Latest in ECPA
The House Judiciary Committee is holding a hearing at 10am this morning on cross-border data requests, featuring testimony from the Department of Justice, the U.K. government, Google, the Center for Democracy and Technology, state law enforcement, and yours truly. The hearing will be livestreamed here, where you can also find the written testimony.
On January 9th, Reps. Yoder and Polis re-introduced the Email Privacy Act to update the Electronic Communications Privacy Act (ECPA) (there is no Senate companion bill yet). ECPA sets forth the rules for how federal, state and local government agencies (and foreign governments) obtain electronic communication content and metadata from U.S. service providers.
Yesterday, the Second Circuit Court of Appeals ruled against the United States Government in the case Microsoft v. United States, stating that the government cannot compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States. Here's a brief summary of the opinion.
Yesterday, the Second Circuit released its long-awaited opinion in the Microsoft Ireland case, ruling that the DOJ cannot compel Microsoft to produce emails stored on its Irish servers, because to do so would be an extraterritorial application of the Stored Communications Act (SCA), and nothing in the Act rebuts the presumption against extraterritoriality. I will have more to say about the case in the coming days, but I wanted to share a few initial reactions here.
Yesterday, the ACLU filed a motion to join Microsoft’s ongoing challenge to the constitutionality of § 2705(b) of the Electronic Communications Privacy Act (ECPA), which permits the government to obtain gag orders that prohibit technology companies like Microsoft from disclosing to anyone that the government has obtained customer data. The case began last month when Microsoft filed a complaint in the District Court for the Western District of Washington.
As I've previously written, the Congress has been considering updating the Electronic Communications Privacy Act. The Act, first adopted in 1986, does not have a warrant requirement for government access to the content of older, stored email. I have testified in favor of modernizing ECPA to remove this historical oddity. Today, the House unanimously passed the Email Privacy Act (H.R. 699) today by a vote of 419-0.
While we are at it, I thought I would also call attention to this provision of the Omnibus. It appears in the section which funds the financial services agencies (that is, it applies to the IRS, SEC, FTC, GSA, and OMB):
This is the second post in a series analyzing the Daskal-Woods reform proposal for law enforcement demands for communications content across national borders. In the first post, I examined how the proposal dealt with communications content. Here, I explain why the proposal should also account for cross-border law enforcement demands for metadata.
The House Judiciary Committee had a hearing yesterday on HR 699, the Email Privacy Act. The bill, which has more than 300 co-sponsors in the House (!) would update the Stored Communications Act to apply a warrant requirement to law enforcement requests for email content from internet service providers.
Reading through the news coverage of the Microsoft Ireland warrant case, one thing stands out: nearly everyone agrees that the existing system for managing cross-border law enforcement requests for data is deeply flawed.