Senate Judiciary Committee Approves Leahy Bill to Require Warrant for Accessing Cloud Stored E-Mail
November 29, 2012. The Senate Judiciary Committee (SJC) held an executive business meeting at which it amended and approved HR 2471 [LOC | WW | HTML], an untitled bill that would require a warrant for accessing cloud stored e-mail, and that would make it easier for social media users to disclose their video viewing.
Summary of this article:
Summary.
ECPA Reform.
November 29 SJC Meeting.
Government Access to Stored E-Mail.
Video Privacy Protection Act.
Reaction.
Summary. As introduced, and as passed by the House on December 6, 2011, this is a bill to amend the "Video Privacy Protection Act" or VPPA. The House bill contains a modest amendment to 18 U.S.C. § 2710 regarding video tape privacy and social media.
Sen. Patrick Leahy (D-VT) has used HR 2471 as the vehicle for a late in the Congress effort to revise the Electronic Communications Privacy Act (ECPA) to impose a warrant requirement for accessing e-mail stored in the cloud.
The bill, as approved by the SJC includes a revised version of the VPPA revision, and amendments to 18 U.S.C. § 2703 and other sections of the ECPA's Stored Communications Act (SCA) to require the government to obtain a court warrant to access the content of stored e-mail.
The bill just approved by the SJC provides that
"A governmental entity may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication that is in electronic storage with or otherwise stored, held, or maintained by the provider only if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) that is issued by a court of competent jurisdiction directing the disclosure."
(Parentheses in original.) See, TLJ's red line mark up of this bill.
In addition, Sen. Leahy has ambitiously announced that the agenda for the December 6 executive business meeting of the SJC includes consideration of S 1223 [LOC | WW], the "Location Privacy Protection Act of 2011", sponsored by Sen. Al Franken (D-MN).
Neither the House, nor its House Judiciary Committee (HJC), have approved either S 1223, or a warrants for stored e-mail bill. Moreover, there is opposition to both in the House, Senate, and Obama administration, and among federal, state and local law enforcement officials, prosecutors, and regulators.
Furthermore, the 112th Congress is in its final weeks. The Congress is in a lame duck session in which budgetary issues dominate its attention. Thus, enactment of these bills in the 112th Congress is highly unlikely.
ECPA Reform. Neither this bill, nor S 1223, constitute proposals for comprehensive ECPA reform. Rather, they each address just one of many areas in which the ECPA is outdated. Although, they address two of the most important topics.
A coalition of companies and groups named the Digital Due Process (DDP) announced a set of four principles for ECPA reform in 2010. See, story titled "Digital Due Process Coalition Proposes Changes to Federal Surveillance Law" in in TLJ Daily E-Mail Alert No. 2,068, March 31, 2010.
This bill and S 1223 address two of the DPP's proposals.
The DDP's third proposal is, "Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation."
The DPP's fourth proposal is, "Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation."
These two bills, and the DPP's proposals, seek to protect privacy, liberty and security. It should also be noted that certain law enforcement, prosecutorial, regulatory and intelligence agencies seek amendment to the ECPA to broaden surveillance powers of government, and surveillance duties of service providers.
For example, there are data retention mandates in the ECPA's Stored Communications Act (SCA). However, some government officials seek a new and vast data retention mandate. Rep. Lamar Smith (R-TX) has tried but failed to enact a broad data retention mandate in the 112th Congress.
November 29 SJC Meeting. The SJC approved by unanimous consent an amendment in the nature of a substitute (AINS) [10 pages in PDF] offered by Sen. Leahy. Title I is the "Video Privacy Protection Act Amendments Act of 2012". The much longer Title II is the "Electronic Communications Privacy Act Amendments Act of 2012".
The SJC also approved four amendments to the AINS:
The SJC also rejected an amendment [2 pages in PDF] to the AINS offered by Sen. Charles Grassley (R-IA) by a vote of 6-11. It would have carved out an exception to the warrant requirement for investigations of crimes "involving" certain enumerated activities.
Sen. Leahy (at right) stated at the meeting that we need "to contain the way surveillance is expanding" and "we have to update our privacy laws". He also referenced the importance of "promoting new technologies like cloud computing".
He said that in 1986, when the ECPA was enacted, "e-mail was nothing like it is today".
He said that his bill amends the ECPA to "enhance privacy protections". It "requires that the government obtain a search warrant based upon probable cause to obtain the content of Americans' e-mail, and other electronic communications, when those communications are requested from a third party service provider."
He said that "I think we have to eliminate the anachronistic distinction made in the law based on whether the emails are more or less than 180 days old."
Sen. Leahy also said that his bill updates the VPPA to allow Americans, "if they wish, to share their movie and television watching experiences through social media".
Grassley said that the SJC held a hearing, but that it was two years ago, and that the government witnesses had "no cleared administration positions".
He argued that the SJC should first hear the concerns raised by law enforcement officials, and by representatives of federal regulators, such as the Securities and Exchange Commission (SEC), before legislating.
Government Access to Stored E-Mail. This bill would require a warrant to obtain the content of e-mail stored in the cloud. The key language is quoted above.
Actually, the bill addresses e-mail stored with an "electronic communication service" or ECS, or an "remote computing service" or RCS. RCS is defined at 18 U.S.C. § 2711. ECS is defined at 18 U.S.C. § 2510. These definitions are obsolete. However, the bill does not amend these definitions.
Subsection 2703(a) currently provides that a warrant is required only to obtain communications in storage with an ECS that is less than 180 days old.
Subsection 2703(a) currently provides that "A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section."
The bill would not impose a warrant requirement for accessing things other than the content of e-mails, such as users' names, addresses, and credit card numbers.
The bill would require the government to give notice to the customer of the e-mail cloud service that it has seized the content of e-mails. However, the bill would also enable law enforcement agencies to obtain with the warrant a 180 day delay of such notification, for certain enumerated reasons, including "flight from prosecution" and "jeopardizing an investigation". The bill would also allow unlimited extensions.
Similarly, the bill would authorize the court to impose a 180 day gag order on the service providers, also with allowance for unlimited extensions.
This bill would not affect government acquisition of oral communications, such as through wiretaps and bugs. Nor would it affect government access to stored communications under the Foreign Intelligence Surveillance Act (FISA).
Video Privacy Protection Act. The VPPA was enacted by the 100th Congress in 1988 just after the public debates and Senate hearings pertaining to the nomination of Judge Robert Bork to be a Justice of the Supreme Court, which involved public disclosure of his video rental records. That bill was Public Law No. 100-68. It is codified at 18 U.S.C. § 2710.
The VPPA currently provides that "A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person".
Now, providers of social media, such as Facebook, want users to be able to disclose their video rentals and recommendations with a one time opt-in procedure, rather than requiring consent every time they want to recommend a video.
The bill approved by the SJC on November 29 differs from the bill passed by the House last year.
The House bill would amend the VPPA to provide that
"A video tape service provider may disclose personally identifiable information concerning any consumer ... to any person with the informed, written consent (including through an electronic means using the Internet) in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer given at one or both of the following times -- (i) the time the disclosure is sought; and (ii) in advance for a set period of time or until consent is withdrawn by such consumer".
The VPPA defines "video tape service". Neither the House bill, nor the bill approved by the SJC on November 29, would alter that definition.
Sen. Leahy's bill, as amended by an amendment offered by Sen. Feinstein, would amend the VPPA to provide that
"A video tape service provider may disclose personally
identifiable information concerning any consumer ... to any person with
the informed, written consent (including through an electronic means using the
Internet) of the consumer that---
(i) is in a form distinct and separate from any form setting forth
other legal or financial obligations of the consumer;
(ii)(I) is given at time the disclosure is sought; or (II) is
given in advance for a set period of time, not to exceed 1 year or until consent
is withdrawn by the consumer, which ever is sooner; and
(iii) the video tape service provider has provided an opportunity,
in a clear and conspicuous manner, for the consumer to withdraw on a
case-by-case basis or to withdraw for ongoing disclosures, at the consumer’s
election;
Reaction. Ed Black, head of the Computer and Communications Industry Association (CCIA), stated in a release that "Updating our laws which protect vital constitutional rights in this era of technological change has been long overdue. CCIA is grateful to Chairman Leahy and other supporters of this legislation for beginning to move legislation ensuring that our emails, instant messages and social networking communications have the level of protection that is more on par with the principles of a robust 4th Amendment."
Gregory Nojeim, of the Center for Democracy and Technology (CDT), stated in a release that "Our privacy laws are woefully outdated given the rapid advance of technology. This vote today sets the stage for updating the law to reflect the reality of how people use technology in their daily lives. It keeps the government from turning cloud providers into a one-stop convenience store for government investigators and requires government investigators to do for online communications what they already do in the offline world: Get a warrant before reading postal letters or searching our homes. This bill would support the development of cloud computing services and other innovative technologies."
(Published in TLJ Daily E-Mail Alert No. 2,479, November 30, 2012.)