The Electronic Communications Privacy Act dates back to the ’80s and was written based on assumptions about how the internet works that are simply no longer true. It badly needs to be updated, and Senators Orrin Hatch and Chris Coons introduced legislation this week that would address one critical area of legal befuddlement: what happens when law enforcement wants to see data about a U.S. citizen for crimes inside our borders, but that data actually sits on servers located overseas?
In a speech introducing his measure, the International Communications Privacy Act, before the Senate, Hatch said:
If a person is a U.S. national, or is located in the United States, law enforcement may compel disclosure, regardless of where the data is stored, provided the data is accessible from a U.S. computer and law enforcement uses proper criminal process.
If a person is not a U.S. national, however, and is not located in the United States, then different rules apply. These rules are founded on three principles: respect, comity, and reciprocity.
The two biggest changes that the law makes are these: first, it requires law enforcement to get a warrant for data about U.S. citizens in more cases than they have to now. Second, it makes it clear that a warrant for a U.S. national’s data is valid even if a company has stored that data in some other country.
The legislation has been met with approval by most of the largest tech companies. Microsoft is among those tech giants that approve of it. In many ways, it was a legal battle between Microsoft and U.S. law enforcement that underscored the need to revisit these laws. Brad Smith, Microsoft’s president, wrote in a blog post, “For far too long, technology companies, law enforcement and, ultimately, the courts have been forced to choose between competing interpretations of an outdated statute. These conflicts of law put businesses in a no-win situation, putting American technology companies at a disadvantage.”
Microsoft also signed onto a general letter of support (PDF) alongside Apple, AT&T, Facebook, Google, Microsoft and Verizon. Several other tech organizations have also endorsed the measure, according to Hatch’s site.
A longstanding tech think tank, The Information Technology and Innovation Foundation, broadly supported the measure, while also suggesting that its fundamental change goes too far. “In particular, it should not attempt to exert extra-territorial authority over data as other nations will likely strike back with similar laws that create jurisdictional conflicts,” a statement from the organization read (this is the same group that argues U.S. broadband is great just like it is).
Civil liberties groups did not respond to a request for comment from the Observer. Hatch also introduced the legislation in the prior Congress.
It’s not the only measure out there attempting to update our outdated laws. Senators Mike Lee and Patrick Leahy have also introduced a related measure that would also make it clear that cops generally need a warrant to seek information stored on a third party server or even to use creepy hardware to track them down, such as devices that spoof cell towers to see who’s passing by. The Electronic Frontier Foundation has generally endorsed Lee and Leahy’s efforts.
The House of Representatives has twice approved legislation better protecting the privacy of email, but the Senate has never taken it up.