Senate Takes Up Privacy Protection with New ECPA Bill

Faced with a national consensus concerning NSA’s activities as a large-scale violation of citizen privacy and a court ruling declaring PRISM unconstitutional, momentum has been building slowly in Congress to legislate boundaries around future government attempts at data collection.

U.S. Sens. Patrick Leahy (D–VT) and Mike Lee (R–UT) Thursday reintroduced a bill they had cosponsored offering revisions of the Electronic Communications Privacy Act (ECPA) to extend Fourth Amendment protections to private data stored on servers on the Internet or in the “cloud.” Among the legal weaknesses NSA had been able to exploit was ECPA’s silence on Internet-related communications. ECPA, which sets out rules for law enforcement agencies that want to tap phone conversations, became law 30 years ago when there was no concept of e-commerce, cloud storage, web searching, or other routine Web-based applications people now use daily.

The House took a major step toward reform, passing the Email Privacy Act in February. A Senate version of the bill was also expected to be introduced this week.

The Leahy-Lee bill, christened the EPCA Modernization Act of 2017, updates ECPA and requires the government to obtain a warrant to access emails, social media posts and other online content stored in the cloud. The bill also eliminates the 180-day sunset on stored communications. Previously a warrant was not required for communications stored beyond 180 days.

In addition to Congress, some states are taking action. In July 2015, Montana became the first state to enact a comprehensive law requiring police to obtain a search warrant before obtaining location information generated by personal electronic devices, such as cell phones. In October 2015, California Gov. Jerry Brown signed CalECPA, a bipartisan bill requiring police to get a warrant before searching online accounts or personal communications devices.

These actions come none too soon. In addition to NSA’s surveillance activities, state and local police are using devices called Stingrays, which mimic cell phone reception towers to trick phones into revealing identifying information and location data. Congress, along with legislatures in states such as New York, South Carolina, and Utah, has introduced bills that would require search warrants for Stingray use. In September 2015, the Department of Justice made it policy that federal law enforcement agencies obtain a search warrant before using Stingrays.

The lack of specific Fourth Amendment protection is partly responsible for the massive scope of the government’s use of the Internet to violate citizens’ privacy. NSA hid behind judicial interpretations suggesting cloud data has no explicit legal protection, but this is use of a technicality to evade the principle of the law. The intent of ECPA was to prevent the very sort of fishing expeditions NSA has been conducting.

Had there been appropriate judicial and legislative oversight, it is difficult to imagine these surveillance programs would have grown as large and intrusive as they became. After the December 2015 attack in San Bernardino, California by two radicalized terrorists, some, including presidential candidate Sen. Marco Rubio (R-FL), questioned the wisdom of curtailing warrantless NSA surveillance even though the program failed to alert the government to those attackers or their plan.

In a rush to identify suspects, law enforcement too often overlooks constitutionally protected civil liberties. Any future surveillance programs should be subject to strict oversight from lawmakers and an independent judiciary. Those safeguards should recognize

  • The right of Internet companies to be notified when their infrastructure is being used for surveillance;
  • The right of Internet companies to disclose instances when they have been asked to assist with surveillance and turn over information;
  • The necessity of due process;
  • Domestic civilian surveillance is within the purview of conventional courts, not FISA or secret military courts; and
  • Requests for data should be held to the same standard as other search warrants: The requester must identify the suspect, the probable cause, the data to be searched, and the specific information being sought.

In a free society, individuals are not automatically assumed to be suspects requiring or justifying constant surveillance. Citizens have the right to go about their business without answering to the state for every thought, act, purchase, or social media comment.