Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) have introduced the Senate version of a bill to modernize the Electronic Communications Privacy Act.
The new bill, which would modernize the original ECPA to require warrants for access to electronic communications such as email, also adds a requirement for a warrant for location information. The original House bill, the Email Privacy Act, did not cover location information.
The bill, which if passed, would need to go to a conference committee for reconciliation. While the bill appears to have broad bipartisan support, it still needs to go the relevant committees before it will be considered by the full Senate.
In its current version, the Senate bill would reform the use of gag orders by requiring that the court issuing the warrant have a “reason to believe” that notice of the warrant by the subject would have an adverse effect based on “specific and articulatable facts.”
The bill also allows for suppression of evidence in cases where the information was obtained in violation of the ECPA. The same fact-based requirement would be put into place for pen register/tap and trace actions, but would also require that the data not only be relevant, but also material.
The bill would allow subpoenas calling on companies to hand over information where the data is held by a third party. In an important change, the warrant would be required for all data regardless of age. The old and confusing standard of allowing some data older than six months to be obtained without a warrant would be eliminated.
Meanwhile, over at the House of Representatives, two bills have made it out of committee and are set to be considered by the full House. One, the Cybersecurity and Infrastructure Security Agency Act of 2017 (HR 3359), would reform the structure of part of the Department of Homeland Security to create an operational directorate to manage the department’s actions regarding critical infrastructure, cyber-security and physical security, including emergency communications.
The agency would be headed by a director who would report to the Secretary of Homeland Security, a cabinet-level post, rather than the undersecretary that handles such functions now. If this bill becomes law, it would consolidate the DHS Cyber Operations Division, the sharing of cyber-threat information and the protection of federal networks.
A second companion bill was voted out of committee July 27 for consideration by the full House. That bill is the Cyber Vulnerability Disclosure Reporting Act (HR 3202), which would handle the reporting of cyber-vulnerabilities that are found by government investigators. The bill would require DHS to report on how such disclosures were handled and the results to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs committees within 240 days after the bill’s passage.
The bill addresses complaints by Microsoft and other companies about the hoarding of cyber-vulnerabilities by the government.
It was files of such vulnerabilities that were released by the hacking group ShadowBrokers last year that resulted in a series of ransomware attacks over the Past few months.
The bill would require agencies that are holding such vulnerabilities to report to Congress on how they’re handling the existing requirements to report them to the responsible companies so they can be fixed.
There’s a common thread to these bills. Each of them places limits on what the agencies of the Executive Branch of the U.S. government can do in their efforts to gather information on American citizens and U.S. companies. In addition, they bring the agencies of the Executive Branch into some sort of harmony with current technology and security practices.
Part of this is necessary, and is supported by the agencies involved. The structure of DHS needs to be changed by Congress, because it was created by Congress in the first place. The revisions put into place by HR 3359 are supported by DHS, which needs a more coordinated structure to allow it to operate efficiently.
But the bills also provide a legal framework that requires agencies that keep cyber-vulnerability data must prove that they’re sharing the information with companies that own the affected computer code as required by law. There have been claims by Microsoft and others that this wasn’t happening and recent cyber-attacks have demonstrated that to be the case.
In addition, the House and Senate are putting into place a means to stop Executive Branch agencies from finding ways to get around the Fourth Amendment, which is that part of the Bill of Rights that limits government’s power to search for information and seize property. This is a favorite target of government prosecutors who sometimes look upon the Constitution as a huge inconvenience.
If all three of these bills become law, then the agencies involved will have to follow the laws and the Constitution more specifically—in part because evidence gathered in a matter not allowed by the law can be suppressed in court.
The bills provide the means to control a whole range of secret government information gathering beyond the knowledge of the targets of the information searches.
This assumes that the legislation succeeds in eliminating the gag orders that have forced communications and data storage companies to remain silent while the government freely conducted warrantless searches and seizures. It also assumes that government prosecutors and intelligence agencies won’t think of some other way to ignore the Fourth Amendment.
Approval of these bills represents just one in a series of steps to reassert fourth amendment protections against unreasonable searches and seizures.
Assuming that the legislation is signed into law by the president in an increasingly dysfunctional White House, the hope is that it will rein in the worst abuses. But that’s not the same thing as stopping all of the abuses.