Congress Weighs Online Privacy Law Update
The House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security, and Investigations held a hearing on the Electronic Communications Privacy Act (ECPA), a 1986 law updated in 1994 and in 2001 that covers how government agencies can conduct surveillance and how they can demand information from organizations and individuals.
- Secure Access: Next Steps In Identity Management
- Will Your State Deliver a Modernized Medicaid Program by 2014?
White PapersMore >>
- Research: Federal Government Cybersecurity Survey
- Research: Managed Print Services for Government Agencies
Committee Chairman Bob Goodlatte (R.-VA) acknowledged that the ECPA, a law intended to balance privacy rights with the requirements of law enforcement, needs to change. The technology of 1986, he said, seems ancient when compared to the Internet-enabled world of 2013.
"ECPA reform must be undertaken so that despite the evolution of technology and its use in the world, the constitutional protections reinforced by ECPA will endure," he said in prepared remarks.
[ Navigating the slippery slope of employee surveillance? Read Watching Workers: Where's The Line? ]
The hearing focused on lawful access to stored information. As far as law enforcement is concerned, access should be easier and faster. Richard Littlehale, assistant special agent in charge, technical services unit in the Tennessee Bureau of Investigation, testified that any revision to the ECPA should ensure that communications providers respond to law enforcement demands for information in a timely manner.
"There is no requirement in current law -- including search warrant practice -- for providers to respond in a timely fashion to lawful process requests by governmental entities," he said in prepared remarks. "Some providers routinely respond in a timely way, but others do not."
He urged the inclusion of "a reasonable legal mandate for responsiveness," insisting that it need not be too costly or burdensome to communications providers.
Littlehale also argued for the inclusion of mandatory text message retention rules in any ECPA revision. "Billions of texts are sent every day, and some surely contain key evidence about criminal activity," he said.
Elana Tyrangiel, acting assistant attorney general in the Office of Legal Policy, a division of the U.S. Department of Justice, expressed similar concerns. The law, she said, has been instrumental in tracking down violent criminals. "In one case, a suspected serial killer who had killed more than ten people sent an anonymous letter to a newspaper reporter that identified the location of a victim's body with an 'X' drawn on a map," she said in prepared remarks. "Investigators recognized the mapping website on which the serial killer generated the map. They obtained from that website the IP address of the user who had generated the map and then used ECPA process served on the user's Internet service provider to obtain the physical address of the subscriber who had visited the mapping website."
Even as she acknowledged flaws in the law, such as the way that email older than 180 days is treated differently than newer email, she emphasized that any ECPA revision should not put civil investigations on different footing than criminal inquiries. She also said that differences in the way that content and non-content information -- routing information -- are treated under the Pen Register Statute and the Wiretap Act need to be harmonized.
Richard Salgado, director of law enforcement and information security at Google, meanwhile advocated updating the ECPA so that it's consistent with constitutional privacy protections. "...ECPA frustrates users' reasonable expectations of privacy," he said in prepared remarks. "Users expect, as they should, that the documents they store online have the same Fourth Amendment protections as they do when the government wants to enter the home to seize documents stored in a desk drawer."
Orin S. Kerr, a law professor at George Washington University School of Law, offered a more extensive overview of the problems with the ECPA. In addition to citing the absence of warrant protection for email older than 180 days, he noted that search engine queries are not protected under the ECPA.
Kerr also said that warrant requirements are vague, that warrantless access provisions in the law fail to satisfy the Fourth Amendment, and that the current statute does not place any limits on the amount of information a communication provider can turn over to the government.
When communications providers respond to a government demand for information, they might send all the data they have. This might be a substantial amount of information. As Kerr noted, the typical Gmail user has about 17,000 email messages stored in his or her account at any given time. "Investigators can scan through all of the contents of a person's digital life without limit," he said.