Lawmakers call for greater protections from e-surveillance

House members push for ECPA reform during a hearing, and senators introduce a new bill

If U.S. law enforcement agencies agree to changes in electronic surveillance law to better protect the privacy of stored email and documents, they want several changes in return, including a requirement that email and cloud service providers hold onto records longer.

Representatives of the U.S. Department of Justice and the Tennessee Bureau of Investigation told U.S. lawmakers Tuesday that they could accept some changes to the 1986 Electronic Communications Surveillance Act (ECPA), after several members of the U.S. House of Representatives Judiciary Committee called for changes in the law that would require law enforcement agencies to get court-ordered warrants to obtain emails and other electronic documents stored for more than six months.

Right now, U.S. law enforcement agencies need only a subpoena to obtain electronic documents stored for longer than 180 days on servers outside a suspect's computer. Several tech companies and digital rights groups have been calling for more privacy protections in ECPA for three years, saying it doesn't make sense that a document in a file cabinet, or an email less than 180 days old, should enjoy more privacy protections than stored electronic documents.

The U.S. Constitution's Fourth Amendment, prohibiting unreasonable searches and seizures by the government, "protects more than just Luddites," Representative Jim Sensenbrenner, a Wisconsin Republican and chairman of the Judiciary Committee's crime subcommittee, said during a hearing Tuesday. "Americans should not have to choose between privacy and the Internet."

While ECPA reform is a top priority, finding a balance between privacy and law enforcement needs won't be easy, Sensenbrenner said. Lawmakers tried during the last session of Congress to pass ECPA reform bills, but failed, he noted.

If Congress makes it harder for law enforcement agencies to get access to stored documents, it should also require email and cloud service providers to hang onto documents longer, and it should prohibit service providers from warning customers when investigators seek access to their documents, said Richard Littlehale, assistant special agent in charge of the Technical Services Unit at the Tennessee Bureau of Investigation.

Congress should also require service providers to respond to law enforcement records requests in a timely manner, Littlehale told the subcommittee.

"When we request these records, it is for a reason -- we believe that the records constitute evidence that will lead to identification of sexual predators, the recovery of kidnapping victims, or the successful prosecution of a murderer," Littlehale said. "Any consideration of changes to ECPA that will make obtaining communications records more time-consuming and laborious should reflect an understanding of how those changes will impact our ability to do our job."

During the hearing, Representative Louie Gohmert, a Texas Republican, questioned why Google was pushing for email privacy protections when it shares information about Gmail users with advertisers. Gohmert asked whether U.S. law investigators could get "the same deal" as advertisers who send targeted ads to Gmail users based on keywords.

The automated keyword advertising process isn't the same as a company turning over a subscriber's account information to police, said Richard Salgado, director of law enforcement and information security at Google.

On the same day as the hearing, two senators introduced an ECPA reform bill. Senators Patrick Leahy, a Vermont Democrat, and Mike Lee, a Utah Republican, introduced the Electronic Communications Privacy Act Amendments Act, which would require law enforcement agencies to get search warrants for stored electronic communications.

Twenty-seven years ago, "no one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today," Leahy said in a statement. "Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world."

Leahy's statement was echoed by several members of the House subcommittee, and even Elana Tyrangiel, acting assistant attorney general in the DOJ's Office of Legal Policy. While DOJ officials have been reluctant in the past to embrace ECPA reform, Tyrangiel said some of the legal distinctions in electronic surveillance law "have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications."

In general, law enforcement agencies should get search warrants before obtaining any email, she said. "There is no principled basis to treat email less than 180 days old differently than email more than 180 days old," Tyrangiel added.

Still, there should be some exceptions, particularly when lives are at stake, she said. In civil cases filed by U.S. agencies, subpoenas for business records may still be appropriate, she added.

When asked for what specific changes the DOJ would recommend, or about some scenarios, Tyrangiel told several lawmakers the DOJ wasn't ready to offer an opinion. That led Sensenbrenner to say Tyrangiel was "ill prepared" for the hearing.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Department of JusticeJim SensenbrennerU.S. House of Representatives Judiciary CommitteelegislationPatrick LeahyprivacyTennessee Bureau of InvestigationRichard SalgadoMike LeeLouie GohmertGooglesecurityRichard LittlehaleElana Tyrangielgovernment

More about Department of JusticeDOJGoogleIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts