The would update the 1986 ECPA by requiring that U.S. law enforcement agencies get court-ordered search warrants before accessing electronic data stored with third-party vendors, such as cloud providers.
Currently, the ECPA allows law enforcement agencies to gain access to unopened e-mails and files stored in the cloud for longer than 180 days through a subpoena, typically issued by a prosecutor, not a judge. The 180-day rule is "outdated," said Senator Patrick Leahy, a Vermont Democrat and sponsor of the new bill.
The 1986 law has been "out-paced by rapid changes in technology and the changing mission of our law enforcement agencies" since the Sept. 11, 2001, terrorist attacks on the U.S., Leahy, chairman of the Senate Judiciary Committee, said in a statement. "Under the current law, a single email could be subject to as many a four different levels of privacy protections, depending upon where it is stored and when it was sent."
The bill would also require that law enforcement agencies get court-approved warrants to access the geolocation information of a mobile phone subscriber. Under current U.S. law, it's unclear if mobile phone location information is protected by the warrant process.
The bill requires that law enforcement agencies notify suspects within three days that government agents have accessed their data, although it would allow law enforcement agencies to seek court orders delaying the notification for 90 days in sensitive situations. The legislation allows ISPs and other vendors to voluntarily disclose information that is pertinent to addressing a cyberattack to the government.