Consider the vast amount of sensitive information we all store in the cloud. Many years’ worth of emails and text messages shared with family, friends, and coworkers. Back ups of every digital photo – allowing users to revisit memories of anniversaries, kids’ birthday celebrations, and other special moments at any time, from any device. The same is true of other important documents, from sensitive work memos viewed and edited by other coworkers to copies of health records. Maybe even a copy of your just-filed tax return.
Thirty years ago, when the Electronic Communications Privacy Act (ECPA) was enacted, it was a forward-looking statute addressing a brand new technology – email and computer storage. Since that time it has become a crazy patchwork of protections – many of them inadequate. Whether a document is stored on your desktop or in the cloud, whether an email has been opened or not, and whether an email is older or younger than 180 days are by no means indicative of the level of privacy users expect that data to have. The Email Privacy Act would fix all these problems. With 314 cosponsors, it is the most popular bill in the House and the result of more than eight years of efforts to reform ECPA.
Today, the House Judiciary Committee finally moved forward with a markup of the Manager’s Substitute to the Email Privacy Act (H.R. 699), which will amend ECPA so that, with limited exceptions, law enforcement officials will be required to obtain a warrant based on probable cause before searching and seizing data stored in the cloud. It is supported by more than 50 civil society groups, trade associations and companies big and small, and passed the committee by a unanimous vote of 28–0.
The Manager’s Substitute is a compromise where the committee balanced the goals of supporters with those of law enforcement. The bill does not achieve all of the reforms CDT had hoped for. Notably, the Amendment removes a provision that would have required the government to provide notice to the customer when a warrant for their data is served on their provider — an important protection for users against dubious data search and seizure requests. However, the Amendment still preserves providers’ ability to provide such notice, unless the government can successfully demonstrate that disclosure will likely result in one or several enumerated harms (such as destruction of evidence or seriously jeopardizing an investigation).
What did not make its way into the Amendment is just as important. We are particularly pleased that the Amendment did not contain a carve-out for civil agencies. Such a carve-out would have undermined the very purpose of the bill, giving government broad new access to private communications at much lower standards.
We have waited long enough for the law that protects our internet communications to reflect the vast technological changes that have taken place in the past thirty years. CDT hopes that this vote is the beginning of a broader ECPA reform push and ultimately new privacy protections for every American.