Calendar No. 66
113th Congress Report
SENATE
1st Session 113-34
======================================================================
ELECTRONIC COMMUNICATIONS PRIVACY ACT AMENDMENTS ACT OF 2013
_______
May 16, 2013.--Ordered to be printed
_______
Mr. Leahy, from the Committee on the Judiciary,
submitted the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany S. 607]
[Including cost estimate of the Congressional Budget Office]
The Committee on the Judiciary, to which was referred the
bill (S. 607), a bill to improve the provisions relating to the
privacy of electronic communications, having considered the
same, reports favorably thereon, with an amendment, and
recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Background and Purpose of the Electronic Communications Privacy
Act Amendments Act of 2013.......................................2
II. History of the Bill and Committee Consideration..................7
III. Section-by-Section Summary of the Bill...........................8
IV. Congressional Budget Office Cost Estimate.......................10
V. Regulatory Impact Evaluation....................................11
VI. Conclusion......................................................11
VII. Additional Views of Senators Grassley and Sessions..............12
VIII.Changes to Existing Law Made by the Bill, as Reported...........20
I. Background and Purpose of the Electronic Communications Privacy Act
Amendments Act of 2013
A. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT AMENDMENTS
The Electronic Communications Privacy Act (``ECPA'')
amended the Omnibus Crime Control and Safe Streets Act to
protect against the unauthorized interception of electronic
communications. When Senator Leahy introduced ECPA with Senator
Mathias on June 19, 1986, he said: ``The Electronic
Communications Privacy Act provides standards by which law
enforcement agencies may obtain access to both electronic
communications and the records of an electronic communications
system. These provisions are designed to protect legitimate law
enforcement needs while minimizing intrusions on the privacy of
system users as well as the business needs of electronic
communications system providers.''\1\ For almost three decades,
ECPA has been the premier privacy law protecting Americans from
unauthorized Government intrusions into their private
electronic communications.
---------------------------------------------------------------------------
\1\See Cong. Rec., June 19, 1986 at page S7993.
---------------------------------------------------------------------------
The Electronic Communications Privacy Act requires that the
Government obtain a court order, based upon probable cause, in
order to intercept wireless and data communications. The law
also requires that the Government obtain a search warrant in
order to compel a third-party service provider to disclose the
content of email, or other electronic communications, that the
provider maintains in electronic storage. However, this search
warrant requirement for email applies only if the email is 180
days old or less. Under ECPA, an email is presumed to be
abandoned after 180 days and the law allows the Government to
compel the disclosure of older email with either a subpoena or
a court order that is issued upon a finding that there are
specific and articulable facts demonstrating that the
information sought is relevant to a criminal investigation. The
ECPA also allows the Government to use a subpoena or court
order to compel disclosure of documents--regardless of their
age--that a user stores in the Internet ``cloud.''\2\
---------------------------------------------------------------------------
\2\See 18 U.S.C. Sec. 2703(d).
---------------------------------------------------------------------------
At the time that Congress enacted ECPA more than 25 years
ago, Congress assumed that most Americans would periodically
access their email accounts and download any emails that they
wished to read, and that third-party service providers would
subsequently delete any email stored on their servers. In fact,
Congress believed that the most extended period of time that a
service provider might store an email would be for six months.
After almost three decades, new technologies--such as the
Internet, social networking sites and cloud computing--have
changed how Americans use and store email today. Storing
documents and other information electronically has become much
less expensive and mobile technologies permit users to access
stored documents wherever the user chooses to access the
Internet. The digital privacy protections that the Congress put
in place by enacting ECPA have not kept pace with these
changes.
In March 2010, a diverse coalition of privacy and civil
liberties advocates, major technology companies, think tanks,
and academics wrote to Chairman Leahy to urge the Committee to
begin work on reforming the Electronic Communications Privacy
Act to reflect the realities of the digital age. The aptly
named ``Digital Due Process'' coalition argued that ECPA has
been out-paced by changes in technology and the growth of email
as a primary means of communicating. The Committee held the
first of several hearings and briefings on ECPA reform in
September 2010.
On January 11, 2011, Chairman Leahy announced that his
legislative agenda for the 112th Congress would include
legislation to update the Electronic Communications Privacy Act
to better protect Americans' digital privacy. In April 2011,
the Committee held a second hearing on ECPA reform effort that
focused specifically on the perspectives of the Departments of
Justice and Commerce on proposed updates to the law.\3\ On May
11, 2011, Chairman Leahy introduced the Electronic
Communications Privacy Act Amendments Act of 2011, S.1011,
legislation that would, among other things, update ECPA to
require a search warrant for the Government to access the
contents of any email obtained from a third-party service
provider. On September 20, 2012, Chairman Leahy offered this
portion of his ECPA reform bill as an amendment in the nature
of a substitute to H.R. 2471. The Committee favorably reported
this legislation on November 29, 2012.
---------------------------------------------------------------------------
\3\Although the Obama administration did not take an official
position on the legislative proposals to update ECPA, the Committee
received technical comments and feedback on these proposals from the
Departments of Justice and Commerce and other affected Federal
agencies.
---------------------------------------------------------------------------
Reform of the Electronic Communications Privacy Act
remained a top legislative priority for the Committee during
the 113th Congress. On March 18, 2013, Chairman Leahy and
Senator Mike Lee introduced the Electronic Communications
Privacy Act Amendments Act of 2013, S. 607. The legislation
establishes a uniform search warrant requirement for the
Government to compel the disclosure of all email content when
email is stored with a third-party service provider. This
bipartisan privacy legislation seeks to carefully balance the
privacy expectations of American citizens, the legitimate needs
of law enforcement agencies and the interests of the American
technology sector. The legislation is substantially identical
to ECPA reform proposal the Senate Judiciary Committee
favorably reported in November 2012.
The Committee recognizes that most Americans regularly use
email in their professional and personal lives for confidential
communications of a business or personal nature. The Committee
also recognizes that there is growing uncertainty about the
constitutionality of the provisions in ECPA that allow the
Government to obtain certain email content without a search
warrant.\4\ The absence of a clear legal standard for access to
electronic communications content not only endangers privacy
rights, but also endangers the admissibility of evidence in
criminal and other legal proceedings. Accordingly, the
Committee has determined that the law must be updated to keep
pace with the advances in technology in order to ensure the
continued vitality of the Fourth Amendment protections for
email and other electronic communications content.
---------------------------------------------------------------------------
\4\In 2010, the United States Court of Appeals for the Sixth
Circuit held that use of a subpoena or court order under section 2703
of ECPA to obtain the contents of emails violated the Fourth
Amendment's prohibition against warrantless searches. See United States
v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010).
---------------------------------------------------------------------------
The reforms in the bill will better safeguard the privacy
of email and other electronic communications while allowing law
enforcement to carry out its important mission. The bill
contains several important provisions to ensure that the
reforms to ECPA do not hinder law enforcement. First, the bill
preserves the exceptions to the warrant requirement under
existing law. For example under current law, the Government
does not need a warrant in an emergency situation involving
danger of death or serious physical injury, or when a crime is
being committed.\5\ Second, to protect the integrity of ongoing
investigations, the bill adds a new notice requirement to the
law that requires service providers to notify the Government of
their intent to inform a customer about a disclosure of
electronic communications information at least three business
days before giving such notice.
---------------------------------------------------------------------------
\5\See 18 U.S.C. 2702(b).
---------------------------------------------------------------------------
In addition, the bill does not alter the legal authorities
that the Government currently uses to obtain electronic
communications content in national security matters.
Specifically, the bill provides that the search warrant
requirement does not apply to other Federal criminal or
national security laws, including Title III of the Omnibus
Crime Control and Safe Streets Act of 1986 (commonly known as
the ``Wiretap Act'') and the Foreign Intelligence Surveillance
Act of 1978 (commonly known as ``FISA'')). The Committee does
not intend for the bill to alter other existing statutory
authorities pursuant to which the Federal Government collects
electronic communications and related information, including
surveillance and other intelligence authorities. Accordingly,
the bill does not preclude any other legal authorities that
permit the acquisition by the United States Government of the
contents of wire or electronic communications, or other records
or information of a subscriber or customer of any electronic
communications service or remote computing service, pursuant to
other lawful authorities, including in Title 18 (e.g., chapters
119, 121 or 206), Title 50 (e.g., the Foreign Intelligence
Surveillance Act of 1978, as amended), or any other provision
of Federal law.
The bill also includes several provisions to help civil
enforcement agencies, such as the Federal Trade Commission and
the Securities and Exchange Commission, investigate corporate
wrongdoing and protect consumers. Section 3 of the bill adds
civil discovery subpoenas to the existing tools that the
Government may use to obtain non-content information under
ECPA. Section 3 of the bill also makes clear that the
Government may employ administrative, civil discovery and grand
jury subpoena to obtain corporate email and other electronic
communications directly from a corporate entity, when such
communications are contained on an internal email system.
In addition, the bill preserves the legal tools in existing
law for civil enforcement agencies to obtain electronic
communications information. For example, the bill preserves the
ability for civil enforcement agencies to issue subpoenas to a
service provider to compel the disclosure of email account
information (i.e. non-content information). The bill also
preserves the ability of such agencies to compel the target of
a civil enforcement investigation to produce electronic
communications content information to the Government, including
electronic communications content information that is stored
with a third party service provider. Lastly, to address
concerns about the potential destruction of evidence, the bill
preserves the tools in current law that allow the Government,
including civil enforcement agencies, to require a service
provider to preserve any evidence in its possession to included
stored email content.\6\
---------------------------------------------------------------------------
\6\See 18 U.S.C. 2703(f).
---------------------------------------------------------------------------
The objections to the bill raised in the additional view
are misguided and belied by a plain reading of the bill and
current law. First, the additional views incorrectly suggest
that the bill may adversely impact criminal investigations. As
discussed above, current law provides numerous exceptions to
the warrant requirement in ECPA to accommodate emergencies,
child exploitation matters and other criminal activity.\7\ The
bill preserves all of these exceptions. The additional views
also acknowledge that the well-established exigent
circumstances exception to the warrant requirement provides a
separate legal ground for the Government to obtain electronic
communications information without a warrant in time sensitive
situations.\8\ The authors provide no support to substantiate
their claim that these longstanding authorities are inadequate.
---------------------------------------------------------------------------
\7\See 18 U.S.C. 2702(b)(6), (7) and (8).
\8\See, e.g., Kentucky v. King, 563 U.S.___ (2011) (exception to
warrant requirement applies when the exigencies of the situation make
the needs of law enforcement so compelling that a warrantless search is
objectively reasonable under the Fourth Amendment.)
---------------------------------------------------------------------------
The additional views also incorrectly suggest that the bill
would adversely impact the important work of the Securities
Exchange Commission and other civil enforcement agencies. As
discussed above, under current law, civil enforcement agencies
can use subpoenas to among other things--(1) compel the
disclosure of stored communications from the targets of their
investigations, (2) obtain crucial customer records from
service providers and (3) require third-party service providers
to preserve any electronic communications information sought by
the Government. Contrary to the assertion in the additional
views, the bill does not eliminate administrative subpoenas. In
fact, the bill augments the subpoena authority of civil
agencies by permitting these agencies, for the first time, to
use civil discovery subpoenas to obtain records under ECPA.
Moreover, creating a broad statutory exception to the warrant
requirement for civil enforcement matters would eviscerate the
important privacy protections in the bill and in current law.
Such an exception would apply to all kinds of civil agencies at
the Federal, State and local level, including the Internal
Revenues Service. Such an exception could also circumvent the
warrant requirement in the bill, by permitting the Government
to use information obtained under the civil exception in a
related criminal matter. The Securities and Exchange Commission
and numerous other civil enforcement agencies have successfully
performed their duties by relying upon the civil tools already
in the law to acquire stored email content for decades, while
complying with the existing warrant requirement in the law for
emails that are less than 180 days old. There is no reason to
believe that this would not continue to be the case with a
uniform warrant requirement for all electronic communications
content.\9\
---------------------------------------------------------------------------
\9\To the extent that the Securities and Exchange Commission
requires additional legal authorities to compel the disclosure of
information, such authorities should be considered when Congress
reviews the laws enacted to govern how that agency investigates and
enforces civil regulatory matters. See, e.g., Section 19(c) of the
Securities Act of 1934 (15 U.S.C. 77(a), et seq.); Section 21(b) of the
Securities and Exchange Act (15 U.S.C. 78a, et seq.); Section 209(b) of
the Investment Advisers Act (15 U.S.C. 80b-1, et seq.); and Section
42(b) of the Investment Company Act (15 U.S.C 80a-1, et seq.).
---------------------------------------------------------------------------
Lastly, the additional reviews raise the prospect of adding
a statutory time limit to the bill. There is universal
agreement on the Committee that service providers should
provide timely responses to requests from law enforcement when
proper legal process has been obtained. The Committee believes
that the courts, which have familiarity with the specific facts
and circumstances of particular investigation, are in the best
position to address such timeliness issues.\10\ Therefore, the
bill appropriately recognizes the long-standing practice of
leaving such case-by-case decisions to the courts.\11\
---------------------------------------------------------------------------
\10\A statutory time limit imposed by Congress could be very
harmful to law enforcement, because such a requirement could cause
communications service providers make disclosures to the Government
based upon a ``first come, first served'' basis, without regards to the
specific facts and needs of law enforcement in particular case.
\11\The additional views also propose that the Committee examine
other reforms to ECPA, including clarifying the legal standard for law
enforcement to access geolocation information. In May 2011, Chairman
Leahy introduced legislation to update ECPA to address geolocation
information and other electronic privacy issues. The Committee held two
hearings on these forms and the Committee will continue to work on
these issues.
---------------------------------------------------------------------------
The carefully balanced ECPA reforms in the bill have
bipartisan support on the Committee, as well as the support of
a broad coalition of more than 100 privacy, civil liberties,
civil rights and technology organizations from across the
political spectrum. The organizations and individuals below
support the principles embodied in the legislation:
Technology Industry and Trade Associations: Adobe, AOL, the
Chamber of Commerce, eBay, Facebook, IBM, LinkedIn, Microsoft,
Symantec, Verizon, Business Software Alliance, Computer and
Communications Industry Association, Newspaper Association of
America, Software & Information Industry Alliance, and
TechAmerica.
Privacy, civil liberties and civil rights communities:
American Civil Liberties Union, Americans for Tax Reform,
American Library Association, Center for Constitutional Rights,
Center for Democracy & Technology, Competitive Enterprise
Institute, The Constitution Project, Electronic Frontier
Foundation, the Heritage Foundation, The Leadership Conference
on Civil and Human Rights, Liberty Coalition, Mexican American
Legal Defense and Educational Fund, Muslim Legal Fund of
America, NAACP, National Association of Criminal Defense
Lawyers, National Hispanic Media Coalition, National Urban
League, and TechFreedom.
Law Enforcement Community: William K. Sessions, Former
Director of the Federal Bureau of Investigation (1987-1993);
Zachary W. Carter, U.S. Attorney, Eastern District of New York
(1993-1999); W. Thomas Dillard, Assistant U.S. Attorney,
Eastern District of Tennessee (1967-1976, 1978-1983), U.S.
Attorney, Northern District of Florida (1983-1986); Saul A.
Green, U.S. Attorney, Eastern District of Michigan (1994-2001);
Rodger A. Heaton, U.S. Attorney, Central District of Illinois
(2005-2009); A. Melvin McDonald, U.S. Attorney, District of
Arizona (1981-1985); Jerome F. O'Neill, U.S. Attorney, District
of Vermont (1981), First Assistant U.S. Attorney, District of
Vermont (1975-1981); Stephen M. Orlofsky, U.S. District Judge,
District of New Jersey (1996-2003); U.S. Magistrate Judge,
District of New Jersey (1976-1980); and Ron Woods, U.S.
Attorney, Southern District of Texas (1990-1993).
II. History of the Bill and Committee Consideration
A. INTRODUCTION OF THE BILL
On March 18, 2013, Senators Leahy and Lee introduced S.
607--the Electronic Communications Privacy Act Amendments Act
of 2013.
B. COMMITTEE CONSIDERATION
Chairman Leahy placed S. 607 on the Committee's executive
business agenda on April 18, 2013. The Committee considered and
favorably reported this legislation on April 25, 2013.
The Committee has held two hearings related to S. 607. On
September 22, 2010, the Judiciary Committee held a hearing
entitled, ``The Electronic Communications Privacy Act:
Promoting Security and Protecting Privacy in the Digital Age.''
The hearing examined several gaps in this digital privacy law
that have resulted from changes in technology. The witnesses
for this hearing were: Cameron F. Kerry, General Counsel,
United States Department of Commerce; James A. Baker, Associate
Deputy Attorney General, United States Department of Justice;
James X. Dempsey, Vice President for Public Policy, Center for
Democracy and Technology; Brad Smith, General Counsel and
Senior Vice President, Legal and Corporate Affairs, Microsoft
Corporation; and Jamil N. Jaffer, Attorney, Washington, D.C.
During this hearing, Senator Leahy called for Congress to work
on bipartisan legislation to update ECPA to meet the privacy
demands of the digital age.
On April 6, 2011, the Judiciary Committee held a hearing
entitled, ``The Electronic Communications Privacy Act:
Government Perspectives on Privacy in the Digital Age.'' This
hearing examined potential updates to the Electronic
Communications Privacy Act to address inconsistencies in that
law, changes in technology, and new threats to privacy and
cybersecurity. The witnesses for this hearing were: Cameron
Kerry, General Counsel, United States Department of Commerce,
and James Baker, Associate Deputy Attorney General, United
States Department of Justice.
In addition, on November 29, 2012, the Committee considered
and favorably reported legislation substantially similar to S.
607 as part of H.R. 2471, the Video Privacy Protection Act
Amendments Act of 2012.
On April 25, 2013, the Senate Judiciary Committee favorably
reported S. 607 with the following two amendments:
First, Chairman Leahy offered a technical amendment to the
bill to make technical corrections to the rule of construction
language in the bill at the request of the Department of
Justice. The changes further clarify that the bill does not
apply to, or alter, any other Federal criminal or national
security laws that authorize the United States Government to
collect, or acquire, wire or electronic communications--or
related records--including the surveillance and other
intelligence authorities contained in the Wiretap Act (Chapter
119 of Title 18) and the Foreign Intelligence Surveillance Act
of 1978 (50 U.S.C. 1801, et seq.). The Committee unanimously
adopted the amendment by voice vote.
Second, Senator Grassley offered an amendment to require
that the Comptroller General of the United States conduct a
study and report to Congress by September 30, 2015 on how ECPA
is currently being applied, including the extent to which law
enforcement is relying upon section 2703 of ECPA to obtain
information in criminal matters, and how the law will be
affected by the new warrant requirement in the bill. The
Committee unanimously adopted the amendment by voice vote.
The Committee then voted to report the Electronic
Communications Privacy Act Amendments Act of 2013, as amended,
favorably to the Senate by voice vote.
III. Section-by-Section Summary of the Bill
The Leahy-Lee Electronic Communications Privacy Act
Amendments Act would update the privacy protections for
Americans' email and other electronic communications for the
digital age. The Electronic Communications Privacy Act (ECPA)
is one of the nation's premier digital privacy laws. After
three decades, ECPA has become outdated by vast technological
advances and changing law enforcement missions since the law's
initial enactment. The bill would update this law to improve
the privacy protections for electronic communications
information that is stored or maintained by third-party service
providers. The bill maintains the careful balance that Congress
struck when it first enacted the law--to continue to protect
and promote consumer privacy interests, law enforcement needs,
and American innovation in the digital age.
Section 1. Short title
This section designates the Act as the Electronic
Communications Privacy Act Amendments Act of 2013.
Section 2. Confidentiality of electronic communications
Section 2 amends Title 18, United States Code, Section 2702
(the Electronic Communications Privacy Act or ``ECPA'') to
prohibit an electronic communications or remote computing
service provider from voluntarily disclosing the contents of
its customers' email or other electronic communications to the
Government. There are limited exceptions to this prohibition
under current law, including customer consent and disclosure to
law enforcement to address criminal activity.
Section 3. Elimination of 180-day rule; Search warrant requirement for
content; Required disclosure of customer records
Section 3 amends ECPA so that the disclosure of the content
of email and other electronic communications by an electronic
communications or remote computing service provider to the
Government is subject to one clear legal standard--a search
warrant issued based on a showing of probable cause. The
provision eliminates the confusing and outdated ``180-day''
rule that calls for different legal standards for the
Government to obtain email content, depending upon the email's
age and whether the email has been opened. The provision also
requires that the Government notify the individual whose
account was disclosed, and provide that individual with a copy
of the search warrant and other details about the information
obtained. Such notice must be provided within ten business days
for a law enforcement agency, and three business days for other
agencies, of a Government entity's receipt of the
communications unless the notice is delayed pursuant to Section
4 of the bill.
Section 3 also reaffirms current law to clarify that the
Government may use an administrative or grand jury subpoena in
order to obtain certain kinds of electronic communication
records from a service provider, including customer name,
address, session time records, length of service information,
subscriber number and temporarily assigned network address, and
means and source of payment information. At the request of the
Department of Justice and the Federal Trade Commission, Section
3 also contains a provision that adds civil discovery subpoenas
to the types of subpoenas that may be used under existing law
(administrative subpoena authorized by Federal or State law,
Federal or State grand jury subpoena and trial subpoena) to
obtain routing and other non-content information from a third-
party provider.
Lastly, the section contains a rule of construction
regarding Government access to internal corporate email that
makes clear that nothing in the bill precludes the Government
from using a subpoena to obtain email and other electronic
communications content obtained from an intended recipient or
original sender, or to obtain such communications directly from
a company when the communications are to or from an officer,
agent or employee of a company and the company is acting as an
electronic communications service provider for its own internal
email system.
Section 4. Delayed notice
Section 4 amends section 2705 of ECPA to provide that the
Government may seek a court order to delay notifying an
individual of the fact that the Government has accessed the
contents of the individual's electronic communications for up
to 180 days if the requesting Government entity is a law
enforcement agency, and for up to 90 days if the requesting
Government entity is a civil or administrative enforcement
agency. A court may extend the delay periods for a period of up
to an additional 180 or 90 days at a time, respectively.
Section 4 also establishes a time limit on the period that
the Government could preclude a service provider from informing
its customer about the disclosure of electronic communications
information to the Government. If the Government entity is a
civil or administrative enforcement agency, the applicable time
period for preclusion of notice is 90 days. The time period for
preclusion may extend up to 180 days if the requesting
Government entity is a law enforcement agency. These time
periods may also be extended by a court for up to an additional
90 or 180 days at a time, respectively.
Lastly, Section 4 requires that service providers notify
the Government of their intent to inform a customer or
subscriber of the fact that the provider has disclosed the
individual's electronic communications information to the
Government at least three business days before the provider
gives such notice to the customer or subscriber. The purpose of
this provision is to ensure that the Government has an
opportunity to protect the integrity of its investigation and,
if warranted, to ask a court to delay the notification, before
such notice is given.
Section 5. Evaluation by the Government Accountability Office
Section 5 requires that the Comptroller General of the
United States submit a report to Congress by September 30,
2015, that evaluates, among other things, during the five years
prior to the effective date of the amendments in the bill--(1)
how often law enforcement relied upon section 2703 of ECPA to
requests electronic communications content information; (2) the
average length of time needed for service providers to comply
with such requests; (3) the number of times a warrant was used
for such requests; and (4) the number of times law enforcement
requested delayed notification pursuant to section 2705 of
ECPA. Section 5 also requires that the Comptroller General--(1)
the effects of the new warrant requirement contained in the
bill on the courts; (2) conduct a survey to determine the
average length of time required to respond to requests for
information; and (3) determine whether the new warrant
requirement in the bill resulted in an increase in the use of
the emergency exception to the warrant requirement in section
2702(b)(8) of ECPA.
Section 6. Rule of construction
Section 6 provides that the search warrant requirement for
electronic communications content contained in Section 3 of the
bill does not apply to any other Federal criminal or national
security laws, including Title III of the Omnibus Crime Control
and Safe Streets Act of 1986 (commonly known as the ``Wiretap
Act'') and the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801, et seq. (commonly known as ``FISA'')).
IV. Congressional Budget Office Cost Estimate
The Committee sets forth, with respect to the bill, S. 607,
the following estimate and comparison prepared by the Director
of the Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974:
May 16, 2013.
Hon. Patrick J. Leahy,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 607, the Electronic
Communications Privacy Act Amendments Act of 2013.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Mark
Grabowicz.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 607--Electronic Communications Privacy Act Amendments of 2013
S. 607 would amend the Electronic Communications Privacy
Act of 1986 (Public Law 99-508) to make several changes to the
current laws relating to the privacy of personal electronic
communications. The bill also would require the Government
Accountability Office (GAO) to prepare a report, by the end of
fiscal year 2015, on service providers' disclosure of customer
communications to law enforcement agencies.
Based on the cost of similar activities, CBO estimates that
it would cost $1 million to $2 million from appropriated funds
over the 2014-2015 period for GAO to prepare the report
required by the bill. CBO estimates that other provisions of
the bill would have no significant cost to the federal
government. Enacting the legislation would not affect direct
spending or revenues; therefore, pay-as-you-go procedures do
not apply.
S. 607 would impose intergovernmental mandates, as defined
in the Unfunded Mandates Reform Act (UMRA), by changing the
procedures that governmental agencies must follow when they
obtain electronic communications. Because the changes would
result in minimal additional spending, CBO estimates that the
costs of the intergovernmental mandates would be small and
would not exceed the threshold established in UMRA ($75 million
in 2013, adjusted annually for inflation).
S. 607 also would impose a private-sector mandate by
requiring providers of electronic communications and remote
computing services to inform the government before they notify
a customer or subscriber that they have disclosed information
to the government. Based on information from industry sources,
CBO estimates that the cost of the mandate would fall well
below the annual threshold established in UMRA for private-
sector mandates ($150 million in 2013, adjusted annually for
inflation).
The CBO staff contacts for this estimate are Mark Grabowicz
and Matthew Pickford (for federal costs), Elizabeth Cove
Delisle (for the impact on state, local, and tribal
governments), and Marin Burnett (for the impact on the private
sector). The estimate was approved by Theresa Gullo, Deputy
Assistant Director for Budget Analysis.
V. Regulatory Impact Evaluation
In compliance with rule XXVI of the Standing Rules of the
Senate, the Committee finds that no significant regulatory
impact will result from the enactment of S. 607.
VI. Conclusion
The bill, as amended, S. 607, provides greatly needed
updates to our Federal digital privacy laws. The bill carefully
balances the need to protect Americans' privacy rights in
cyberspace, with the legitimate needs of law enforcement and
the interests of the American technology sector. Given the many
advances in technology and new threats to privacy, the passage
and enactment of these important privacy updates is long
overdue.
VII. Additional Views
----------
ADDITIONAL VIEWS FROM SENATORS GRASSLEY AND SESSIONS
Amendments to the Electronic Communications Privacy Act Are Necessary
but Should Also Address the Impact on Law Enforcement, the Courts, and
Civil Regulatory Agencies
In the 112th Congress, we voted to report virtually the
same version of this bill because we believe that the
Electronic Communications Privacy Act of 1986 (``ECPA'') needs
to be updated to match advances in technology. However, we also
stated that the bill needed work to better protect email
privacy without hampering law enforcement agencies' ability to
obtain information in order to investigate serious crimes, as
well as civil regulatory agencies' ability to investigate
wrongdoing. We expressed concern that the bill did not strike
the proper balance, but it was the start of an important
discussion. We believe that these changes are important to
continue the carefully crafted balance between protecting
privacy and providing needed tools to law enforcement.
We find ourselves in the same position in this Congress. We
reiterate that the Committee should work to ensure that this
balance is continued as we update ECPA for decades to come.
First, the Committee should consider whether a more
comprehensive approach to updating the laws involving
electronic communications and data is warranted. This would
include looking to advances in technology for location
information in addition to the content of communications. It
would also assist in addressing the concerns that have been
raised by the law enforcement, technology, and privacy
communities. Second, the bill should address the ability of law
enforcement to obtain access to critical evidence, especially
in time-sensitive emergency cases. Third, and finally, more
consideration is needed with regard to the bill's removal of a
valuable tool from civil regulatory agencies, which rely on
administrative subpoenas to obtain email communications when
investigating insider trading, accounting fraud, and false or
misleading statements made by companies about their financial
situations.
We appreciate that members on the Committee share these
concerns and spoke up at the Committee mark-up to highlight the
need for modifications to the current bill. Additionally, we
welcome the views of the well-respected Chairwoman of the
Securities and Exchange Commission, Mary Jo White. While we
support the goal of harmonizing and updating ECPA, failure to
address these important issues and strike the proper balance
will be detrimental to not just the law enforcement and civil
regulatory agencies seeking to obtain necessary information,
but to the American people, businesses, and the court system
and may require future action from Congress to update other
parts of ECPA.
Current law
ECPA was enacted in 1986 as a result of advancements in
wireless communication technology and was designed to provide
modern rules for government access to electronic communications
and related data. It was designed to balance the public's
privacy interests with law enforcement's need to access
electronic communication information for investigative
purposes.\1\
---------------------------------------------------------------------------
\1\S. Rep. No. 99-541, pt. 3, at 5 (1986) (noting that, when ECPA
was first adopted, the Senate Judiciary Committee believed that it
``represent[ed] a fair balance between the privacy expectations of
American citizens and the legitimate needs of law enforcement
agencies'').
---------------------------------------------------------------------------
ECPA created a spectrum of legal standards depending on the
level of privacy interest in the information sought by the
government. For example, under current law, a government entity
may require a provider of electronic communication services to
disclose the contents of a wire or electronic communication
that is in electronic storage for 180 days or less pursuant to
a criminal search warrant.\2\ For communications stored with a
third party for more than 180 days, however, the statute
authorizes a lower legal burden.\3\ A government entity can
require a provider of electronic communication services to
disclose the contents of the communications either by search
warrant (without notice to the subscriber or customer), or by
administrative, grand jury, or trial subpoena, or a Section
2703(d) court order if notice is first provided to the
subscriber or customer.\4\ The basis for the ``180 day rule''
has been that if the emails are stored by a third party service
provider for more than six months, one's expectation of privacy
in the content of these communications diminishes, and these
records are therefore treated more akin to third party business
records than real-time communications. As a result, law
enforcement investigators have been able to use quicker and
more efficient methods of legal process (i.e., subpoena or
2703(d) order) to obtain the content contained in these older
emails and related records.\5\
---------------------------------------------------------------------------
\2\18 U.S.C. Sec. 2703(a) (2006).
\3\18 U.S.C. Sec. 2703(a) (2006).
\4\18 U.S.C. Sec. 2703(b) (2006).
\5\On March 19, 2013, while testifying before the House Judiciary
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations, Acting Assistant Attorney General Elana Tyrangiel
testified that the Department of Justice no longer supports
differentiating between emails kept in storage for less than 180 days
and emails stored for over 180 days. She did not indicate, however,
whether the Department had solicited input from the thousands of state
and local law enforcement professionals on the front lines prior to
offering a view that could adversely impact the course of their
investigations.
---------------------------------------------------------------------------
The ability to use a subpoena or a court order has allowed
law enforcement officials to gather older email content
information quickly in cases where time is of the essence and
probable cause may not yet have been developed. However, under
the bill criminal investigators would not be able to obtain
email information in criminal investigations until they have
developed probable cause and could obtain a search warrant.
Additionally, these same tools have permitted federal
regulatory agencies like the Securities and Exchange
Commission, the Food and Drug Administration, the Consumer
Product Safety Commission, and the Federal Trade Commission,
etc., to gather important information by administrative
subpoenas and carry out their enforcement responsibilities over
important industries. But this bill eliminates these
administrative subpoenas. Therefore, since civil investigators
have no criminal search warrant authority, they would no longer
be able to obtain the contents of emails unless a target of an
investigation or a charged defendant graciously provides the
incriminating email containing the ``smoking gun.'' Civil
regulators would then have no ability to compel the disclosure
of email content from third party Internet service providers.
As a result, the bill raises concerns over civil regulatory
agencies' ability to even undertake the types of investigations
Congress has authorized and empowered them to undertake.
ECPA reform requires a more comprehensive review
As an initial matter, in conducting a review of the laws
relating to electronic communications and related documents, we
agree that work needs to be done to ensure that our laws are up
to date and do not negatively impact business innovation and
development. We also need to address legitimate privacy
concerns. It is equally important, however, to hear from the
law enforcement community to ensure we do not limit their
ability to obtain information necessary to catch criminals and
terrorists who use electronic communications to further their
crimes. ECPA has specific definitions and has come to be
interpreted by courts in particular ways; therefore, any
amendment requires careful consideration to ensure we do not
create loopholes that make it harder for law enforcement to do
their jobs and allow criminals and terrorists to operate with
impunity.
Demonstrating the need for a comprehensive review, the bill
is silent regarding the use of ECPA to obtain data regarding
location information data. Increasingly, judges across the
country are examining whether ECPA allows law enforcement to
obtain location information data obtained from a handheld
device or from cellular site towers. The Committee on the
Judiciary in the House of Representatives recently held a
hearing to address this exact question.\6\ This hearing
examined the different legal tools law enforcement utilizes to
obtain stored, prospective, or real-time geolocation
information. Specifically, the hearing focused on the different
statutes employed to obtain this information, including the use
of ECPA, 2703(d) orders, pen registers, and combinations of
these various authorities.\7\ The testimony at the hearing
discussed the need for Congress to bring clarity to ECPA and
companion statutes to address the splits among the various
federal courts as part of any ECPA reform effort. This bill
does not include such endeavors and as a result, does not
examine ECPA in a comprehensive manner. The Committee should
follow the lead of the House Judiciary Committee and examine
these important issues to ensure that the proper balance is
struck with regard to all aspects of ECPA, including
geolocation.
---------------------------------------------------------------------------
\6\See The Electronic Communications Privacy Act (ECPA), Part 2:
Geolocation Privacy and Surveillance Before the H. Comm. on the
Judiciary, 113th Cong. (April 25, 2013).
\7\Id. (Statement of Mark Eckenwiler, Senior Counsel, Perkins Coie
LLP).
---------------------------------------------------------------------------
The amendment may adversely affect criminal investigations
Law enforcement representatives have raised concerns that
increasing the legal standard to require a criminal search
warrant for the content of all email communications regardless
of the length of time they have been in electronic storage will
hinder and delay criminal investigations.\8\ Criminal search
warrants require a showing of probable cause to believe that a
crime has been committed and that evidence of that crime will
be located in the place to be searched. This can be a
challenging standard, especially in cases where time is of the
essence.
---------------------------------------------------------------------------
\8\Id. at 2; Letter from the MCCPA, et al., to Chairman Leahy &
Ranking Member Grassley, supra note 7, at 2-3.
---------------------------------------------------------------------------
For example, in the early stages of a child abduction case
where time is of the essence, the facts are usually not fully
known. Investigators often cannot establish probable cause to
search a missing child's email account--or a similar account
such as Facebook or Twitter--because it is not clear that a
kidnapping has occurred or that evidence of that crime will be
found in the child's email account. However, under current law,
investigators have been able to access the contents of a
child's email account by using grand jury subpoenas or court
orders, thereby identifying valuable investigative leads and
even perpetrators who may have been communicating with the
child.
Under the bill, however, investigators have no way to
compel the disclosure of this vital information and are left at
the mercy of parental consent or voluntary disclosure by
service providers. While neither of these scenarios requires a
warrant, they are both highly problematic for other reasons.
Investigators would encounter issues with parental consent when
a child's parents are unavailable because they are dead or
missing, or unwilling to consent when they are targets of the
investigation.
Voluntary disclosure by service providers is likewise
unreliable, because the bill does not address the current
standard in Section 2702(b) of Title 18, United States Code on
emergency disclosures. This section merely requires service
providers to voluntarily disclose email content information to
law enforcement officials if the provider, in good faith,
believes that an emergency involving danger of death or serious
physical injury to any person requires the disclosure without
delay of the communication. But, even if an emergency arises
and time is of the essence, the bill does not require a service
provider to disclose important information to law enforcement
investigators. Early in an investigation, when any information
as to the location of the child and identity of the kidnappers
is absolutely critical, a provider may be reluctant to
voluntarily disclose information without a warrant for a number
of reasons. These might include a fear of litigation for
disclosing a customer's information without a warrant,
declining to accept law enforcement's assertion that there are
enough facts to justify an emergency, implementing a policy of
always requiring a search warrant, and many other possible
impediments to the rapid recovery of the child.
Some members of the Committee have stated that the
traditional ``exigent circumstances'' to the Fourth Amendment
would be sufficient to permit investigators to seize the
electronic communication information without a warrant. Despite
assurances from supporters of the bill that the traditional
exigent circumstances exception would apply in the event this
bill becomes law, this is not a settled issue by any means.
As a threshold matter, courts across the country disagree
as to whether the contents of email stored in the hands of a
third party service provider trigger privacy protection under
the Fourth Amendment. Some courts have held that emails are
analogous to a mailed letter, and that an individual's
reasonable expectation of privacy ends upon delivery of the
letter or the transmission of the email to the recipient.\9\
Other courts have reached a different conclusion, holding that
a subscriber enjoys a reasonable expectation of privacy in the
content of emails that are stored or sent and received through
a third-party internet service provider.\10\ Unfortunately, the
Committee never held a hearing, heard witnesses or reviewed
evidence, or even had the opportunity to debate this important
question.
---------------------------------------------------------------------------
\9\See, e.g., United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir.
2004) (holding that, like letter-writers whose expectation of privacy
ends upon delivery of the letter, individuals may not possess a
legitimate expectation of privacy ``in transmissions over the Internet
or e-mail that have already arrived at the recipient''); United States
v. Dupree, 781 F.Supp.2d 115, 159 (E.D.N.Y.2011) (finding that
defendants could ``not claim a legitimate expectation of privacy in
emails that they gave [an employee] permission to access and view'');
State v. Hinton, 280 P.3d 476, 482 (Wash. App. 2012) (ruling that the
defendant's expectation of privacy in a text message terminated upon
the message's delivery to the recipient). Furthermore, the Supreme
Court has held that the Fourth Amendment did not prevent the government
from reviewing electronic pager messages of its employees. City of
Ontario v. Quon, 130 S.Ct. 2619 (2010).
\10\See, e.g., United States v. Warshak, 631 F.3d 266, 288 (6th
Cir. 2010) (holding that ``a subscriber enjoys a reasonable expectation
of privacy in the contents of emails `that are stored with, or sent or
received through, a commercial [internet service provider]'''); United
States v. Forrester, 512 F.3d 500, 509-11 (9th Cir. 2008) (finding that
a customer does not have a legitimate expectation of privacy in the
email addresses attached to transmitted messages or the internet
protocol addresses visited on a home computer because that information
is voluntarily conveyed to the service provider, but distinguishing
between addresses and the content of messages, noting that ``the
contents may deserve Fourth Amendment protection, but the address and
size of the package do not'').
---------------------------------------------------------------------------
But even assuming arguendo that traditional Fourth
Amendment exceptions apply, the exigent circumstances exception
to the warrant requirement would not be helpful in obtaining
email content because the bill leaves law enforcement officials
at the mercy of the service providers, even in an emergency.
Law enforcement investigators, who have the training and
experience in such matters, should be making the determination
as to what constitutes an emergency situation--not an untrained
employee of a service provider. An emergency exception that
allows law enforcement professionals to determine the existence
of an emergency and requires service providers to disclose the
requested information is a potential fix that might help
address some law enforcement concerns and might help
recalibrate ECPA so that there is better balance between
privacy and public safety.
Finally, we have a related concern as to whether Congress
should be looking at setting time limits to ensure timely
compliance with the search warrants. By raising all content
requests to a search warrant standard, the bill would delegate
authority to every state, local, and federal judge to manage
requests for email content. This is important because,
traditionally, search warrants do not operate like subpoenas,
where recipients are typically given up to 14 days to respond.
Instead, search warrants usually require immediate processing
and prompt reporting back to the judge. However, law
enforcement officials have advised us that third-party service
providers do not always provide prompt compliance.
Additionally, because the statute is silent on this matter,
courts often create their own time limits. We should consider
whether uniform time limits for compliance with the search
warrant are appropriate and seek to avoid the confusion
inherent with third-party compliance wrought by the variable
time limits set by the different federal and state courts
issuing these warrants.
Civil investigations could be adversely affected
As noted above, under the bill, agencies with civil
regulatory authority will no longer be able to compel access to
older email content because the amendment removes the
administrative subpoena as a tool to obtain email
communications. The bill permits criminal search warrants as
the sole legal vehicle to compel disclosure of email content.
Without criminal search warrant authority, these civil federal
agencies reported to us that the amendment will negatively
impact their investigations.
For example, Securities and Exchange Commission Chairwoman
Mary Jo White recently sent a letter to the Committee outlining
her concerns that the SEC will be unable to obtain critical
emails necessary to investigate civil securities fraud
statutes. Specifically, she wrote that the legislation, in its
current form, could have an impact on the Commission's
``ability to protect investors and to assist victims of
securities fraud.''\11\
---------------------------------------------------------------------------
\11\Letter from SEC to U.S. Senate Judiciary Committee Chairman
Leahy (April 24, 2013) (attached in appendix).
---------------------------------------------------------------------------
Chairman White's letter also argues that the proposed
``work-arounds'' that have been suggested would be inadequate.
For example, some argue that the solution is to simply obtain
emails from the targets of the investigation.\12\ Chairman
White argues that often time these individuals delete relevant
emails or otherwise fail to provide them despite obtaining a
subpoena.\13\ As a result, the Chairman White fears that this
could embolden non-compliance with subpoenas by targets of
investigations.\14\
---------------------------------------------------------------------------
\12\Id. at 2-3.
\13\Id.
\14\Id.
---------------------------------------------------------------------------
Additionally, Chairman White argues against those who say
the SEC could simply work with the Justice Department to obtain
a warrant.\15\ She notes that, ``the Commission cannot request
that the DOJ apply for a search warrant on the SEC's behalf.''
Further, she adds that the vast majority of cases investigated
by the SEC are not criminal and therefore would be outside the
scope of ability to obtain a warrant--effectively limiting
enforcement.\16\
---------------------------------------------------------------------------
\15\Id. at 2.
\16\Id.
---------------------------------------------------------------------------
To remedy this, Chairman White advocates for an amendment
to allow a judicial standard for civil matters akin to a
criminal search warrant.\17\ This is an idea worth considering
as we move forward. It would still require a ruling from a
judge of a competent jurisdiction, similar to what we will
allow for criminal cases under this bill, while retaining the
protections provided in this bill.
---------------------------------------------------------------------------
\17\Id. at 3.
---------------------------------------------------------------------------
The SEC relies on email communications to help determine a
person's intent, agreements and conspiracies to defraud, and
patterns of illegal conduct when investigating allegations of
insider trading, accounting fraud, and providing false or
misleading information about securities and the companies that
issue them. In providing technical assistance to the Ranking
Member in evaluating the bill, the SEC advised that this
legislation would significantly impact the SEC's enforcement of
the securities laws--including insider trading.
The SEC recently filed a civil case against two individuals
alleging that over a period of years they engaged in a scheme
to artificially inflate the financial results of a publicly
owned retailer by engaging in a series of fraudulent financial
transactions. During the investigation, the SEC obtained an
email using an ECPA-authorized subpoena showing that one of the
defendants sent an email describing the publicly owned
company's commitment to buy certain products and services at
inflated prices. The email stated ``the fake credits that were
negotiated with'' the company were being used ``to hit certain
quarterly numbers.'' This evidence was particularly important
because the defendants were sophisticated and had cleverly and
carefully concealed their scheme. The SEC subpoenaed the
Internet Service Provider (ISP) because an individual in the
case had failed to produce an email from one of his personal
email account in response to a subpoena issued to him almost a
year earlier. SEC investigators confronted the defendant with
the email obtained from the ISP. The defendant then produced
his personal email, including this inculpatory one. This
example demonstrates how important the administrative subpoena
is in the civil regulatory context; indeed, it can be the
difference between enforcing the laws and watching helplessly
as crafty fraudsters escape liability and accountability for
their crimes.
The SEC has also advised us that investigative
administrative subpoenas for email from ISPs are highly
valuable in other situations, such as: (1) when investigators
are attempting to locate stolen assets of victimized investors,
(2) where the target of an investigation lives outside the
United States, and (3) where the target of an investigation
claims to have deleted all of their emails, has a damaged hard
drive, or simply withholds the evidence.
The administrative subpoena is a vital tool for other
federal civil enforcement agencies as well. The Food and Drug
Administration also uses administrative subpoenas to review
email communications to investigate allegations regarding
violations of food and drug safety laws. The Consumer Product
Safety Commission and the Federal Trade Commission use email
communications to investigate allegations of fraud, deception,
and unfair business practices in the marketplace. The
Commodities and Futures Trading Commission (CFTC) relies on
email communications to investigate fraud, manipulation, and
abusive trading practices in the marketplace. Through effective
oversight, the CFTC enables the futures markets to serve the
important function of providing a means for price discovery and
offsetting price risk.
Conclusion
We agree that ECPA reform is needed to address the dramatic
advances to technology over the last three decades. We have
concerns, however, with the version reported by the Committee.
There are very valid concerns raised by the law enforcement
community and civil regulatory agencies and those concerns
should be addressed. ECPA is an important privacy law and
advances in technology warrant an update. However, in addition
to the changes made for content in this bill, ECPA reform
should address some of these other concerns raised to ensure we
have a comprehensive approach that strikes the proper balance
between privacy and public safety. Going forward, we trust that
the Committee will address the concerns described above so that
ECPA reform can be achieved.
Charles E. Grassley.
Jeff Sessions.
VIII. Changes to Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 607, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
18 USC Sec. 2702--VOLUNTARY DISCLOSURE OF CUSTOMER COMMUNICATIONS OR
RECORDS
(a) Prohibitions.--Except as provided in subsection (b) or
(c)--
(1) a person or entity providing an electronic
communication service to the public shall not knowingly
divulge to any person or entity the contents of a
communication while in electronic storage by that
service; and
(2) a person or entity providing remote computing
service to the public shall not knowingly divulge to
any person or entity the contents of any communication
which is carried or maintained on that service--
(A) on behalf of, and received by means of
electronic transmission from (or created by
means of computer processing of communications
received by means of electronic transmission
from), a subscriber or customer of such
service;
(B) solely for the purpose of providing
storage or computer processing services to such
subscriber or customer, if the provider is not
authorized to access the contents of any such
communications for purposes of providing any
services other than storage or computer
processing; and
(3) [a provider of remote computing service or
electronic communication service to the public shall
not knowingly divulge a record or other information
pertaining to a subscriber to or customer of such
service (not including the contents of communications
covered by paragraph (1) or (2)) to any Governmental
entity.] a provider of remote computing service or
electronic communication service to the public shall
not knowingly divulge to any Governmental entity the
contents of any communication described in section
2703(a), or any record or other information pertaining
to a subscriber or customer of such service.
(b) Exceptions for Disclosure of Communications.--A
provider described in subsection (a) may divulge the contents
of a communication--
(1) to an addressee or intended recipient of such
communication or an agent of such addressee or intended
recipient;
(2) as otherwise authorized in section 2517,
2511(2)(a), or 2703 of this title;
(3) with the lawful consent of the originator or an
addressee or intended recipient of such communication,
or the subscriber in the case of remote computing
service;
(4) to a person employed or authorized or whose
facilities are used to forward such communication to
its destination;
(5) as may be necessarily incident to the rendition
of the service or to the protection of the rights or
property of the provider of that service;
(6) to the National Center for Missing and Exploited
Children, in connection with a report submitted thereto
under section 2258A;
(7) to a law enforcement agency--
(A) if the contents--
(i) were inadvertently obtained by
the service provider; and
(ii) appear to pertain to the
commission of a crime; or
(8) to a Governmental entity, if the provider, in
good faith, believes that an emergency involving danger
of death or serious physical injury to any person
requires disclosure without delay of communications
relating to the emergency.
(c) Exceptions for Disclosure of Customer Records.--A
provider described in subsection (a) may divulge a record or
other information pertaining to a subscriber to or customer of
such service (not including the contents of communications
covered by subsection (a)(1) or (a)(2))--
(1) as otherwise authorized in section 2703;
(2) with the lawful consent of the customer or
subscriber;
(3) as may be necessarily incident to the rendition
of the service or to the protection of the rights or
property of the provider of that service;
(4) to a Governmental entity, if the provider, in
good faith, believes that an emergency involving danger
of death or serious physical injury to any person
requires disclosure without delay of information
relating to the emergency;
(5) to the National Center for Missing and Exploited
Children, in connection with a report submitted thereto
under section 2258A; or
(6) to any person other than a Governmental entity.
(d) Reporting of Emergency Disclosures.--On an annual
basis, the Attorney General shall submit to the Committee on
the Judiciary of the House of Representatives and the Committee
on the Judiciary of the Senate a report containing--
(1) the number of accounts from which the Department
of Justice has received voluntary disclosures under
subsection (b)(8); and
(2) a summary of the basis for disclosure in those
instances where--
(A) voluntary disclosures under subsection
(b)(8) were made to the Department of Justice;
and
(B) the investigation pertaining to those
disclosures was closed without the filing of
criminal charges.
18 USC Sec. 2703--REQUIRED DISCLOSURE OF CUSTOMER COMMUNICATIONS OR
RECORDS
[(a) Contents of Wire or Electronic Communications in
Electronic Storage.--A Governmental entity may require the
disclosure by a provider of electronic communication service of
the contents of a wire or electronic communication, that is in
electronic storage in an electronic communications system for
one hundred and eighty days or less, only pursuant to a warrant
issued using the procedures described in the Federal Rules of
Criminal Procedure (or, in the case of a State court, issued
using State warrant procedures) by a court of competent
jurisdiction. A Governmental entity may require the disclosure
by a provider of electronic communications services of the
contents of a wire or electronic communication that has been in
electronic storage in an electronic communications system for
more than one hundred and eighty days by the means available
under subsection (b) of this section.
[(b) Contents of Wire or Electronic Communications in a
Remote Computing Service.--
[(1) A Governmental entity may require a provider of
remote computing service to disclose the contents of
any wire or electronic communication to which this
paragraph is made applicable by paragraph (2) of this
subsection--
[(A) without required notice to the
subscriber or customer, if the Governmental
entity obtains a warrant issued using the
procedures described in the Federal Rules of
Criminal Procedure (or, in the case of a State
court, issued using State warrant procedures)
by a court of competent jurisdiction; or
[(B) with prior notice from the Governmental
entity to the subscriber or customer if the
Governmental entity--
[(i) uses an administrative subpoena
authorized by a Federal or State
statute or a Federal or State grand
jury or trial subpoena; or
[(ii) obtains a court order for such
disclosure under subsection (d) of this
section; except that delayed notice may
be given pursuant to section 2705 of
this title.
[(2) Paragraph (1) is applicable with respect to any
wire or electronic communication that is held or
maintained on that service--
[(A) on behalf of, and received by means of
electronic transmission from (or created by
means of computer processing of communications
received by means of electronic transmission
from), a subscriber or customer of such remote
computing service; and
[(B) solely for the purpose of providing
storage or computer processing services to such
subscriber or customer, if the provider is not
authorized to access the contents of any such
communications for purposes of providing any
services other than storage or computer
processing.
[(c) Records Concerning Electronic Communication Service or
Remote Computing Service.--
[(1) A Governmental entity may require a provider of
electronic communication service or remote computing
service to disclose a record or other information
pertaining to a subscriber to or customer of such
service (not including the contents of communications)
only when the Governmental entity--
[(A) obtains a warrant issued using the
procedures described in the Federal Rules of
Criminal Procedure (or, in the case of a State
court, issued using State warrant procedures)
by a court of competent jurisdiction;
[(B) obtains a court order for such
disclosure under subsection (d) of this
section;
[(C) has the consent of the subscriber or
customer to such disclosure;
[(D) submits a formal written request
relevant to a law enforcement investigation
concerning telemarketing fraud for the name,
address, and place of business of a subscriber
or customer of such provider, which subscriber
or customer is engaged in telemarketing (as
such term is defined in section 2325 of this
title); or
[(E) seeks information under paragraph (2).
[(2) A provider of electronic communication service
or remote computing service shall disclose to a
Governmental entity the--
[(A) name;
[(B) address;
[(C) local and long distance telephone
connection records, or records of session times
and durations;
[(D) length of service (including start date)
and types of service utilized;
[(E)telephone or instrument number or other
subscriber number or identity, including any
temporarily assigned network address; and
[(F) means and source of payment for such
service (including any credit card or bank
account number), of a subscriber to or customer
of such service when the Governmental entity
uses an administrative subpoena authorized by a
Federal or State statute or a Federal or State
grand jury or trial subpoena or any means
available under paragraph (1).
[(3) A Governmental entity receiving records or
information under this subsection is not required to
provide notice to a subscriber or customer.]
(a) Contents of Wire or Electronic Communications.--A
Governmental entity may require the disclosure by a provider of
electronic communication service or remote computing service of
the contents of a wire or electronic communication that is in
electronic storage with or otherwise stored, held, or
maintained by the provider only if the Governmental entity
obtains a warrant issued using the procedures described in the
Federal Rules of Criminal Procedure (or, in the case of a State
court, issued using State warrant procedures) that is issued by
a court of competent jurisdiction directing the disclosure.
(b) Notice.--Except as provided in section 2705, not later
than 10 business days, in the case of a law enforcement agency,
or not later than 3 days, in the case of any other Governmental
entity, after a Governmental entity receives the contents of a
wire or electronic communication of a subscriber or customer
from a provider of electronic communication service or remote
computing service under subsection (a), the Governmental entity
shall serve upon, or deliver to by registered or first-class
mail, electronic mail, or other means reasonably calculated to
be effective, as specified by the court issuing the warrant,
the subscriber or customer--
(1) a copy of the warrant; and
(2) a notice that includes the information referred
to in clause (i) and (ii) of section 2705(a)(4)(B).
(c) Records Concerning Electronic Communication Service or
Remote Computing Service.--
(1) In general.--Subject to paragraph (2), a
Governmental entity may require a provider of
electronic communication service or remote computing
service to disclose a record or other information
pertaining to a subscriber or customer of the provider
or service (not including the contents of
communications), only if the Governmental entity--
(A) obtains a warrant issued using the
procedures described in the Federal Rules of
Criminal Procedure (or, in the case of a State
court, issued using State warrant procedures)
that is issued by a court of competent
jurisdiction directing the disclosure;
(B) obtains a court order directing the
disclosure under subsection (d);
(C) has the consent of the subscriber or
customer to the disclosure; or
(D) submits a formal written request relevant
to a law enforcement investigation concerning
telemarketing fraud for the name, address, and
place of business of a subscriber or customer
of the provider or service that is engaged in
telemarketing (as defined in section 2325).
(2) Information to be disclosed.--A provider of
electronic communication service or remote computing
service shall, in response to an administrative
subpoena authorized by Federal or State statute, a
grand jury, trial, or civil discovery subpoena, or any
means authorized under paragraph (1), disclose to a
Governmental entity the--
(A) name;
(B) address;
(C) local and long distance telephone
connection records, or records of session times
and durations;
(D) length of service (including start date)
and types of service used;
(E) telephone or instrument number or other
subscriber number or identity, including any
temporarily assigned network address; and
(F) means and source of payment for such
service (including any credit card or bank
account number), of a subscriber or customer of
such service.
(3) Notice not required.--A Governmental entity that
receives records or information under this subsection
is not required to provide notice to a subscriber or
customer.
(d) Requirements for Court Order.--[A court order for
disclosure under subsection (b) or (c)] A court order for
disclosure under subsection (c) may be issued by any court that
is a court of competent jurisdiction and shall issue only if
the Governmental entity offers specific and articulable facts
showing that there are reasonable grounds to believe that [the
contents of a wire or electronic communication, or] the records
or other information sought, are relevant and material to an
ongoing criminal investigation. In the case of a State
Governmental authority, such a court order shall not issue if
prohibited by the law of such State. A court issuing an order
pursuant to this section, on a motion made promptly by the
service provider, may quash or modify such order, if the
information or records requested are unusually voluminous in
nature or compliance with such order otherwise would cause an
undue burden on such provider.
(e) No Cause of Action Against a Provider Disclosing
Information Under This Chapter.--No cause of action shall lie
in any court against any provider of wire or electronic
communication service, its officers, employees, agents, or
other specified persons for providing information, facilities,
or assistance in accordance with the terms of a court order,
warrant, subpoena, statutory authorization, or certification
under this chapter.
(f) Requirement To Preserve Evidence.--
(1) In general.--A provider of wire or electronic
communication services or a remote computing service,
upon the request of a Governmental entity, shall take
all necessary steps to preserve records and other
evidence in its possession pending the issuance of a
court order or other process.
(2) Period of retention.--Records referred to in
paragraph (1) shall be retained for a period of 90
days, which shall be extended for an additional 90-day
period upon a renewed request by the Governmental
entity.
(g) Presence of Officer Not Required.--Notwithstanding
section 3105 of this title, the presence of an officer shall
not be required for service or execution of a search warrant
issued in accordance with this chapter requiring disclosure by
a provider of electronic communications service or remote
computing service of the contents of communications or records
or other information pertaining to a subscriber to or customer
of such service.
(h) Rule of Construction.--Nothing in this section or in
section 2702 shall be construed to limit the authority of a
Governmental entity to use an administrative subpoena
authorized under a Federal or State statute or to use a Federal
or State grand jury, trial, or civil discovery subpoena to--
(1) require an originator, addressee, or intended
recipient of an electronic communication to disclose
the contents of the electronic communication to the
Governmental entity; or
(2) require an entity that provides electronic
communication services to the officers, directors,
employees, or agents of the entity (for the purpose of
carrying out their duties) to disclose the contents of
an electronic communication to or from an officer,
director, employee, or agent of the entity to a
Governmental entity, if the electronic communication is
held, stored, or maintained on an electronic
communications system owned or operated by the entity.
18 USC Sec. 2705--DELAYED NOTICE
[(a) Delay of Notification.--
[(1) A Governmental entity acting under section
2703(b) of this title may--
[(A) where a court order is sought, include
in the application a request, which the court
shall grant, for an order delaying the
notification required under section 2703(b) of
this title for a period not to exceed ninety
days, if the court determines that there is
reason to believe that notification of the
existence of the court order may have an
adverse result described in paragraph (2) of
this subsection; or
[(B) where an administrative subpoena
authorized by a Federal or State statute or a
Federal or State grand jury subpoena is
obtained, delay the notification required under
section 2703(b) of this title for a period not
to exceed ninety days upon the execution of a
written certification of a supervisory official
that there is reason to believe that
notification of the existence of the subpoena
may have an adverse result described in
paragraph (2) of this subsection.
[(2) An adverse result for the purposes of paragraph
(1) of this subsection is--
[(A) endangering the life or physical safety
of an individual;
[(B) flight from prosecution;
[(C) destruction of or tampering with
evidence;
[(D) intimidation of potential witnesses; or
[(E) otherwise seriously jeopardizing an
investigation or unduly delaying a trial.
[(3) The Governmental entity shall maintain a true
copy of certification under paragraph (1)(B).
[(4) Extensions of the delay of notification provided
in section 2703 of up to ninety days each may be
granted by the court upon application, or by
certification by a Governmental entity, but only in
accordance with subsection (b) of this section.
[(5) Upon expiration of the period of delay of
notification under paragraph (1) or (4) of this
subsection, the Governmental entity shall serve upon,
or deliver by registered or first-class mail to, the
customer or subscriber a copy of the process or request
together with notice that--
[(A) states with reasonable specificity the
nature of the law enforcement inquiry; and
[(B) informs such customer or subscriber--
[(i) that information maintained for
such customer or subscriber by the
service provider named in such process
or request was supplied to or requested
by that Governmental authority and the
date on which the supplying or request
took place;
[(ii) that notification of such
customer or subscriber was delayed;
[(iii) what Governmental entity or
court made the certification or
determination pursuant to which that
delay was made; and
[(iv) which provision of this chapter
allowed such delay.
[(6) As used in this subsection, the term
``supervisory official'' means the investigative agent
in charge or assistant investigative agent in charge or
an equivalent of an investigating agency's headquarters
or regional office, or the chief prosecuting attorney
or the first assistant prosecuting attorney or an
equivalent of a prosecuting attorney's headquarters or
regional office.
[(b) Preclusion of Notice to Subject of Governmental
Access.--A Governmental entity acting under section 2703, when
it is not required to notify the subscriber or customer under
section 2703(b)(1), or to the extent that it may delay such
notice pursuant to subsection (a) of this section, may apply to
a court for an order commanding a provider of electronic
communications service or remote computing service to whom a
warrant, subpoena, or court order is directed, for such period
as the court deems appropriate, not to notify any other person
of the existence of the warrant, subpoena, or court order. The
court shall enter such an order if it determines that there is
reason to believe that notification of the existence of the
warrant, subpoena, or court order will result in--
[(1) endangering the life or physical safety of an
individual;
[(2) flight from prosecution;
[(3) destruction of or tampering with evidence;
[(4) intimidation of potential witnesses; or
[(5) otherwise seriously jeopardizing an
investigation or unduly delaying a trial.]
(a) Delay of Notification.--
(1) In general. A Governmental entity that is seeking
a warrant under section 2703(a) may include in the
application for the warrant a request for an order
delaying the notification required under section
2703(a) for a period of not more than 180 days, in the
case of a law enforcement agency, or not more than 90
days, in the case of any other Governmental entity.
(2) Determination.--A court shall grant a request for
delayed notification made under paragraph (1) if the
court determines that there is reason to believe that
notification of the existence of the warrant may result
in
(A) endangering the life or physical safety
of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with
evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an
investigation or unduly delaying a trial.
(3) Extension.--Upon request by a Governmental
entity, a court may grant 1 or more extensions of the
delay of notification granted under paragraph (2) of
not more than 180 days, in the case of a law
enforcement agency, or not more than 90 days, in the
case of any other Governmental entity.
(4) Expiration of the delay of notification.--Upon
expiration of the period of delay of notification under
paragraph (2) or (3), the Governmental entity shall
serve upon, or deliver to by registered or first-class
mail, electronic mail or other means reasonably
calculated to be effective as specified by the court
approving the search warrant, the customer or
subscriber--
(A) a copy of the warrant; and
(B) notice that informs the customer or
subscriber--
(i) of the nature of the law
enforcement inquiry with reasonable
specificity;
(ii) that information maintained for
the customer or subscriber by the
provider of electronic communication
service or remote computing service
named in the process or request was
supplied to, or requested by, the
Governmental entity;
(iii) of the date on which the
warrant was served on the provider and
the date on which the information was
provided by the provider to the
Governmental entity;
(iv) that notification of the
customer or subscriber was delayed;
(v) the identity of the court
authorizing the delay; and
(vi) of the provision of this chapter
under which the delay was authorized.
(b) Preclusion of Notice to Subject of Governmental
Access.--
(1) In general.--A Governmental entity that is
obtaining the contents of a communication or
information or records under section 2703 may apply to
a court for an order directing a provider of electronic
communication service or remote computing service to
which a warrant, order, subpoena, or other directive
under section 2703 is directed not to notify any other
person of the existence of the warrant, order,
subpoena, or other directive for a period of not more
than 180 days, in the case of a law enforcement agency,
or not more than 90 days, in the case of any other
Governmental entity.
(2) Determination.--A court shall grant a request for
an order made under paragraph (1) if the court
determines that there is reason to believe that
notification of the existence of the warrant, order,
subpoena, or other directive may result in--
(A) endangering the life or physical safety
of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with
evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an
investigation or unduly delaying a trial.
(3) Extension.--Upon request by a Governmental
entity, a court may grant 1 or more extensions of an
order granted under paragraph (2) of not more than 180
days, in the case of a law enforcement agency, or not
more than 90 days, in the case of any other
Governmental entity.
(4) Prior notice to law enforcement.--Upon expiration
of the period of delay of notice under this section,
and not later than 3 business days before providing
notice to a customer or subscriber, a provider of
electronic communications service or remote computing
service shall notify the Governmental entity that
obtained the contents of a communication or information
or records under section 2703 of the intent of the
provider of electronic communications service or remote
computing service to notify the customer or subscriber
of the existence of the warrant, order, or subpoena
seeking that information.
(c) Definition.--In this section and section 2703, the term
``law enforcement agency'' means an agency of the United
States, a State, or a political subdivision of a State,
authorized by law or by a Government agency to engage in or
supervise the prevention, detection, investigation, or
prosecution of any violation of criminal law, or any other
Federal or State agency conducting a criminal investigation.
