Senate bill would require warrant to obtain emails from Internet companies

Lawmakers on Tuesday introduced in the Senate a bill that would require a search warrant for government officials to get emails and other personal information on users of Internet companies.

The bipartisan bill introduced by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and Sen. Mike Lee, R-Utah, would amend the 27-year-old Electronic Communications Privacy Act, considered ancient by critics. It was passed before the Internet had grown to become the massive information network it is today.

"Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world," Leahy said in a statement. Leahy has made updating the ECPA one of his top priorities in Congress this year.

The Electronics Communications Privacy Act Amendments Act of 2013 (ECPA) would require a warrant for electronic communications stored with a third-party service provider, such as Google, Facebook and Microsoft.

In addition, the government would have to notify a person within 10 days of obtaining a warrant that it has received his private communications. That requirement would not apply in cases where such a disclosure would threaten an ongoing investigation.

For years, government officials and law enforcement have sought subpoenas from prosecutors in order to obtain emails and other user data from Internet companies. Privacy advocates have argued that subpoenas are too easy to obtain, and law enforcement should be required to get a warrant from a judge.

[Also see: New breed of organized criminals aided by Internet, says Interpol]

The American Civil Liberties Union had joined Internet companies in pushing for the change in the ECPA. "We're happy to see bipartisan legislation introduced to uphold what we think are really important constitutional values," said Chris Calabrese, legislative counsel for the ACLU in Washington, D.C.

The U.S. Justice Department is asking that civil investigations be exempted from the warrant requirement, a move opposed by the ACLU.

Calabrese argued that there's no difference in obtaining emails for a criminal case investigated by law enforcement or in a bank fraud civil action by the Securities and Exchange Commission (SEC). The ECPA is meant to protect people against privacy invasion by government, not just police.

"It just doesn't make sense," he said. "The fact is a warrant is a well-understood standard. It's appropriate for investigations and that's the one they should stick to."

Google has been one of the Internet companies out front in challenging the government over the use of subpoenas for obtaining electronic communications. Twice a year, the company lists the number of requests it receives from governments worldwide and includes its rate of compliance.

Google did not respond to a request for comment. The Internet Association, an industry group that includes the search giant, Facebook, eBay and, said it "strongly supports" updating the ECPA. "An email in your inbox deserves the same legal protections as a letter in your mailbox," the association said in a statement.

The ACLU and other privacy advocates are also lobbying to require warrants in obtaining geolocation information found in people's mobile phones. While the ACLU would favor having the requirement in the ECPA, it is expected to be dealt with separately by lawmakers.

"We want to get them both done," Calabrese said. "We're willing to see them move separately, if that's what needs to happen."

Along with the ECPA, privacy advocates have been raising concerns over the Cyber Intelligence Sharing and Protection Act (CISPA), introduced last month in Congress. The bill would provide immunity from customer lawsuits to private companies in the U.S. that share cyberthreat information with the federal government.

As it exists today, the bill does not go far enough in preventing people's personal information from also being shared, advocates say.

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsGoogleMicrosoftElectronic Communications Privacy Actsoftwaredata protectionData Protection | Data PrivacyFacebook

More about Amazon.comAmazon Web ServiceseBayFacebookGoogleInterpolMicrosoftSECSecurities and Exchange Commission

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts