Lawmakers call for greater protections from e-surveillance

House members push for ECPA reform during a hearing, and senators introduce a new bill

If U.S. law enforcement agencies agree to changes in electronic surveillance law to better protect the privacy of stored email and documents, they want several changes in return, including a requirement that email and cloud service providers hold onto records longer.

Representatives of the U.S. Department of Justice and the Tennessee Bureau of Investigation told U.S. lawmakers Tuesday that they could accept some changes to the 1986 Electronic Communications Surveillance Act (ECPA), after several members of the U.S. House of Representatives Judiciary Committee called for changes in the law that would require law enforcement agencies to get court-ordered warrants to obtain emails and other electronic documents stored for more than six months.

Right now, U.S. law enforcement agencies need only a subpoena to obtain electronic documents stored for longer than 180 days on servers outside a suspect's computer. Several tech companies and digital rights groups have been calling for more privacy protections in ECPA for three years, saying it doesn't make sense that a document in a file cabinet, or an email less than 180 days old, should enjoy more privacy protections than stored electronic documents.

The U.S. Constitution's Fourth Amendment, prohibiting unreasonable searches and seizures by the government, "protects more than just Luddites," Representative Jim Sensenbrenner, a Wisconsin Republican and chairman of the Judiciary Committee's crime subcommittee, said during a hearing Tuesday. "Americans should not have to choose between privacy and the Internet."

While ECPA reform is a top priority, finding a balance between privacy and law enforcement needs won't be easy, Sensenbrenner said. Lawmakers tried during the last session of Congress to pass ECPA reform bills, but failed, he noted.

If Congress makes it harder for law enforcement agencies to get access to stored documents, it should also require email and cloud service providers to hang onto documents longer, and it should prohibit service providers from warning customers when investigators seek access to their documents, said Richard Littlehale, assistant special agent in charge of the Technical Services Unit at the Tennessee Bureau of Investigation.

Congress should also require service providers to respond to law enforcement records requests in a timely manner, Littlehale told the subcommittee.

"When we request these records, it is for a reason -- we believe that the records constitute evidence that will lead to identification of sexual predators, the recovery of kidnapping victims, or the successful prosecution of a murderer," Littlehale said. "Any consideration of changes to ECPA that will make obtaining communications records more time-consuming and laborious should reflect an understanding of how those changes will impact our ability to do our job."

During the hearing, Representative Louie Gohmert, a Texas Republican, questioned why Google was pushing for email privacy protections when it shares information about Gmail users with advertisers. Gohmert asked whether U.S. law investigators could get "the same deal" as advertisers who send targeted ads to Gmail users based on keywords.

The automated keyword advertising process isn't the same as a company turning over a subscriber's account information to police, said Richard Salgado, director of law enforcement and information security at Google.

On the same day as the hearing, two senators introduced an ECPA reform bill. Senators Patrick Leahy, a Vermont Democrat, and Mike Lee, a Utah Republican, introduced the Electronic Communications Privacy Act Amendments Act, which would require law enforcement agencies to get search warrants for stored electronic communications.

Twenty-seven years ago, "no one could have imagined just how the Internet and mobile technologies would transform how we communicate and exchange information today," Leahy said in a statement. "Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world."

Leahy's statement was echoed by several members of the House subcommittee, and even Elana Tyrangiel, acting assistant attorney general in the DOJ's Office of Legal Policy. While DOJ officials have been reluctant in the past to embrace ECPA reform, Tyrangiel said some of the legal distinctions in electronic surveillance law "have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications."

In general, law enforcement agencies should get search warrants before obtaining any email, she said. "There is no principled basis to treat email less than 180 days old differently than email more than 180 days old," Tyrangiel added.

Still, there should be some exceptions, particularly when lives are at stake, she said. In civil cases filed by U.S. agencies, subpoenas for business records may still be appropriate, she added.

When asked for what specific changes the DOJ would recommend, or about some scenarios, Tyrangiel told several lawmakers the DOJ wasn't ready to offer an opinion. That led Sensenbrenner to say Tyrangiel was "ill prepared" for the hearing.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies