Texas is poised to become the first state in the U.S. to require law enforcement officers to get a search warrant based on probable cause before they access any electronic communications and customer data stored by a third-party service provider.
The Texas legislature this week passed a bill (H.B. 2268) mandating the warrant. The measure now only needs a signature by Gov. Rick Perry to become law.
The bill would be the first to address what many, including courts, say are glaring shortcomings in the Electronic Communications Privacy Act. The ECPA was drafted in 1986 and does not always require law enforcement authorities to obtain a search warrant to access email, instant messages and other customer data stored by Internet service providers and online storage services.
In many instances, the ECPA only requires them to give prior notice and obtain an administrative subpoena to access customer data. The only situation where existing federal law mandates a search warrant is for unopened email messages that are less than 180 days old.
Concerns over warrantless email searches by police have prompted sweeping calls for ECPA reforms, both at the state and federal level.
Just last week, for instance, Sen. Rand Paul (R-KY) introduced the Fourth Amendment Preservation and Protection Act of 2013, which stipulates a search warrant requirement similar to the Texas bill. In March, three lawmakers introduced an ECPA reform bill that would require law enforcement agencies to obtain a warrant to intercept or access stored electronic communications and geolocation data.
Similar bills have been proposed by others in recent years, but the Texas statute looks to be the first effort to actually become law.
The measure requires a warrant for all law enforcement access to stored electronic data, regardless of how long it has been stored, who is storing it or how it is being stored. All applications for search warrants would need probable case and have to be supported by an oath by the officer making the request.
In most cases, companies served with such warrants would be required to comply with them within 10 days. In some instances, a judge could require compliance in as little as four days if police are able to prove than a delay would jeopardize an investigation, put someone's life at risk or let someone to escape prosecution.
The bill is important for two reasons, said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation (EFF). First, it creates stronger privacy protections by updating the state's electronic privacy laws.
"Second, although this bill only covers Texas, it will hopefully spur other states to do the same and for Congress to update ECPA, too," Fakhoury said.
California, for instance, is currently considering a similar bill (SB 467) sponsored by the EFF. It has been passed by the California Senate and is now awaiting action in the Assembly, he said.
Separately, ECPA reform has been steadily moving through Congress, with entities as varied as Google and the U.S. Department of Justice now backing a warrant requirement, he noted. "Having individual states demonstrate to Congress that email privacy legislation is both politically and practically feasible, necessary and desired is only going to make the law better for everyone, no matter what state they're in."
The Texas law would only apply to state investigations -- not federal investigations, which will still be governed by ECPA requirements.
This article, In Texas, cops will soon need a warrant to search your email, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about privacy in Computerworld's Privacy Topic Center.