House bill would require warrants for data stored in the cloud

A U.S. House of Representatives committee has advanced a bill to give email and cloud-stored data new privacy protections from law enforcement searches.

The House Judiciary Committee on Wednesday voted 28-0 to approve an amended version of the Email Privacy Act, which would require law enforcement agencies to get court-ordered warrants to search email and other cloud-stored data that’s more than six months old.

Some privacy advocates and tech companies have been pushing Congress to update a 30-year-old law called the Electronic Communications Privacy Act (ECPA) for the last six years.

It’s time to reform ECPA, said Representative Bob Goodlatte, a Virginia Republican and committee chairman. The bill “reaffirms our committment to protect the privacy interests of the American people,” he said.

The bill, which now awaits action on the House floor, has 314 co-sponsors, more than three-quarters of the body’s members. It’s unclear, however, if the legislation can pass both the House and the Senate this year, because the legislative process often grinds to a halt in the final months before a national election.

Under U.S. law, police need warrants to get their hands on paper files in a suspect’s home or office and electronic files stored for less than 180 days. But under ECPA, police agencies need only a subpoena, not reviewed by a judge, to demand files stored in the cloud for longer than 180 days.

The legal distinction between recently created data and data stored for 180 days is “archaic and outdated,” said Representative Hakeem Jeffries, a New York Democrat.

The amended version of the bill, offered by Goodlatte and several other committee members, takes away some provisions in the original that raised objections by law enforcement groups. The amendment is a “carefully negotiated agreement” among lawmakers, law enforcement groups, and privacy advocates, Goodlatte said.

Under the amendment law enforcement agencies are no longer required to serve a warrant on the targeted criminal as well as the communications provider holding the data. The provider can still notify the targeted customer unless ordered by a judge not to do so. The amendment also would not require warrants for information that criminal suspects have shared widely.

The committee’s action follows months of debate about the FBI’s push to force Apple to help it unlock security measures of mobile phones in criminal and terrorism case. ECPA reform and the Apple unlocking cases address separate privacy questions — the FBI has sought warrants in the Apple cases — but the committee’s push to give computers users more privacy stands at odds to efforts by the FBI and other lawmakers to remove privacy protections and give law enforcement more tools.