Could Privacy Protection Bills Hinder Law Enforcement?

The Senate Judiciary Committee Thursday approved a bill that would set new privacy protections for Web-based email and other digital communications, sending the measure to the full Senate for debate.

Judiciary Chairman Patrick Leahy (D-Vt.), one of the authors of the bill, said the legislation is necessary to "better protect Americans' digital privacy" and iron out some inconsistencies in the protections afforded to materials that are stored on a desktop computer and those that reside in the cloud.

Under the current statute, law enforcement authorities have been able to obtain access to emails stored with a cloud provider on the authority of a subpoena, rather than the warrant they would need to obtain those same communications stored locally on a personal computer.

"If you've got the same files in the cloud, you want to have the same sense of privacy," Leahy says.

Tech Trade Groups Support the ECPA Reform Bill

The Electronic Communications Privacy Act Amendments Act, authored by Leahy and Utah Republican Mike Lee, would reform the 1986 ECPA statute, which Leahy helped draft, to harmonize the privacy protections for digital documents, doing away with the so-called 180-day rule that has provided easier access to older emails, among other provisions.

Several leading tech trade groups quickly hailed the advancement of the ECPA reform bill.

"There are some issues in Washington where there are profound disagreements about what needs to be done. This isn't one of them," Robert Holleyman, president and CEO of BSA, a software industry trade group, says in a statement. "There is broad bipartisan agreement and a groundswell of support for reform among industry and public interest groups. Everyone understands that law enforcement access and constitutional protections should be the same for online files and other digital records as they are for papers stored in a file cabinet."

In approving the ECPA overhaul bill by a voice vote, the Judiciary Committee sends the measure to the Senate floor, where any debate will likely air objections from lawmakers sympathetic to the concerns of law-enforcement authorities who have warned that some of the reform provisions could hinder their investigations.

The Justice Department has gone on record with the view that some of the distinctions in the 27-year-old law have failed to keep pace with the ways that consumers are using technology to communicate.

"We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to open emails than it gives to emails that are unopened," a DoJ official told a House subcommittee last month.

Legal Implications of Location-based Data

But the DoJ has not endorsed Leahy's bill or any other specific reform measure, and the department's absence at another House hearing Thursday morning that focused on the law's implications for location-based data was noted.

"While DoJ has briefed committee staff on ECPA and geolocation, the Obama administration has refused our request to testify in public," says Jim Sensenbrenner (R-Wis.), the chairman of the House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security and Investigations. "This is unacceptable."

At the Senate markup the same day, Iowa's Chuck Grassley, the ranking Republican on the Judiciary Committee, expressed a similar sentiment, saying, "It's disappointing that the DoJ hasn't weighed in."

The House hearing on ECPA and geolocation data highlighted the same underlying friction between personal privacy and the needs of law enforcement that has colored the broader debate over ECPA reform.

"Requiring probable cause to get basic, limited information about a person's historical location could make it significantly more difficult for us in law enforcement to solve crimes and seek justice," says Peter Modafferi, a veteran detective and chair of the Police Investigative Operations Committee of the International Association of Chiefs of Police.

Leading online service providers like Google and Microsoft have thrown their lot in with civil liberties groups and privacy advocates in the debate, arguing that inconsistent privacy protections have created substantial uncertainty in the market and slowed the adoption of cloud computing.

Legal vs. Privacy Implications of Location-based Surveillance

Thursday's activity on Capitol Hill involving ECPA comes about 15 months after the U.S. Supreme Court addressed the issue of location-based surveillance, ruling that law-enforcement authorities erred in not obtaining a warrant before attaching a GPS tracking device to the vehicle of a suspected D.C. drug kingpin. But that ruling was fairly narrow and stopped short of setting a broader precedent for law enforcement's use of geolocation technology.

At Thursday's House hearing, ACLU attorney Catherine Crump expressed support for the GPS Act, a bill pending before the subcommittee that would require investigators to obtain a warrant from a court before accessing a suspect's phone location.

That measure has drawn predictable opposition from the law-enforcement community. But even as the civil liberties and law enforcement camps are far apart on the appropriate legal framework for lawful access to location information under ECPA, in the wake of the Supreme Court decision, they accept as a starting point that the legal issues in play remain unsettled.

As Crump put it: "We at least agree that the current situation is unclear and in a state of chaos."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for

Follow everything from on Twitter @CIOonline, on Facebook, and on Google +.

Read more about cloud computing in CIO's Cloud Computing Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags senateElectronic Communications Privacy Actemail privacyTechnology TopicslegislationgovernmentPatrick LeahyprivacyWeb-based email.Technology Topics | Cloud ComputingsecurityCloudECPA

More about BillBSAFacebookGoogleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth Corbin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place