in the Senate hearing urged strongly for passage of the revisions as soon as possible.
However, some (but not all) law enforcement statements urged against continuing the ECPA. While it’s unlikely that the committee will side with allowing investigators unfettered access to email, it’s unclear what direction the final legislation will take.