New federal legislation could restrict the use of warrantless searches to seize personal data and communications stored on the nation’s computers
Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) have introduced the Senate version of a bill to modernize the Electronic Communications Privacy Act.
The new bill, which would modernize the original ECPA to require warrants for access to electronic communications such as email, also adds a requirement for a warrant for location information. The original House bill, the Email Privacy Act, did not cover location information.
The bill, which if passed, would need to go to a conference committee for reconciliation. While the bill appears to have broad bipartisan support, it still needs to go the relevant committees before it will be considered by the full Senate.
In its current version, the Senate bill would reform the use of gag orders by requiring that the court issuing the warrant have a “reason to believe” that notice of the warrant by the subject would have an adverse effect based on “specific and articulatable facts.”
The bill also allows for suppression of evidence in cases where the information was obtained in violation of the ECPA. The same fact-based requirement would be put into place for pen register/tap and trace actions, but would also require that the data not only be relevant, but also material.
The bill would allow subpoenas calling on companies to hand over information where the data is held by a third party. In an important change, the warrant would be required for all data regardless of age. The old and confusing standard of allowing some data older than six months to be obtained without a warrant would be eliminated.
Meanwhile, over at the House of Representatives, two bills have made it out of committee and are set to be considered by the full House. One, the Cybersecurity and Infrastructure Security Agency Act of 2017 (HR 3359), would reform the structure of part of the Department of Homeland Security to create an operational directorate to manage the department’s actions regarding critical infrastructure, cyber-security and physical security, including emergency communications.
The agency would be headed by a director who would report to the Secretary of Homeland Security, a cabinet-level post, rather than the undersecretary that handles such functions now. If this bill becomes law, it would consolidate the DHS Cyber Operations Division, the sharing of cyber-threat information and the protection of federal networks.
A second companion bill was voted out of committee July 27 for consideration by the full House. That bill is the Cyber Vulnerability Disclosure Reporting Act (HR 3202), which would handle the reporting of cyber-vulnerabilities that are found by government investigators. The bill would require DHS to report on how such disclosures were handled and the results to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs committees within 240 days after the bill’s passage.
The bill addresses complaints by Microsoft and other companies about the hoarding of cyber-vulnerabilities by the government.
It was files of such vulnerabilities that were released by the hacking group ShadowBrokers last year that resulted in a series of ransomware attacks over the Past few months.
The bill would require agencies that are holding such vulnerabilities to report to Congress on how they’re handling the existing requirements to report them to the responsible companies so they can be fixed.