House Judiciary Wades Into ECPA Reform

Will be a priority to update law on government access to electronic communications

3/19/2013 02:59:07 PM Eastern

The House will take another crack at the "tough
nut" of updating the Electronic Communications Privacy Act, an effort that
began with a hearing in the House Judiciary Subcommittee on
Crime, Terrorism, Homeland Security and Investigations.

The goal is to update the law to clarify the protections of
emails, text, and info stored in the cloud from unreasonable searches and
seizures by the government and in civil suits. But Subcommittee chairman Jim
Sensenbrenner (R-Wis.) made it clear it would have to be a balancing act
between protecting privacy and allowing for law enforcement investigation of
crime, though he also said that would be a "tough nut to crack."
(ECPA update legislation failed to materialize out of the last Congress.)
"Americans should not have to choose between privacy and the
Internet," he said.

Sensenbrenner said he expected there would probably need to
be a probable cause warrant standard for most communications, at least in
criminal investigations.

The ECPA, which incorporates the Stored Communications Act,
was passed in 1986 and deals with the standards for government access to
electronic information stored by communications service providers, for example whether
that requires a search warrant or the lesser standard of a subpoena. It has not
been updated significantly since 2001.

Among the issues are the current differing standards between
how the government can get access to opened vs. unopened email, how long info
must be archived for potential inspection by law enforcement and the definition
of content.

Google security exec Richard Salgado pointed to some of the
"complex and baffling" distinctions in ECPA reflective of the
divergence between assumptions in the law and the way electronic communications
have evolved. "ECPA provides that the government can compel a service
provider to disclose the contents of an email that is older than 180 days with
nothing more than a subpoena (and notice to the user, which can be delayed in
certain circumstances). If the email is 180 days or newer, the government will
need a search warrant. The Department of Justice also takes the position that a
subpoena is appropriate to compel the service provider to disclose the contents
of an email even if it is not older than 180 days if the user has already
opened it. The Ninth Circuit Court of Appeals has rejected this view."

Rep. Bobby Scott (D-Va.), ranking member of the
subcommittee, said the Act was clearly outdated, pointing out that a single email
could be subject to different legal standards for access depending on whether
it was being stored or awaiting storage. He pointed out that service providers
are providing both a communications service and a remote storage service and
that there needed to be clarity on the definition of content.

The Justice Department says that the rule should be updated
to treat all stored emails similarly in terms of protections rather than treat
emails 180 days old differently, and that it makes no sense to accord
"lesser protection to opened emails than it gives to emails that are
unopened," as is currently the case. But DOJ witness Elana Tyrangiel did
not come with a lot of answers. "Acknowledging that the so-called '180-day
rule' and other distinctions in the SCA no longer make sense is an important
first step," she said. "The harder question is how to update those
outdated rules and the statute in light of new and changing technologies while
maintaining protections for privacy and adequately providing for public safety
and other law enforcement imperatives."

Richard Littlehale, of the Tennessee Bureau of
Investigation, suggested that law enforcement access to info should include
timely response by service providers whatever method was established by
Congress for access or protections. There is currently no requirement in a
warrant that the information be made available in a timely fashion, something
he would like to see changed. Littlehale also made the point that what he was
talking about was not access to information, or content or communications
records, but "evidence." He said law enforcement has no interest in
communications records unless they advance a criminal investigation.

Rep. Louie Gohmert (R-Texas), after some prodding, got
Salgado to say that Google would not strike a deal with the government to flag
it on communications with key terms like "Benghazi" in them, as it
does for paid advertisers who bid for the privilege of targeting ads based on
automatic key word searches, but Gohmert seemed less than satisfied with the
exchange or the answer. When Salgado said he thought the two issues were apples
and oranges, Gohmert fired back that he wasn't having a discussion on comparing

Gohmert said he wanted to clarify that for the
"simpletons" who write for the Huffington
that he wasn't in favor of the government being able to strike such a
deal with Google. Exercising a point of privilege, Sensenbrenner pointed out
that his son, who has an advanced degree, writes for Huffington.

Sensenbrenner was not pleased that Tyrangiel could offer no
alternative to the current 180-day requirement of storage of emails. She said
data retention was a complicated and tricky subject but she was eager to
discuss it further. Sensenbrenner, who seemed to be eager to get an answer, said
the question should not have been a surprise and advised her -- and by
extension, Justice -- to come better equipped the next time. If this were a
trial, he chastised, there would be some people unhappy with how unprepared you

Littlehale gave no definitive answer, but said it depended
on how expeditiously service providers responded. If it was within a few days,
records might not have to be kept as long, but if it were months, then records
might need to be kept up to a year.

Full committee chairman Bob Goodlatte (R-Va.) said that
updating the ECPA would be a top priority of the Judiciary Committee.
