It would be somewhat of an understatement to say that methods of communication have changed over the last 31 years. Yet in that time, laws pertaining to the privacy of those new types of communication have remained stuck in the past.
Debate what you will about the value of leg warmers, a Firebird vs. a Trans Am, or “the need for speed,” but it’s hard to argue that the Fourth Amendment to the U.S. Constitution only applies to “old school” forms of communication. On Monday, the U.S. House of Representatives agreed that it was time for edits; by unanimous voice vote, the House passed the bipartisan-sponsored bill called the Email Privacy Act (H.R. 387).
Introduced by Colorado Representative Jared Polis (D) and Kansas Representative Kevin Yoder (R), the new bill replaces the severely outdated Electronic Communications Privacy Act (ECPA) of 1986. Privacy advocates have long railed against the ECPA, which afforded law enforcement warrantless access to citizens’ private emails, texts, photos, videos, and other sensitive information, provided that information was more than 180 days old. Because the ECPA didn’t account for electronic communication or cloud storage, given their limited use in 1986, H.R. 387 also modernizes the language and brings it in line with a 2010 decision from the Sixth Circuit Court of Appeals, which concluded that the ECPA was unconstitutional.
It’s a primitive clash
Tech companies have been rallying in favor of updated protections alongside privacy groups, and in a joint letter to the House Judiciary Committee dated January 20, 2017, delegates from Adobe, Amazon, Cisco, Dropbox, Facebook, Google, IBM, Microsoft, and Twitter, among others, lent their support to passage of the bill. What’s more, the bill stipulates that providers are now free to “notify a subscriber or customer of a receipt of a warrant, court order, subpoena, or request,” unless a court orders that notification be delayed. Justification for a delay includes the potential for “endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence,” and the like.
This isn’t the first time the bill has made the rounds; last year a version of the bill passed in the House, only to stall in the Senate, in large part due to a provision introduced by Senator Jeff Sessions which would have allowed law enforcement to ignore the law “under extraordinary circumstances.” The rejection of the provision was a big win for conceptual privacy but left citizens and companies subject to antiquated laws. Until Monday.
Bravely we hope
Kevin Haynes, Chief Privacy Officer at The Nemours Foundation, thinks yesterday’s vote is a step in the right direction. “It is a good sign that the bill has passed (now two times) in the House,” he said via email. Haynes continued, “Hopefully the Senate will take it up this session—without also trying to tackle the Computer Fraud and Abuse Act at the same time. H.R. 387 is the right thing to do. It just makes constitutional sense to require a warrant for email.” While Haynes is positive about recent developments, he notes that he is also hopeful for future improvements to the bill and consumer privacy.
Before the bill becomes a law, of course, it has to pass a Senate vote. Given the content and its cross-aisle support, the bill seems likely to pass this time around. That said, it’s not out of the question that additions which weaken privacy in the name of national security could be proposed. The U.S. government is extremely polarized at present, and all it takes is a few outspoken supporters of enhanced surveillance to change the nature of the bill. To this point, the Electronic Frontier Foundation has issued a statement saying, “Senators need to be vigilant about fending off these kinds of amendments when the Email Privacy Act is considered in the Senate this time around,” adding that “the emails in your inbox should have the same privacy protections as the papers in your desk drawer.”
There is so much at stake
Security practitioners should agree that confidentiality is a critical aspect of the CIA (confidentiality, integrity, availability) triad. Though prohibiting law enforcement from conducting legitimate investigations is certainly to no one’s benefit, putting lawful protections in place to keep private data private and out of the grasp of those without written, legal consent is a positive step for all.