Senator Leahy Proposes Amendments to ECPA
By Elizabeth Katz & Steve Satterfield
Twenty-five years after authoring the Electronic Communications Privacy Act (“ECPA”), Senator Patrick Leahy has introduced a bill, the ECPA Amendments Act of 2011 (S. 1011), that is intended to adapt the Act to the privacy and security challenges of the 21st Century. The bill would amend Title II of ECPA, commonly called the “Stored Communications Act” or “SCA,” which regulates the disclosure to private parties and the U.S. government of electronic communications in storage with certain service providers. Much of S. 1011 increases the requirements that the U.S. government must satisfy to compel disclosure of covered communications.
The bill was introduced amid a flurry of activity in the Senate related to privacy and data security. Last week, the newly formed Senate Subcommittee on Privacy, Technology and the Law held a hearing on privacy in the mobile communications context (which also touched on ECPA reform), and the Senate Commerce Committee held a similar hearing today (its sixth hearing on consumer privacy in the past 13 months).
After the jump is a summary of S. 1011’s key provisions.
Regulated Entities. The SCA currently regulates the disclosure (voluntary and compelled) of stored electronic communications by providers of two types of services: “electronic communications services” and “remote computing services.” S. 1011 adds a third category of regulated entity: “geolocation information services,” which the bill defines as “the provision of a global positioning service or other mapping, locational, or directional service.”
Compelled Disclosure of Contents of Communications. Section 2703 of the SCA sets forth the standards the U.S. government must meet to compel disclosure of different types of stored information (e.g., contents of communications, non-content records relating to communications, and basic subscriber information). In the current version of the statute, the required legal process varies based on the type of information sought and, when the information sought is the contents of a communication, whether it has been in storage for fewer than 180 days. S. 1011 simplifies this approach by eliminating the so-called “180 day rule.” Instead, a warrant must be secured to compel disclosure of the contents of any stored electronic communication.
Notice to Customer or Subscriber. S. 1011 requires the U.S. government to provide notice to an affected customer or subscriber within three calendar days after receiving the content of a communication. The notice must include a copy of the warrant as well as additional information about the nature of the government’s inquiry. Like the current version of the SCA, S. 1011 permits the government to delay notice (for up to 90 days, with the possibility of additional extensions) where the government shows that notice may, for example, endanger life or physical safety or result in a suspect’s flight from prosecution. In addition to the current justifications for delaying notice, S.1011 permits delayed notice where providing timely notice would endanger national security.
Protection of Location Information from Government Access. S. 1011 introduces an entirely new section designed to limit government access to “geolocation information,” which the bill defines as “any information concerning the location of an electronic communications device that is in whole or in part generated by or derived from the operation or use of the electronic communications device.” “Electronic communications device” is, in turn, defined as “any device that enables access to or use of an electronic communications system, electronic communications service, remote computing service, or geolocation information service.” The bill requires the government to obtain a warrant or the “express consent of the owner or use of the device” before directly accessing or using geolocation information, except in certain cases of emergency. This provision also provides for reasonable compensation to a covered provider that is compelled to provide “information, facilities, or technical assistance.” Providers also are protected against all causes of action based on their compliance with this section.
Compelled Disclosure of Geolocation Information. The bill imposes somewhat different requirements where the U.S. government seeks to obtain geolocation information indirectly (i.e.,when already held by a regulated service provider). If the government wants to compel disclosure of “geolocation information contemporaneously or prospectively” collected, it will need a warrant, except in certain emergency situations. If the government wants to compel disclosure of “historical location information,” it will need a warrant, consent, or a court order that would issue upon a showing of “specific and articulable facts . . . that there are reasonable grounds to believe that that the [information] . . . is relevant and material to an ongoing criminal investigation.” See 18 U.S.C. § 2703(d). (This is sometimes referred to a “specific andarticulable facts order” or “(d) order.”)
Voluntary Disclosures to Protect Cybersecurity. S. 1011 also creates an exception to the general prohibition against disclosure that would allow a provider to disclose content (to the government or a private party) when necessary to address a cyberattack on the provider’s computer network.
The bill has drawn praise from consumer groups but major industry players have yet to comment. As with the numerous other privacy and data security bill pending at the federal and state level, Inside Privacy will follow the progress of S. 1011 closely.