The Obama administration released a report on Thursday asking Congress to pass a set of privacy laws aimed at adding more protections for Americans’ personal data and emails under the Electronic Communications Privacy Act (ECPA).
Obama has been under fire since former National Security Agency contractor Edward Snowden revealed that the United States has routinely collected data from unsuspecting people worldwide.
The report calls for Congress to clarify the Consumer Bill of Rights, extend privacy protections to non-U.S. citizens, protect data collected on students from misuse, and expand efforts to prevent discrimination by data.
One of recommendations is for Congress to ensure there is a mechanism to alert consumers when their personal data has been hacked.
"As organizations store more information about individuals, Americans have a right to know if that information has been stolen or otherwise improperly exposed," the report reads.
The key provisions of the 68-page report require action from Congress, something that is unlikely before midterm elections in November.
Written more than 25 years ago, the ECPA has three parts — the Wiretap Act, the Pen-Register Act and the Stored Communications Act.
It establishes rules for when government and law enforcement officials can place a "tap" on an individual's phones, track where communications are coming from and going, and when law enforcement needs to obtain a warrant for access electronic communications such as emails stored on remote servers.
While the wiretapping and pen-register provisions have mostly held up over the years, there have been renewed calls to update the stored communications portion of the law. A pen register is an electronic device that records all numbers called from a particular telephone line.
Alan Butler, appellate advocacy counsel for the Electronic Privacy Information Center, explained that right now law enforcement officials only need to obtain a warrant to access someone’s email if it is stored on a remote server, unread and less than 180 days old. Anything on a server that has been read or is older than the 180 days is open to government investigation without a warrant.
Virtually all email is kept on remote servers by email service providers.
"If you kept letters at home, law enforcement would have to get a warrant," Butler said. "The ECPA was established to extend that protection to electronic data, but the law was passed in the earliest phases of the Internet."
"At the time, because of the costs associated with storage, no one expected that historical communications would be stored on a remote server for any significant length of time."
If Congress were to enact the White House’s proposal, the law would be updated so that a warrant would be required for all emails, regardless of their read or unread status or age. Butler told Al Jazeera that numerous groups have tried for years to update the provision, but the efforts have languished in Congress.
At least three separate bills to update the ECPA have languished in Congress for the last four years. There is also a petition on whitehouse.gov calling for the law to be updated.
While the proposal released Thursday would finally change the email provision, Butler said Obama’s proposal is "modest at best."
"This is the bare minimum proposal," he said, noting that the Department of Justice already seeks warrants for all emails, and this proposal would only make the practice official and apply it to all law enforcement, not just federal agencies.
The White House report does nothing to address concerns over protections for location-based data. This has become an important issue for privacy advocates due to the widespread use of cell phones which track locations, and growing concerns over how law enforcement can use such data. It also doesn’t establish when the government can collect such metadata from cell phones or what they are allowed to do with it after it’s obtained.
"A more complete proposal would have a warrant protection for location data as well," Butler told Al Jazeera. "At the moment the rules really don’t address what happens to all this data after it’s been collected.