Blog

 March 5th, 2015

To Beep or Not to Beep: The Ups and Downs of Smartphone Privacy

 By Eliza Cohen

 http://www.economist.com/news/leaders/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones

http://www.economist.com/news/briefing/21645130-watch-out-hackersand-spooks-spy-your-pocket

On February 19, the Intercept revealed that spies at GCHQ (Britain’s equivalent to the NSA) had stolen hundreds of thousands of encryption keys coded into Gemalto SIM cards in order to access conversations and data. The story was based on documents that were leaked by Edward Snowden, the government contractor who began to publicly disclose classified NSA documents in June 2013.

On the heels of this latest report, The Economist has published a two-story briefing in its issue of February 28. In “Smartphone Security: The Spy in Your Pocket,” the magazine paints a harrowing picture of cellular security, described as “mostly an afterthought in a booming industry that has always seen market share as the priority.” Organizations such as the NSA have entire departments whose job it is to breach cell phone encryptions and other protective mechanisms. Criminal malware is described as an ever-growing industry, and an alarming number of apps are guilty of transmitting unencrypted data that may be read at will. Though industry players and consumers are cognizant of data protection issues, The Economist writes that “there is still a lot for the industry and its users to learn.”

In its second briefing, “Planet of the Smartphones,” The Economist plays its own devil’s advocate. The magazine enumerates three benefits that militate against the threat to privacy posed by smartphones. First, “the same phones that allow governments to spy on their citizens also record the brutality of officials and spread information and dissenting opinions.” Thus, the magazine writes that smartphones empower the ordinary individual to challenge government authoritarianism. Second, the same personal data that companies may seek to exploit can also used to advance the public good. Smartphones are described as “digital census-takers” that create an unprecedentedly detailed view of society in real time. This data may be used for a variety of social purposes, including crime prevention and the monitoring of global epidemics. Third, The Economist holds that smartphones provide immense economic benefit. Smartphones have the potential to remake entire industries at lightning speed. The phone itself is the platform, which is conducive to the development of cheap startups (like WhatsApp and Uber) that may one day be valued in the millions or billions. Though cell phones present important privacy considerations, The Economist opines that society must adapt to these new realities, and develop norms and methods of accountability for smartphone use.

The Economist is right about one thing: the smartphone has changed the world, and is an invaluable source of economic and social good. However, by focusing on the benefits that accrue from smartphone usage, the magazine is adopting an oversimplified approach to information privacy. The mere fact that cellular data may be used to advance the public good is not a justification for the breach of privacy on a universal scale. In Riley v. California, the court states: “the fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of protection.” Smartphones may be used to combat authoritarian regimes, to aggregate useful data, and to remake entire industries — but not at the expense of global privacy. Widespread government spying and corporate data-mining are not necessary corollaries of cell phone usage. Though data monitoring may be necessary in certain instances for the purposes of national security, these usages should be circumscribed, and governments must be held accountable for their actions to the greatest extent possible. In United States v. Warshak, the court held that “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will whither and perish.” Since the NSA wiretapping scandal first came to light, it has become glaringly apparent that the age of “reasonable” privacy is over, and that we are more in need of Fourth Amendment protections now than ever before. Yes, The Economist is correct in stating that cell phones are “ubiquitous, addictive and transformative” — but ultimately, at what cost?

February 27, 2015

Gemalto hacking shows that NSA and GCHQ are not shy about targeting market leaders to weaken phone encryption security

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt-know/

http://www.theregister.co.uk/2015/02/20/gemalto_sim_surveillance_fallout/

By: Edwin Mok

On February 19, 2015, The Intercept reported that in 2010-2011 the American and British spy agencies had hacked the world’s largest manufacturer of SIM cards and stolen encryption keys, potentially allowing intelligence agencies to “monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments”. The report was based on top-secret documents provided by NSA whistleblower Edward Snowden. According to a 2010 document, the NSA and the Government Communications Headquarters (GCHQ) – the NSA’s British counterpart – conducted a joint operation targeting Gemalto, which makes chips used in mobile phones and credit cards, and whose clients include “AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world”.

Six days later, on February 25, 2015, Gemalto released a statement confirming that “in 2010 and 2011, [the company] detected two particularly sophisticated intrusions” upon their internal computer networks. It continues: “At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation”. However, Gemalto asserts that the intrusions “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys”. It speculates that its dominance in the SIM card market may have made it the “target of choice for the intelligence services in order to reach the highest number of mobile phones”.

SIM cards store information used to identify and authenticate subscribers on a telecommunications network. They are also used to store information such as contacts, text messages, and phone numbers. Domestically, the FBI and other agencies can force U.S.-based telecommunications companies to give up such information through court orders. However, this sort of data collection is much more difficult at the international level, because foreign governments and companies will not typically allow the NSA or other intelligence agencies to access the communications on their networks. Possession of the encryption keys would, according the The Intercept article, give the NSA “the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted”.

Although Gemalto claims that no encryption keys were stolen – and some experts have expressed serious doubts as to the thoroughness of their investigation – the fact that the hacking attempt occurred is significant. It shows that the NSA and the GCHQ have in the recent past attempted to seriously compromise phone security on a vast and global scale. And it shows that they are not shy about targeting the biggest players in the market. It is notable that Gemalto is headquartered in Amsterdam, that is, not within any country part of the “Five Eyes” intelligence alliance (comprised of Australia, Canada, New Zealand, the U.K., and the U.S.). It seems, at the very least, the NSA and the GCHQ view any company based outside of those five countries as fair game.

There is an additional important wrinkle to this story. The article by The Intercept resulted in a $470 million loss to Gemalto’s stock price. While that stock price has since rebounded (helped no doubt by Gemalto’s assurances that no encryption keys were stolen), this situation raises the specter of state-sanctioned electronic espionage as an economic, investment, and insurance risk for international companies operating in the telecommunications space. It is one thing when such attacks purportedly originate from China or North Korea. It’s quite another to learn that such attacks have been occurring between supposedly friendly nations. And it begs the question: who else has been in the NSA’s crosshairs?

The message is clear. If you are an international company with information viewed as strategic to the NSA or other spy agencies, you’re a potential target. Indeed, they may already have targeted you.

February 26th, 2015

Do we have information privacy at the era of smartphone?”

By: Ying Zhang, L.L.M

http://en.miui.com/thread-67462-1-1.html

In Riley v. California, the Supreme Court found that “Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee’s person.” The Supreme Court pointed out that one of the most distinguishing features of modern cell phone is their immense storage capacity; the storage capacity of cell phones has several interrelated consequences for privacy. Further, the Supreme Courts believed that the data stored on a cell phone is not only distinguished from physical records by quantity, certain types of data are also qualitative different. For example, an Internet search and browsing history could reveal an individual’s private interest or concerns; historic location information can reconstruct someone’s specific movement; mobile application software on a cell phone offers a range of tools for managing detailed information about all aspects of a person’s life. The Supreme Court held that “a cell phone search would typically expose to the government far more than the most exhaustive search of a house…”. Based on the above, among others, the Supreme Court finally determined that the police must get a warrant before searching a cell phone seized incident to an arrest.

In the above ruling, the Supreme Court recognizes that the decision will bring an impact on the ability of law enforcement to combat crime, but why does the Supreme Court still make the ruling? Is the Supreme Court proactive in its ruling or did the Court exaggerate the influence of cell p hone on our daily life? Let’s see a related data in relation cell phone from China.

The linked article below is about a transcript of the interview with Jun LEI by Russell Flannery of Forbes Shanghai. Jun LEI is a founder and the CEO of the biggest Chinese cell phone manufacturer XIAO MI. LEI was recently crowned as Forbes’ Business Man of The Year in Asia. In accordance with the interview, we may conclude that the Supreme Court does not overstate impact of cell phone to our life; moreover, our information privacy is highly threatened by the data that we believe are stored in our cell phone even if we hold our cell phone with us 24 hours a day.

1. A cell phone itself does not only store large quantity of information, since a cell phone now is able to connect to Internet any time and places, a cell phone may store more and more information on various types of “big data cloud services” from time to time. LEI mentioned that only the cell phones that are manufactured and sold by XIAO MI will uploads 380 Terabytes content to the cloud storage that is provided by XIAO MI. One Terabytes equals 1024 Gigabytes; if data of 380 Terabytes is all about pictures in cellphone phones, this implies that users of XIAO MI cell phones uploads over 0.1 billion pieces of pictures every day.
2. In addition to the quantity of the information that is stored in a cell phone, XIAO MI cell phones are also connected with TC, Box, wearable devices, router, and smart home devices; this decides a cell phone can collect and store various types of information. Therefore, through the cell phones it sold, XIAO MI acquires massive data not only phone numbers and communication log, but also other valuable and sensitive information, such as health records.

3. Cell phone service providers and cloud storage service providers plan to make profits upon acquiring and controlling these data. LEI predicted that XIAO MI will have more than 1000 Petabytes of data after year 2015 which will need more servers, machines, IDCs, bandwidth. In accordance with LEI, 1 Petabyte storage services (1 Petabyte amounts to 1000 Terabytes) requires cost of RMB 3 million; 1000 Petabytes will cost XIAO MI around RMB 3 billion. Once cell phone users store their data, for free, on the cloud storages that are provided by XIAO MI at its own expenses, XIAO MI will ask every user’s permit to read very the user’s data. Once a user permits, XIAO MI can use machines to read and analyze the data and make many commercial decisions. For example, XIAO MI may determine whether it can give a user a loan. If the data reveals that a user has a stable income, pay your credit card debts on time, never goes out of New York city, then XIAO MI might decide to hire the user and lend the user one hundred thousand RMB without “fear” that the user will leave, because XIAO MI owns all data of the user.

After all, LEI believes that mobile networking is still in its explosive growth phase and will continue for 5 to10 years. Smartphones will be the center of the world. Everything is within our control via a smart phone, house’s air, water quality, and safety; this also means that others can use our smart phone to do so too

February 26th, 2015

Department of Justice Warrant Requirement Proposed Amendment Concerning Electronic Surveillance in Anonymous Computer Sources Raises Serious Fourth Amendment Concerns

By: Breta Olsen

http://www.slate.com/blogs/future_tense/2015/02/19/google_says_proposed_doj_rule_41_revision_is_monumental_fourth_amendment.html

http://justsecurity.org/15018/justice-department-proposal-massive-expand-fbi-extraterritorial-surveillance/

https://www.aclu.org/blog/national-security/government-pursuit-less-secure-internet

The DOJ has proposed an amendment to Rule 41 of Federal Criminal Procedure on a proposed amendment that would allow magistrate judges to issue search warrants outside of their jurisdiction that authorize the “use [of] remote access to search electronic storage media and to seize or copy electronically stored information” when the location of the computer source is unknown. According to the DOJ, this amendment will ensure that FBI searches of digital data do not have their warrants precluded due to lack of venue when technology is used to disguise a computer’s geographic location.

While the Department of Justice insists that this is a small tweak to an existing rule that does not expand the power of the FBI to search, organizations as varied as Google, the ACLU, Reporter Committee on Freedom of the Press and the Electronic Frontier Freedom all cautioned the Judicial Conference Advisory Committee on Criminal Rules to reject the proposal and advised that, if this change should be made, Congress is the appropriate venue rather than the rule-making process due to fourth amendment concerns.

According to the ACLU, the sample search warrants submitted to the committee indicate that the warrants would be used to implement network investigative techniques (NIT), which involves the hacking of a device and the installation of malware on the targeted computers. These searches may well constitute an unreasonable search under the fourth amendment given their destructive nature, unpredictability, and ability to affect countless non-targeted computers.

Google points out that the wording of the amendment is sufficiently vague to raise further fourth amendment concerns. For example, the sample warrants make no attempt to describe what “storage media” will be searched, giving seemingly unlimited access, which is disturbing because NIT makes it possible for the government to take control of targeted computers and access data stored locally, on a network drive, or in the cloud. This raises serious particularity concerns under the fourth amendment. With respect to the scope of the warrants, Google points out that there are no statements on the sample warrants about what type of “storage media” will be searched or how the government will avoid implicating non-targeted computers in the search as it tracks an anonymous actor. Finally, Google points out that NIT techniques have the ability to access a computer’s microphone and camera remotely. To the extent that any of these searches employ this method, and either activate these devices or collect information in real time from them, the heightened protections of Title III would apply, and the government has not addressed these concerns in their proposal.

Public comments before the Committee closed on February 17 and in the next few weeks, the Judicial Conference Advisory Committee on Criminal Rules will make a decision about the preliminary proposal.

February 26th, 2015

U.S. v. Winn

By: Siyuan Wang

https://s3.amazonaws.com/s3.documentcloud.org/documents/1667465/sd-illinois-cellphone-20150209.pdf

http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/02/23/court-invalidates-cell-phone-warrant-as-overbroad/

In this case, a man named Winn (the defendant) had been seen using his cell phone to photograph or videotape a group of minors in their swimsuits while rubbing his genitals. The government asked for and obtained a warrant to search Winn’s phone for all evidence of public indecency stored inside it. The officer used the Cellebrite UFED Touch machine to extract data from the cell phone, which included “two calendar events, a forty-four item call log, twenty-three contacts, eighty text messages, 312 images, and twenty-five videos.” No evidence of public indecency was obtained, but some of the data was evidence of child pornography. Winn seeks to suppress the evidence, claiming that the warrant was overbroad. The court agreed with defendant on this issue and reasoned:

The warrant authorized the seizure of “any or all files” contained on the cell phone and its memory card that “constitute[d] evidence of the offense of [Public Indecency 720 ILCS 5/11–30],” including, but not limited to, the calendar, phonebook, contacts, SMS messages, MMS messages, emails, pictures, videos, images, ringtones, audio files, all call logs, installed application data, GPS information, WIFI information, internet history and usage, any system files, and any delated data (Docs.22–2, 22–3).

The major, overriding problem with the description of the object of the search—“any or all files”—is that the police did not have probable cause to believe that everything on the phone was evidence of the crime of public indecency. The description was a template used by the St. Clair County State’s Attorney’s Office for all cell phone searches. Templates are, of course, fine to use as a starting point. But they must be tailored to the facts of each case. This particular template authorized the seizure of virtually every piece of data that could conceivably be found on the phone. The Supreme Court put the scope of such a wholesale seizure in perspective by explaining that it “would typically expose the government to far more than the most exhaustive search of a house.” Riley v. California, 134 S.Ct. 2473, 2491 (2014) (emphasis in original). Obviously, the police will not have probable cause to search through and seize such an expansive array of data every time they search a cell phone.

The court went on to explain what a specific warrant looks like:

the warrant could have described the location of the incident as well as the subjects of the images—children at a swimming pool, or more specifically young girls in swimsuits at the Mascoutah Public Pool. See, e.g., Mann, 592 F.3d at 780–81 (where warrant authorized police to search for “images of women in locker rooms or other private areas” for evidence of voyeurism).

This reasoning demonstrates court’s concerns of aggregating data stored in cell phones and how it influences the scope of warrant. As recognized in Riley, cell phone is different in the sense of type and range of data contained. The rationale is that due to the large storage capacity, the expectation of privacy is heightened in such context.

This is an easy case because the law enforcement used a template warrant, which was “patently” overbroad by nature. The court took a very restricted approach by saying that only photos and videos related to public indecency crime should be searched since only these two types of data were relevant. Along this line of reasoning, we need to first match the possible form of evidence with the crime feature in order to determine the scope of a warrant. Then problem of how extensive the search need to be in accordance with the suspected crime will arise.

Panel 9

February 23rd, 2015

By: Alexia J Boyarsky

Proposed Congressional Reform to Government Access to Emails

http://thehill.com/policy/technology/230974-leahy-lee-ready-email-privacy-bill

http://ivn.us/2015/02/16/240-u-s-reps-sign-bill-protecting-private-online-communications/

http://www.zdnet.com/article/ecpa-reform-will-kill-warrantless-email-searches/

New bi-partisan Congressional bill was introduced this week, resembling a similar bill from last year, that would require the government to get a warrant prior to obtaining access to any emails. As current law stands under the Electronic Communications Privacy Act from 1986, the government only needs a subpoena for old emails (older than 180 days) or for read emails. These provisions made some limited sense when the bill was enacted because storage space was expensive and most people did not keep their emails for that long. However, in the modern day, the Congressmen argue that emails have become so pervasive and so private that more protections are vital.

Currently, 240 cosponsors have signed onto the deal, which makes it possible that it will pass Congress. After the Patriot Act, the most vocal opposition to government searches of emails was silenced, however, in the wake of news of the National Security Agency surveillance leaks, there has been more support throughout Congress for laws that limit the government’s abilities to search citizens’ emails. These reintroduced bills will be voted on either this month or next, and barring a comparable bureaucratic stalemate such as what killed the bill last year, they are likely to pass.

Major Tech Companies Take Sides in Battle Over Update To ECPA

By: Matthew Shore

Panel 9

Link: http://www.law360.com/articles/614439/google-others-renew-push-for-digital-privacy-law-reform

From industry to civil rights groups, many sides are now lining up against the government in the fight to bolster the Electronic Communications Privacy Act. Google, Twitter and other tech companies recently sent a letter to House Judiciary Committee Chairman Robert Goodlatte and Ranking Member John Conyers, asking that Congress give consideration to the Email Privacy Act. The act, which would be an update to the Electronic Communications Privacy Act, “would make it clear that, excepting emergencies, the government needs a warrant to compel a service provider to disclose the content of emails, texts or other private user material stored in the cloud by the service provider.”

In the Sixth Circuit opinion United States v. Warshak, Judge Boggs stated that “[t]he government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause.” This seems to line up with the goal of the Email Privacy Act. However, supporters note that there have also been conflicting rulings, which has left both the government and service providers in an uncertain position.

While service providers may be looking for guidance in how to act, and protection of their customers, the government’s interest is in protecting its citizens. Advocates for digital privacy, in pushing for the Act, can point to the extent of our lives that now exist in our emails, texts and information in the cloud. Government actors have an argument that this is the very reason that the government needs the ability to access this information easily. Much of the planning by terrorists occurs outside of the old methods of surveillance and the government must be able to act quickly, if need be.

By: Rose Dorvel

February 19, 2015

http://www.huffingtonpost.com/2015/02/13/david-carr-edward-snowden-death-interview_n_6677790.html

Has media coverage of Snowden’s NSA leaks conditioned Americans to have no subjective expectation of privacy in their virtual lives?

Earlier this week, New York Times columnist David Carr dropped dead mysteriously following a panel interview with Snowden discussing the film Citizenfour, which tracks the former-NSA-contractor-turned-whistleblower’s decision to leak National Security Agency’s documents on widespread, unchecked governmental spying on citizens to the media. Conspicuously absent from the article is mention of any privacy protection measures underway that were prompted by Snowden’s leaks.

With each article that exposes the sweeping surveillance of American citizens—without mention of mitigation measures underway by public or private actors, the notion that one’s virtual life is always being watched and retained for potential future use, misuse or abuse is drilled into the public’s brain. After an avalanche of articles exposing relentless NSA spying on U.S. citizens, Americans are aware and on notice that the government is relentlessly capturing their personal data (via phones, computers, social media, etc.). Repetition of this idea, without consequential public or political backlash, has not accomplished protection against pervasive privacy invasion, presumably the objective of Snowden’s decision to leak NSA documents.

Instead, Americans are told and again that the NSA tracks and records their every move, which is likely and, often necessarily, an electronic one in the modern day.

An insidious consequence of the media’s Snowden coverage is that the people have been conditioned to accept the pervasive spying as normal, perhaps per a regime to protect American freedoms from threats of terror. This result is antithetical to Snowden’s pledged objective to curb widespread unchecked spying, and one that could actually lead to an acceptance of total surveillance, and consequent erosion of Fourth and First Amendment protections. After hearing Snowden’s story, many Americans may no longer subjectively expect any privacy when they use their smartphones, computers, and other ubiquitous digital devices.

With the all the media coverage and a film in the public domain publicizing pervasive NSA surveillance, would an American citizen subjectively expect his electronic communications to be kept private? Would society consider such an expectation reasonable? What about in the name of national security?

Carnivore, an FBI program capable of recording, searching and storing all contents of electronic communication, was the hotly debated subject of governmental initiatives to establish more stringent privacy protection measures. Then 9/11 promptly snuffed out the debate.

Hitler, in Mein Kampf, said “The best way to take control over a people and control them utterly is to take a little of their freedom at a time, to erode rights by a thousand tiny and almost imperceptible reductions. In this way, the people will not see those rights and freedoms being removed until past the point at which these changes cannot be reversed.” Let’s examine whether Americans have exchanged some of their civil liberties for a promise of security from an external terror threat, how we can balance homeland security measures with the Fourth Amendment’s “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches,” and initiate means to protect information privacy until privacy as we know—or knew—it is gone for good.

Jewel v. National Security Agency: Mass Surveillance

By: Nireeti Gupta

Panel 9

Link 1: http://www.huffingtonpost.com/2015/02/10/nsa-warrantless-searches_n_6656314.html

Link 2: http://www.theregister.co.uk/2015/02/11/eff_loses_nsa_wiretap_appeal_again/

The case before the District Court of California, was filed in 2008 by Electronic Front Frontier on behalf of AT&T customer Carolyn Jewel. The case took on renewed importance in the wake of the Snowden leaks which exposed top-secret information about the National Security Agency’s (‘NSA’) surveillance of Internet communications.

Judge Jeffrey White on February 10, 2015 ruled in favor of NSA in a lawsuit challenging the interception of Internet communications without a warrant.

The Plaintiff had alleged that as part of a system of mass surveillance, the Government receives copies of their Internet communications, then filters the collected communications in an attempt to remove wholly domestic communications, and then search the remaining communications for potentially terrorist-related foreign intelligence information. Plaintiff contended that NSA taps into the fiber cables that make up the backbone of the Internet and gathers information about people’s online and phone communications (‘Upstream Program’).

The Plaintiffs argued that the copying and searching of their private internet communications is conducted without a warrant or any individualized suspicion and, therefore, violates the Fourth Amendment. The Fourth Amendment prohibits the Government from intercepting, copying, or searching through communications without first obtaining a warrant based on probable cause, particularly describing the place to be searched and the things to be seized.

The Government described the collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. Upon approval by the Foreign Intelligence Surveillance Court, NSA analysts identify non-U.S. persons located outside the United States who are reasonably believed to possess or receive, or are likely to communicate, foreign intelligence information.

Once designated by the NSA as a target, the NSA tries to identify a specific means by which the target communicates, such as an e-mail address or telephone number. That identifier is referred to a “selector.” Selectors are only specific communications accounts, addresses, or identifiers. According to the Government’s admissions, an electronic communications service provider may then be compelled to provide the Government with all information necessary to acquire communications associated with the selector. However, it claimed that the information necessary to litigate Plaintiff’s claims is subject to and excluded from use by the “state secret privilege” and other related privileges and that their cases should be dismissed.

Judge White found that Plaintiff had not established sufficient standing to sue under the Fourth Amendment, that is, they did not present enough evidence to prove that they had been directly harmed by NSA’s actions, and so had no grounds on which to sue. Judge White further added that a potential Fourth Amendment claim would have to be dismissed on the basis that any possible defenses would require impermissible disclosure of state secret information.

February 19

By: Colin Johnson, Panel 9

California Lawmaker Proposes Warrant Requirement for Digital Data Access

Article: http://arstechnica.com/tech-policy/2015/02/california-lawmaker-proposes-warrant-requirement-for-digital-data-access/

Last Monday, a California state senator introduced the California Electronic Communications Privacy Act, a bill that would establish new requirements for law enforcement officials to access suspects’ digital information. If passed, this bill would be the most comprehensive state provision for the protection of digital privacy in the country.

CalECPA, as the bill is known, would provide significantly greater digital privacy rights to individuals than the current federal requirements. While courts have issued rulings clarifying and strengthening the protections of the federal ECPA, the law itself has remained largely unchanged since its implementation in 1986. Until Congress successfully passes a bill to update existing ECPA, citizens must rely on state courts to protect their digital information.

CalECPA would establish a warrant requirement not only for email but for all electronic communications, including contacts, GPS information, and metadata. However, the most interesting provision under the proposed law would allow for the appointment of special masters to ensure that the warrants are narrow and that any legally gathered information that turns out to be beyond the scope of the investigation is destroyed immediately.

If passed, CalECPA would provide a significant victory for digital privacy advocates. The passage of this expansive bill would send a clear message to federal lawmakers that the outmoded ECPA needs to be updated immediately in order to reflect the rapidly changing digital landscape of the twenty-first century.