This new law is binding only for state and local law enforcement - federal agents are bound by the much more permissive Electronic Communications Privacy Act (ECPA) that dates back to 1986, and says that a warrant is required only if the email has not yet been opened by the recipient. Once the email has been perused by him or her, and/or is still present in the inbox after 180 days, the agents can access it without a warrant.
“It's always good to see states passing pro-privacy legislation because it sends a signal to Congress. It sends a signal to conservative members who might not yet be on board that this is something being supported in their own states and it helps the courts to see that this is a safe space to venture into. When cities and states start protecting e-mail, then judges may feel like there is a reasonable expectation of privacy,” privacy researcher and activist Chris Soghoian commented the signing for Ars Techica.
In parallel with this law passing through both houses of the Texas legislature, a new bipartisan bill aimed at doing a similar thing has been introduced at the federal level.
Representatives Kevin Yoder (R-Kansas), Tom Graves (R-Georgia), and Jared Polis (D-Colorado) have managed to amass 94 co-sponsors for their Email Privacy Act (H.R. 1852), which would serve as an update to the aforementioned EPCA to improve privacy protections for electronic communications information stored or maintained by third-party service providers.
"The Email Privacy Act updates legislation written in a time when server storage was limited. Back then, an email user was expected to permanently download his or her email locally from a server for reading, response, and long-term storage. So the 180 day rule made sense, because email left on a server for that long could be reasonably viewed as abandoned. But that’s not the case today with people accessing and storing years and years worth of email through third-party servers," the representatives wrote in an editorial for Wired.
"Fundamentally, the Email Privacy Act would ensure that the Fourth Amendment protections Americans already have for mail, phone calls, and other paper/ hard documents are extended to their soft communications too. Specifically, our legislation updates ECPA by strengthening privacy protections for electronic communications stored by third party service providers such as Amazon, Dropbox, Facebook, Google, Yahoo, and countless other cloud services. If government agencies want to obtain any of these communications, they would first need to obtain a warrant from a judge — not their self-anointed authority."
“With the latest concerns over abuse of government power, members are supporting the Email Privacy Act as a vehicle to ensure their constituents’ right to privacy. The American people deserve to have their right to email privacy, and the government’s limitations, clearly defined,” commented Congressman Graves.
"Congress needs to act now to update our laws through the Email Privacy Act and reign in any overreaching by government agencies," the representatives say. "It’s ironic that we have benefitted tremendously from technological innovations and advancements such as smartphones and always-connected networks but that our laws have not kept pace with the privacy realities of the 21st century."
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.