BILL ANALYSIS
SB 467
Page 1
Date of Hearing: July 2, 2013
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
SB 467 (Leno) - As Amended: June 20, 2013
As Proposed to be Amended
SENATE VOTE : 33-1
SUBJECT : Privacy: Electronic Communications: Warrant
KEY ISSUE : Should a government agency be required to obtain a
warrant in order to obtain the contents of an electronic
communication from a service provider, regardless of the type of
service provider, the age of the communication, or whether the
communication has been opened or not?
FISCAL EFFECT : As currently in print this bill is keyed
non-fiscal.
SYNOPSIS
The federal Stored Communications Act (SCA) - which is part of
the Electronic Communications Privacy Act (ECPA) - prohibits a
government entity from obtaining the contents of a stored
electronic communication (such as an e-mail) unless it first
obtains a search warrant. However, this warrant requirement
only applies to content that is less than 180-days old and is
stored on an "electronic communication service," or ECS. An
electronic communication that has been stored for more than 180
days is deemed "abandoned" and may be obtained by a court order
or subpoena, which requires a lower threshold than the "probable
cause" showing that is required to obtain a warrant. Similarly,
a government entity can obtain a communication stored on a
"remote computing service" (RCS) with only a subpoena, and many
courts have held that this lower threshold also applies to any
e-mail that has been opened by the recipient, regardless of age
or where it is stored. Both U.S. and California lawmakers, as
well as many legal scholars, have criticized SCA as seriously
outdated. For example, the existing definitions of an ECS
(which requires a warrant) and an RCS (which only requires a
subpoena) reflected the state of technology in 1986, when SCA
was enacted, but these definitions are less relevant in the age
of the Internet, cloud computing, smart phones, and mobile
applications. Courts have had difficulty determining, for
example, whether new social media should be deemed ECS or RCS,
and this designation is critically important as it determines
whether a warrant or only a subpoena is required. Although this
bill does not change the definitions of "electronic
communication service" and "remote computing service," it does
render them less problematic by creating a uniform warrant
requirement that applies to both. Similarly, the uniform
standard would resolve other sources of confusion, as to whether
the communication is in "electronic storage" or "computer
storage," and whether it is more or less than 180 days old - a
distinction that might have made more sense when computers had
more limited storage capacity and things like "cloud computing"
did not exist. This bill is supported by a number of privacy
groups and opposed by law enforcement groups.
SUMMARY : Requires a search warrant when a governmental agency
is seeking to obtain the contents of a wire or electronic
communication that is stored, held or maintained by a provider
of electronic communications services or remote computing
services. Specifically, this bill :
1)Deletes a provision of existing law that restricts the warrant
requirements for acquiring stored electronic information only
to those companies that provide electronic communication
services or remote computing services to the general public.
2)Prohibits a government entity from obtaining the contents of a
wire or electronic communication from a provider of electronic
communication service or remote computing service that is
stored, held, or maintained by that service provider without a
valid search warrant.
3)Requires a government entity that obtains the contents of an
electronic communication from a service provider pursuant to a
warrant to serve notice and a copy of the warrant upon the
customer, subscriber, or user within three days after
obtaining the communication. Requires that the notice contain
specified information, including reasonable specificity as to
the nature of the governmental inquiry and specifies
circumstances under which a governmental entity may delay
notice.
4)Prohibits a service provider from divulging the contents of an
electronic communication, subject to certain exceptions,
including where the service provider has the consent of the
sender or recipient of the communication, where it is
incidental to providing the service, or when it is disclosed
to a governmental entity to prevent death or serious injury,
as specified.
5)Permits the service provider, or the subscriber or any other
person aggrieved by a violation of the above provisions, to
recover specified relief and damages from any person or
governmental entity that committed the violation. Relief may
include, but is not limited to, equitable relief, damages,
including punitive damages, as specified, and attorney's fees
and litigation costs.
EXISTING LAW :
1)Provides that the right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no warrants
shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be
searched and the persons or things to be seized. (Amendment
IX of the U.S. Constitution; Article I, Section 13 of the
California Constitution.)
2)States that a search warrant is an order in writing, in the
name of the people, signed by a magistrate, directed to a
peace officer, commanding him or her to search for a person or
persons, a thing or things, or personal property, and, in the
case of a thing or things or personal property, bring the same
before the magistrate. (Penal Code Section 1523.)
3)Provides that a search warrant cannot be issued but upon
probable cause, supported by affidavit, naming or describing
the person to be searched or searched for, and particularly
describing the property, thing, or things and the place to be
searched. (Penal Code Section 1525.)
4)Provides that a search warrant may be issued upon any of the
specified grounds, including when a provider of electronic
communication service or remote computing service has records
or evidence, as specified, showing that property was stolen or
embezzled constituting a misdemeanor, or that property or
things are in the possession of any person with the intent to
use them as a means of committing a misdemeanor public
offense, or in the possession of another to whom he or she may
have delivered them for the purpose of concealing them or
preventing their discovery. (Penal Code Section 1524(a).)
5)Requires a provider of electronic communication service or
remote computing service to disclose to a governmental
prosecuting or investigating agency the name, address, local
and long distance telephone toll billing records, telephone
number or other subscriber number or identity, and length of
service of a subscriber to or customer of that service, and
the types of services the subscriber or customer utilized,
when the governmental entity is granted a search warrant.
(Penal Code Section 1524.3(a).)
6)States that a governmental entity receiving subscriber records
or information is not required to provide notice to a
subscriber or customer of the warrant. (Penal Code Section
1524.3(b).)
7)Authorizes a court issuing a search warrant, on a motion made
promptly by the service provider, to quash or modify the
warrant if the information or records requested are unusually
voluminous in nature or compliance with the warrant otherwise
would cause an undue burden on the provider. (Penal Code
Section 1524.3(c).)
8)Requires a provider of wire or electronic communication
services or a remote computing service, upon the request of a
peace officer, to take all necessary steps to preserve records
and other evidence in its possession pending the issuance of a
search warrant or a request in writing and an affidavit
declaring intent to file a warrant to the provider. Records
shall be retained for a period of 90 days, which shall be
extended for an additional 90-day period upon a renewed
request by the peace officer. (Penal Code Section 1524.3(d).)
9)Specifies that no cause of action shall be brought against any
provider, its officers, employees, or agents for providing
information, facilities, or assistance in good faith
compliance with a search warrant. (Penal Code Section
1524.3(e).)
10)Provides for a process for a search warrant for records that
are in the actual or constructive possession of a foreign
corporation that provides electronic communication services or
remote computing services to the general public, where the
records would reveal the identity of the customers using those
services, data stored by, or on behalf of, the customer, the
customer's usage of those services, the recipient or
destination of communications sent or from those customers, or
the content of those communications. (Penal Code Section
1524.2.)
11)Provides, under the federal Electronic Communications Privacy
Act (ECPA), that a government entity may only access the
contents of communications in electronic storage for 180 days
or less pursuant to a warrant. If the contents of a wire or
electronic communication have been in electronic storage in an
electronic communications system for more than 180 days, a
governmental entity may require its disclosure through other
means such as a subpoena or a court order. The federal law
also includes notification procedures. (18 USCS Section 2701
et seq.)
COMMENTS : This bill seeks to update California privacy law to,
in the author's words, "reflect the modern electronic world by
providing needed protection against warrantless government
access to the contents of a person's electronic communications
like e-mail or Facebook and Twitter messages." While the means
of online, wireless, and Internet communication have evolved at
an almost incomprehensible pace, it does indeed appear that
privacy laws have failed to keep up. Perhaps nowhere is the gap
between dynamic technology and static law more apparent than the
federal Stored Communications Act (SCA) - 18 USC Sections 2701
et seq. - that was enacted in 1986 as part of the Electronic
Communications Privacy Act (ECPA).
Background: Confusion in Existing Federal Law : Although SCA is
the principal federal statute protecting the privacy of stored
e-mail communications - and possibly Internet and social media
communications - it has been widely criticized as being
seriously out of date. It was enacted primarily with only
e-mail in mind and prior to the widespread use of the Internet.
According to one SCA expert, the statute is "dense and
confusing, and few cases exist explaining how the statute works.
The uncertainty has made it difficult for legislators to
legislate in the field, reporters to report about it, and
scholars to offer scholarly guidance in this very important area
of law." (Otto Kerr, A User's Guide to the Stored
Communications Act, and a Legislator's Guide to Amending It
(2004) 72 Geo. Wash. L. Rev. 1208.) Senator Patrick Leahy,
Chair of the U.S. Senate Committee on Judiciary, held hearings
on ECPA in 2010. The general consensus of the testimony
presented was that ECPA needed to be clarified and updated in
order to reflect developments in the "digital age." (U.S.
Senate. The Electronic Communications Privacy Act: Promoting
Security and Protecting Privacy in a Digital Age. Hearings
before the Committee on the Judiciary of the U.S. Senate. 111th
Congress, 2d session.) Despite this consensus, Congress had
still not acted at the time of this writing. Pending
congressional legislation, which grew out of the Leahy hearings,
seeks to update ECPA, especially in terms of creating a uniform
warrant requirement for government access to stored
communications.
One of the primary criticisms of the SCA provisions in ECPA is
that they create a number of confusing classifications that
determine the procedures that a government entity must follow in
order to gain access to the contents of a person's electronic
communications. Critics contend that these classifications were
not models of clarity to begin with, and that recent
technological changes have rendered them even more confusing
and, quite possibly, irrelevant. For example, under existing
law, a government entity must first obtain a search warrant in
order to compel a service provider to disclose the contents of
an electronic communication that is stored on an "electronic
communications service" (ECS) for 180 days or less. If the
communication has been stored for more than 180 days, then the
government entity may, with prior notice to the subscriber,
obtain access by a subpoena or by a court order showing
"articulable facts" that the information is relevant to a
"criminal investigation" - a lesser threshold than a warrant,
which requires "probable cause" that the communication contains
evidence that a crime has been or will likely be committed. It
is not entirely clear why Congress initially created the 180-day
distinction, though apparently it reflected the limited storage
capacity of computers in 1986 and is based on a theory that any
communication over 180 days old is somehow "abandoned" and
therefore no longer protected. Pending federal legislation (S.
607 and H.R. 1847) would, among other things, eliminate the
180-day rule as one part of the effort to create a more uniform
rule.
An even more outdated distinction that the SCA makes is between
communications stored on an "electronic communications service"
(ECS) and a "remote computing service" (RCS). Similar to the
180-day distinction, a government entity may only obtain a
communication from an ECS (assuming it is 180-days old or less)
with a warrant. However, a communication stored on an RCS may
be obtained, with prior notice, by a subpoena or specified court
order. The federal statute's definitions of ECS and RCS reflect
the technology that existed in 1986. An ECS is defined simply
as any entity that provides a service for the sending and
receiving of electronic communications. It had in mind
pre-Internet e-mail systems. More problematic, however, is the
definition of RCS, or "remote computing service." This is
defined as any entity that provides "storage and processing" of
electronic information. In 1986, personal or business computers
had very limited storage and processing capacities, and
businesses sent electronic data to be stored and processed. For
example, even the simple processing that can be done today with
spreadsheet software was outsourced to other businesses in 1986.
Not only is the ECS v. RCS distinction less relevant than it
was in 1986, it is not at all clear how, or if, such
distinctions have any relevance in an era of "cloud computing."
("Free at What Cost? Cloud Computing Privacy under the Stored
Communications Act" (2010) 98 Geo. L.J. 119; David S. Barnhill,
"Cloud Computing and Stored Communications: Another Look at Quon
v. Arch Wireless," (2010) 25 Berkeley Tech. L.J. 621.)
Making matters even more confusing is that while the federal
statute does not make any express distinction between "opened"
and "un-opened" e-mail, some courts have held that accessing
already opened e-mail does not require a search warrant, while
other courts, including the U.S. Ninth Circuit, have held that
whether the e-mail is opened or un-opened is irrelevant under
federal law. [Theofel v. Farey-Jones, 359 F. 3d. 1066 (9th
Circuit 2003) (holding that whether e-mail was opened or
un-opened was irrelevant, since that statute protects any
communication that is stored). But for opinions rejecting the
9th Circuit reasoning, see U.S. v. Warshak, 631 F. 3d 266 (6th
Circuit 2010) and U.S. v. Weaver, 636 F. Supp. 2d 769 (C.D.
Ill., 2009).]
Pending federal legislation would amend SCA to create a clear,
single standard - a search warrant - regardless of the age of
the communication, whether it was opened or un-opened, or
whether the service provider is classified as either an ECS or
RCS. This bill in many ways mirrors that pending approach.
Specifically, this bill seeks to eliminate some of this
confusion by creating, for purposes of state law, a uniform
warrant requirement, eliminating the somewhat confusing and
seemingly archaic distinctions made by SCA.
Unlike existing federal law, this bill would require a
government entity to obtain a warrant when it seeks the content
of an electronic communication, regardless of whether the
communication has been stored for more or less than 180 days,
and regardless of whether the communication is stored on an
"electronic communication system" or a "remote computing
system." It would also require a warrant without regard to
whether the electronic communication was open or un-opened.
Like SCA, the provisions of this bill would be broken down into
those situations in which a government entity can compel the
service provider to disclose the content of the communication (a
"required" disclosure) and those situations in which a service
provider may, voluntarily, divulge a subscriber's communications.
Briefly, a government entity could not compel a service provider
to turn over the contents of an electronic communication unless
it had a warrant. If a government entity does obtain this
information by warrant, then it must serve notice on the
customer or subscriber within three days. A service provider
would generally be prohibited from voluntarily disclosing the
contents of a communication without the consent of the sender or
recipient, subject to certain exceptions, including where the
provider discloses the communication to a government entity
based on a good faith belief that disclosure is necessary to
prevent death or serious injury.
The bill also eliminates a requirement in existing law that
limited the ability of a government entity to compel disclosure
of communications from a foreign (out-of-state) corporation to
service providers that offered their service to the general
public. Finally, the bill gives a civil cause of action to the
person whose communications are obtained in violation of the
requirements of this bill.
Preemption Issue : It remains to be seen whether Congress will
act on Senator Leahy's bill - or, if it does, whether the final
version will create a single, uniform standard - but this bill,
if enacted, will create a single standard that requires
government entities to obtain a search warrant in order to
obtain access to the content of e-mail communications, without
regard to the confusing array of classifications in existing
federal law. However, whenever a state attempts to regulate in
an area already governed by federal law, there is always a
possibility that federal law will preempt state law. Although
the preemption doctrine arises from the so-called "supremacy clause"
of the U.S. Constitution, it does not follow that states are
always constitutionally prohibited from legislating in areas
that are also subject to federal legislation. Generally,
federal law can only preempt state law governing the same
matters in one of three ways: (1) "express preemption," where
the federal statute expressly prohibits states from legislating
on the same matter; (2) "field preemption," where the nature of
the federal statutory scheme is so comprehensive that it creates
an inference that Congress intended to "occupy the field" and
thereby preempt state law; and (3) "conflict preemption," where
a state law directly conflicts with federal law, such that a
person could not comply with state law and federal law
simultaneously. A state law is not necessarily in conflict with
a federal law simply because it provides different regulations;
for example, as a general rule - absent express or implied
preemption - a state may offer more protection than federal law,
though it may not provide less protection than federal law. In
short, that is precisely what this bill seeks to do: offer more
protection.
Although the Committee is not aware of any case law that speaks
directly to the question of whether the specific SCA provisions
at issue here preempt state law, the courts have nonetheless
held that other provisions of ECPA - including warrant
provisions under the Federal Wiretap Act - do not preempt state
law. For example, at least one federal court considering whether
the Federal Wiretap Act preempted provisions of the California
Invasion of Privacy Act (Penal Code Section 630 et seq.)
concluded that the Federal Wiretap Act "was not an attempt to
occupy the field, but merely an attempt to establish minimum
standards." (Whitaker v. Garcetti, 291 F. Supp. 2d 1132, 1142
(C.D. Cal. 2003) (citing People v. Conklin (1974) 12 Cal. 3d
259, 271).) Where federal law establishes "minimum standards," a
state is generally free to establish higher, more protective
standards. A federal district court in California, on the other
hand, held that SCA did preempt state law; however, this
decision was reversed by the 9th Circuit Court of Appeal, albeit
on other grounds. The 9th Circuit did not rule on the lower
court's preemption holding, so there is still no binding
authority in this circuit on whether ECPA's SCA provisions
preempt state law. (Quon v. Arch Wireless (9th Cir. 2008) 529
F.3d 892, 902.)
In short, whether or not SCA would prevent state efforts to
create a uniform warrant requirement for all electronic
communications - where federal law allows a government entity
the option of obtaining certain categories of electronic
communications by subpoena or court order - is arguably an open
question, but it appears that the weight of authority suggests
that the provisions of this bill would not be preempted by
federal law. First, courts have fairly consistently held that
there is no "express" or "field" preemption in regard to SCA.
Therefore, federal law would only preempt on the basis of
"conflict" preemption. But as noted above, conflict preemption
means that it is impossible to comply with both federal and
state law simultaneously, or that state law somehow undermines
the overall purpose of federal law. But creating a uniform
warrant requirement does not appear to conflict with federal law
in this way. The purpose of both federal and state law is to
protect the privacy of the contents of electronic
communications, unless there is a significant government
interest in not doing so. Federal law requires a government
entity to obtain a warrant to access a communication stored on an
ECS that is 180-days old or less, but gives the government
entity the option of compelling access to communications older
than 180 days, or those stored on an RCS, with either a warrant,
a court order, or a subpoena. It is therefore quite possible to
simultaneously comply with both federal law and this bill by
simply obtaining a warrant. Not only would it be possible to
comply with this bill and federal law, this measure also seems
consistent with the overall purpose of federal law. SCA was
intended to protect consumer privacy by offering minimum levels
of protection based on where the electronic communication is
stored, how old it is, and, possibly, whether or not it has been
opened. SCA does not so much give law enforcement a "right" to
obtain communications by lesser means under defined
circumstances; rather, it offers different baseline levels of
protections to the consumer under defined circumstances. SCA,
in short, establishes a minimum level of protection; there is no
constitutional obstacle to a state providing more protection.
That is what this bill appears to do.
Responses to Selected Opposition Concerns : Although opposition
arguments are set forth in more detail below, at least two of
their objections deserve attention. First, opponents contend
that this bill, by only partially codifying the SCA provisions
of ECPA, will create "confusion." Yet, the overwhelming
judicial and scholarly commentary on SCA and ECPA suggests that
that ship has already sailed. Federal law is already
"confusing," especially in light of changing technology. It is
difficult to see how creating a uniform warrant requirement will
create more confusion for law enforcement when existing federal
law requires them to determine whether the service from which
they seek the communication is ECS or RCS, more than or less
than 180 days, open or un-opened, before they can determine
whether they need a warrant, a court order with a lesser
standard than probable cause, or a subpoena. Second, opponents
alternatively argue that this bill is "unnecessary and
duplicative," when the remainder of their arguments are premised
on the fact that the bill is not duplicative. This bill most
certainly does not duplicate federal law; it creates a uniform
warrant requirement that, unlike federal law, does away with
confusing and outdated distinctions that are very difficult to
apply to the modern world of the Internet and "cloud computing,"
things that were scarcely imagined when SCA was enacted in 1986.
ARGUMENTS IN SUPPORT : According to the author, this measure
will accomplish three things. First, the author contends that
"SB 467 updates California's electronic privacy law into the
modern age, ensuring emails and other electronic communications
content are protected from warrantless government intrusion when
stored online and in the cloud. Under SB 467, no government
entity shall obtain the contents of an electronic communication
without a warrant issued by an officer of the court, regardless
of how long it has been in electronic storage or whether it has
been opened or unopened." The author rejects the contention
that this measure will affect the ability to investigate and
solve crimes, noting for example that even "the federal
Department of Justice recently announced for the first time that
it supports a requirement that law enforcement obtain a search
warrant before accessing the contents of electronic
communications from a service provider."
Second, the author states that "SB 467 codifies the practices of
some of the biggest technology companies in California,
including Google, Facebook, Microsoft and Yahoo!, all of whom
require a search warrant before disclosing the contents of
electronic communications."
Finally, the author adds that "SB 467 allows police to obtain
the contents of electronic communications without a warrant if
they have the consent of the user, or an emergency involving the
risk of death or serious injury requires immediate disclosure of
electronic communications without a search warrant."
ARGUMENTS IN OPPOSITION : This bill is opposed by several law
enforcement organizations. The California Police Chiefs
Association (CPCA), for example, claims that the bill is
"unnecessary and duplicative," recreating certain provisions of
the federal ECPA requirements, but not all of them. In addition
to being "unnecessary," CPCA believes that this bill will also
impose new burdens on law enforcement that do not exist under
federal law. First, while federal law "applies only to those
electronic service communications that are available to the
general public" this bill would "eliminate this restricted
coverage." According to CPCA, removing this limitation will
mean that even private, closed communications systems within a
corporation or government entity will be subject to the same
restrictions as commercial service providers, thereby preventing
managers from monitoring whether or not employees are abusing an
in-house e-mail system. Second, this bill would require law
enforcement to give notice to the customer or subscriber within
three days of receiving the information through the prescribed
warrant process. CPCA points out that this notice requirement does
not exist at all under federal law if the information was
obtained pursuant to warrant, and that federal law only requires
prior notice when law enforcement obtains a so-called "d" order
under SCA's Section 2703 (d), which requires disclosure if law
enforcement can show that there are "reasonable and articulable"
facts reasonably showing that the contents are relevant to a
criminal investigation. This would, according to CPCA, "impose
a new burden on law enforcement." Third, unlike federal law,
this bill sets forth a list of information that law enforcement
must provide to the customer or subscriber, whereas, again,
federal law only requires this notice and information for a "d"
order. Finally, CPCA notes that this bill provides for damages,
but does not provide for any statutory defenses or a statute of
limitations, as does federal law (citing 18 USC 2707 (e) and
(f).)
PROPOSED AUTHOR'S AMENDMENT : The existing law relating to a
warrant request from foreign (out-of-state) corporations defines
"electronic communications service" and "remote computing
services" to have the same definition as those set forth in
ECPA. However, this definition is restricted to "this section"
(existing Section 1524.2), and therefore would not apply to the
new sections added by this bill. Changing "section" to
"chapter" will not work because some of the other definitions in
that section would not necessarily apply to all parts of the
chapter. Therefore the author agrees to the following amendment
(or such an approach that Legislative Counsel deems most
consistent with its practice):
- On page 7 after line 11 insert:
For purposes of sections 1524.4, 1524.5, 1524.6 and 1524.7, the
terms "electronic communication service" and "remote computing
service" shall have the same meaning as they have in Chapter 121
(commencing with Section 2701) of Part I of Title 18 of the
United States Code Annotated.
REGISTERED SUPPORT / OPPOSITION :
Support
Electronic Frontier Foundation (sponsor)
American Civil Liberties Union
California Newspaper Publishers Association
California Public Defenders Association
Opposition
Association for Los Angeles Deputy Sheriffs
California District Attorneys Association
California Police Chiefs Association
California State Sheriffs' Association
Los Angeles County District Attorney's Office
Los Angeles Police Protective League
Riverside Sheriffs' Association
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334