On October 12, 2013 Governor Brown of California announced his intention to veto S.B. 467, a bill that would have created a uniform warrant and rapid notice requirement for state law enforcement agencies that sought to access stored electronic communications. S.B. 467 would also have created a civil cause of action for noncompliance with the requirements of the statute. In his veto statement, Governor Brown noted “this bill…imposes new notice requirements that go beyond those required by federal law and could impede ongoing criminal investigations. I do not think that is wise.” Against the backdrop of a vigorous national debate on government access to electronic communications, Governor Brown’s veto is a powerful reminder that law enforcement agencies consider such surveillance tools to be critical to their mission.
S.B. 467 was written to update elements of the federal law governing law enforcement surveillance and interception of electronic data that aged poorly with the advent of cloud computing. The Electronic Communications Privacy Act of 1986 (ECPA) was written in an era where electronic communications were typically stored locally. The rapid adoption of cloud computing, in which data and communications are stored remotely, paired with slowly evolving jurisprudence, led to the development of widely criticized legal standards. For example, ECPA permits the government to access opened email over 180 days old that is stored in the cloud without a warrant, but requires a warrant to access unopened email.
Federal efforts to reform ECPA to apply a uniform warrant standard for communications stored in the cloud, led by Senator Leahy (D-VT), have been discussed in Washington for several years. However, reform efforts remain stalled among a broader legislative impasse. In 2010, the United States Court of Appeals for the Sixth Circuit held in United States v. Warshak that elements of ECPA were unconstitutional to the extent they permitted warrantless access to email. While not binding outside of the circuit, which encompasses Kentucky, Michigan, Ohio, and Tennessee, technology companies around the country relied on this case to require a warrant prior to granting access to stored communications. Governor Brown noted this trend in his veto message, stating “in the vast majority of cases, law enforcement agencies obtain a search warrant” to access communications.
However, there is considerable debate around the country about ECPA’s premise that communications stored remotely by third parties (in the cloud, for example) are entitled to lesser privacy protection. States have been spurred to action by the lack of federal movement on the issue and growing grassroots calls for protection against government surveillance post-Snowden. In June 2013, Texas Governor Rick Perry signed H.B. 2268, a bill substantially similar to California’s S.B. 467, into law. As passed by the legislature, S.B. 467 would have set forth:
- A requirement that state governmental entities obtain a valid search warrant (in accordance with established warrant procedures) to obtain the contents of a wire or electronic communication from a provider of electronic communications services or remote computing services.
- A requirement that within three days of the government’s receipt of the duly requested content, the subscriber/user/customer whose data was requested must be served with a copy of the warrant and notice.
- A prohibition on a provider of electronic communication services or remote computing services from knowingly divulging the contents of a communication that is stored or maintained by that service provider without consent.
- A civil cause of action against any violator of the statute that may be brought by the aggrieved party.
S.B. 467, which enjoyed support from privacy and civil liberties groups, was opposed by law enforcement, including the California Police Chiefs Association and the California District Attorneys Association. While the bill would not have impacted federal law enforcement, the takeaway for companies that offer services that may be covered by ECPA is that even post-Snowden, there is not a consensus on the balance between privacy and security on an issue as simple as government access to cloud-based email. S.B. 467 is mostly similar to H.B. 2268, which updated Texas's Code of Criminal Procedure Article 18 to remove the 180-day rule for obtaining a warrant and replaced it with a general warrant requirement for Texas law enforcement access to any electronic customer data stored inside or outside the state by a service provider, regardless of the data’s age or whether particular communications have been opened, and to provide service providers with a four to thirty day window in which to comply with law enforcement requests. Like S.B. 467, the government must notify individuals within three days of the government’s receipt of the requested content. Texans also have a private right of action for violations of Article 18, but only in limited contexts that do not include instances where a service provider complies with law enforcement requests. The Texas law currently provides the strongest statutory email privacy protections in the United States.
Federal efforts to modernize ECPA in line with current privacy expectations, and the advent of cloud computing and web-based email, have been spearheaded by Senators Leahy and Lee. This bipartisan effort, supported by an industry/NGO group known as the “Digital Due Process Coalition,” is still underway in Washington. In March 2013, Senators Leahy and Lee introduced a bill, the Electronic Communications Privacy Act (ECPA) Amendments Act of 2013 (S. 607), that would amend ECPA to require government officials to obtain a warrant (except in emergencies) in order to require online service providers to disclose the private communications of their users, eliminating the 180 day rule and explicitly applying to cloud computing. The Leahy-Lee bill also requires that law enforcement notify individuals within 10 business days following the government’s receipt of the individual’s information. The Leahy-Lee bill was reported to the full Senate, where it awaits a vote, on April 25, 2013.