New York Representative Jerrold Nadler and Michigan Representative John Conyers Jr. recently proposed a string of amendments intended to modernize the Electronic Communication Privacy Act (ECPA). Most notably, the bill would require authorities to prove probable cause and obtain a warrant before accessing cloud-hosted emails to inform an investigation.
While many would have assumed that such privacy protections were already in place, several holes have emerged in the increasingly antiquated legislation. ECPA provisions state that email and other content stored by an Internet service provider (ISP) for more than 180 days can be freely obtained by law enforcement agencies without the need to show probable cause that the data relates to a criminal investigation. A warrant is required, however, to gain access to content that is either less than 180 days old or stored on a private citizen's hard drive.
As Wired columnist David Kravets noted, the law was written in 1986, when ISPs served a much smaller role in storing online communications. Email was only held on third-party servers for a brief period before being funneled into a recipient's inbox. Therefore, messages that were still hanging in limbo after six months were effectively considered abandoned property.
But as email has assumed a larger role in personal and professional communications, archives have grown too great to be stored on individual hard drives. As a result, more users are turning to cloud computing to carry some of the burden. The trouble is, many of these hosted services store content indefinitely, well beyond the 180-day grace period outlined by the ECPA.
"Communications technology is evolving at an exponential rate and, as such, requires corresponding updates to our privacy laws," Nadler explained in a prepared statement. "This new legislation will ensure that ECPA strikes the right balance between the interests and needs of law enforcement and the privacy interests of the American people."
Aside from raising the bar for access to cloud-hosted content, the bill will also provide a uniform set of standards for notifying data owners when their communications are being reviewed by government agents, including criteria that must be met for authorities to delay informing the individual out of concern for jeopardizing an investigation.
This news comes on the heels of recent revelations that the FBI has been trying to convince online communication services to make their infrastructure more "wiretap-friendly" and growing increasingly accustomed to requesting mobile device data from cellphone carriers. This increased awareness could instill a renewed sense of urgency that wasn't there when Senator Patrick Leahy was stalled in his attempts to make similar reforms in 2011.
Cloud Security News from SimplySecurity.com by Trend Micro