Jen Ortega serves as a consultant to EDUCAUSE on federal policy and government relations. She has worked with EDUCAUSE since 2013 and assists with monitoring legislative and regulatory proposals across a range of policy areas, including cybersecurity, data privacy, e-learning, and accessibility.
On September 16, 2015, the Senate Judiciary Committee held a hearing to discuss reforming the Electronic Communications Privacy Act (ECPA), a 30-year old statute that restricts government access to stored electronic communications. Seven witnesses representing civil law enforcement agencies, privacy advocates, and internet service providers discussed the need for reform of the outdated law and the specific reform proposals included in S. 356, the Electronic Communications Privacy Act Amendments Act of 2015, introduced by Senators Mike Lee (R-UT) and Patrick Leahy (D-VT).
S. 356 has received strong bipartisan support and is currently cosponsored by 24 Senators. Kevin Yoder (R-KS) and Jared Polis (D-CO) introduced a companion bill in the House of Representatives, H.R. 699, which has 297 cosponsors. If passed, the bills would add warrant requirements for all electronic communications regardless of how old they are; previously ECPA only protected emails 180 days old or younger from law enforcement access without a warrant. Emails older than 180 days were viewed as not requiring privacy protections based on a dated model of email management that assumed the user would download any emails seen as important to his or her personal computer. From that perspective, anything the user left on the email server for more than a few months was considered abandoned, and thus law enforcement shouldn’t have to follow rigorous legal standards to gain access to it. Obviously, given contemporary email practices in which users often store much of their email in the cloud for years at a time, ECPA’s provision allowing for warrantless access after 180 days is seen as no longer compatible with users’ reasonable expectations of privacy.
The proposed legislation would also require a government agency to notify an individual when it acquires his or her emails. Law enforcement agencies would have 10 business days to provide notice, while all other agencies would have to provide notice within 3 business days. An agency could delay this notification, though, if it had reason to believe that providing notice would jeopardize another person’s life or safety or interfere with an investigation.
Law enforcement witnesses included Elana Tyrangel (principal Deputy Assistant Attorney General at the U.S. Department of Justice), Andrew Ceresney (Director of the Division of Enforcement at the Securities and Exchange Commission), Daniel Salsburg (Chief Counsel at the Office of Technology, Research, & Investigation of the Bureau of Consumer Protection at the Federal Trade Commission), and Richard Littlehale (Assistant Special Agent in Charge of the Tennessee Bureau of Investigation). In general, these witnesses focused on the repercussions of “blanket warrant requirements” for any and all content held by the provider. They explained that since their agencies don’t have the ability to obtain a criminal warrant, reform legislation that includes provisions requiring law enforcement to obtain a search warrant prior to any access to electronic communications might block civil agencies from access to critical evidence and information. The witnesses also argued against provisions on maintaining the Internet service provider’s ability to reject an agency’s request in cases in which the agency deems it an emergency situation and the customer has granted access to his or her content.
Witnesses advocating on behalf of consumers and internet service providers included Chris Calabrese (Vice President of Policy at the Center for Democracy & Technology), Richard Salgado (Director of Law Enforcement & Information Security at Google), and Victoria Espinel (President of BSA | the software alliance). These witnesses explained that government agencies already have plenty of options and tools at their disposal for accessing content. They advocated for maintaining the provider’s ability to determine if an emergency situation is urgent enough to justify its handing over of electronic communications. They also warned against using providers as agents in law enforcement's search for content. Putting providers in that position could lead them to unintentionally disclose critical and confidential information to law enforcement (such as business secrets or information covered by attorney-client privilege), jeopardizing the trust customers have in a provider’s ability to protect their personal information.
S. 356 is still under consideration by the Senate Judiciary Committee. It is not clear if or when ECPA reform legislation might get a committee vote and proceed to consideration by the full Senate or House. EDUCAUSE, however, will continue to monitor developments in this space for signs of progress or changes that might impact college and university interests.