This bill revises Idaho Code §19-3004A to set out what a provider of electronic communication or remote computing services must produce to a prosecuting attorney or the attorney general when served with an administrative subpoena. It lists the categories of subscriber and connection records that are subject to subpoena, requires delivery within 14 days, and bars the subpoenaing of message content or subscriber account records that disclose internet locations visited (with a narrow exception).
The statute cross-references existing definitions for electronic communication and remote computing services.
The change matters because it creates a formal administrative subpoena pathway for Idaho prosecutors to collect metadata-level records without a court-issued warrant, while also giving providers a statutory mechanism to seek relief if production is unusually voluminous or imposes an undue burden. The bill also grants providers immunity for complying with these subpoenas, and preserves the government's ability to use warrants or traditional subpoenas where appropriate — all of which shifts investigative practice and compliance responsibilities for service providers operating in Idaho.
At a Glance
What It Does
Requires providers transacting business in Idaho to produce specific subscriber and connection records to prosecutors or the attorney general on an administrative subpoena. The statute forbids demands for the content of electronic communications and for records that reveal internet locations accessed, but allows a narrow exception for servers used to initially access the internet.
Who It Affects
Applies to providers of 'electronic communication service' and 'remote computing service' as defined in Idaho law who transact business in the state — including ISPs, cloud storage and processing vendors, and messaging platforms that maintain subscriber or connection metadata. It also directly affects county and state prosecuting attorneys and the attorney general.
Why It Matters
Creates a low-friction path for metadata collection in investigations of a set of enumerated offenses, potentially accelerating investigations while shifting compliance costs and legal risk to providers. The immunity and quash/motion provisions will shape how providers negotiate or litigate production demands.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill spells out that Idaho prosecutors (including the attorney general) may issue administrative subpoenas to providers of electronic communication services and remote computing services for certain categories of records. Those categories include basic subscriber identifiers (name, address), telephone connection records, session times and durations, account start dates and length of service, types of service used, telephone or subscriber numbers and temporarily assigned network addresses, and payment records tied to a subscriber or customer.
Providers must deliver the requested records within fourteen days of receiving the subpoena.
To invoke this administrative route, the subpoena must include a certification on its face by the prosecuting attorney or attorney general that there is reason to believe the requested records are relevant to a legitimate law-enforcement investigation into violations of a closed list of Idaho criminal statutes (the bill cites specific code sections). The statute relies on existing statutory definitions for 'electronic communication service' and 'remote computing service' rather than redefining them within the section.The bill draws a hard line on content: a subpoena under this section cannot demand the content of electronic communications or subscriber account records that disclose internet locations accessed (examples listed include websites, chat channels, newsgroups).
The text explicitly excludes from that prohibition 'servers used to initially access the internet,' which leaves a narrow avenue for certain server-origin data to be requested. Providers can move to quash or modify the subpoena before the production deadline if they can show the request is unusually voluminous or would impose an undue burden.Finally, the statute provides civil immunity for providers, their officers and employees for complying with a subpoena issued under this section, preserves the state's ability to obtain records by warrant, other court order, or grand-jury or trial subpoena, and authorizes contempt proceedings against persons who fail to comply.
The bill also declares an emergency effective date, making the statutory obligations operative as provided in the act.
The Five Things You Need to Know
The subpoenaable records are limited to subscriber identifiers, connection/session logs (including start date and duration), types of service, subscriber numbers or temporarily assigned network addresses, and payment-related records tied to the account.
The provider must deliver responsive records within fourteen (14) days of receiving the administrative subpoena.
A prosecutor must certify on the face of the subpoena that there is reason to believe the records are relevant to an investigation of one of several enumerated Idaho crimes (the statute lists specific code sections).
The subpoena expressly cannot demand the content of communications or subscriber account records that disclose internet locations accessed (websites, chat channels, newsgroups), but the prohibition excludes 'servers used to initially access the internet.', Providers may move to quash or modify a subpoena before the production date if the records are unusually voluminous or compliance would create an undue burden, and the statute grants civil immunity for compliant disclosures.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Scope of records subject to administrative subpoena
Lists the specific categories of records a provider must produce when served: name and address, telephone connection records, session times and durations, length and start date of service, types of service, subscriber/telephone numbers and temporary network addresses, and payment information tied to a subscriber. Practically, this focuses the statute on metadata rather than on message content and makes clear what investigators may seek without a warrant.
Fourteen-day production requirement
Mandates delivery of responsive records within fourteen days of receipt of the subpoena. That deadline establishes a predictable compliance window but may compress operational time for providers to locate, review, and export records, particularly for companies handling large volumes of cross-border data.
Cross-referenced definitions
Refers to existing Idaho Code definitions for 'electronic communication service' and 'remote computing service' rather than redefining them. This keeps the provision tethered to the broader statutory framework but requires providers and prosecutors to consult those earlier definitions to determine applicability, which can raise questions about coverage of newer cloud or edge services.
Certification tied to specific crimes
Requires the prosecutor to certify on the subpoena that the records are relevant to an investigation into one of a closed list of Idaho offenses (the bill cites multiple statutory sections). That certification is the statutory trigger for an administrative subpoena — it is not a probable-cause warrant standard but is a defined threshold for use of this mechanism.
Prohibition on content and browsing-history disclosure (with narrow exception)
Prohibits subpoenas under this section from demanding the content of electronic communications or subscriber account records that disclose internet locations accessed, explicitly naming websites, chat channels, and newsgroups as examples. The text carves out an exception for 'servers used to initially access the internet,' a term that is ambiguous in practice and could be interpreted to allow access to certain origin-server logs or gateway records.
Quash/modification, immunity, contempt, and preservation of other authorities
Allows providers to seek a court order to quash or modify a subpoena before the production deadline if compliance would be unusually voluminous or unduly burdensome. It grants civil immunity to providers and specified persons for complying with such subpoenas, authorizes contempt proceedings against noncompliant persons, and makes clear that the statute does not curtail the state's ability to obtain records via warrant, court order, or grand-jury/trial subpoena — preserving existing judicial avenues for content or other records.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- County and state prosecuting attorneys: Gain a formal administrative subpoena tool for obtaining subscriber and connection metadata without seeking a warrant, which can accelerate investigative leads in the enumerated offenses.
- Law enforcement investigators: Can access standardized categories of account and connection records quickly, helping to reconstruct timelines or identify accounts tied to investigations.
- Victims of the listed offenses: May see faster investigative progress when metadata provides corroboration or lead generation, particularly in time-sensitive cases.
- Providers receiving subpoenas: Receive statutory clarity about what must be produced, an explicit immunity shield for compliant disclosures, and a defined process to seek relief from unduly burdensome requests.
Who Bears the Cost
- Internet service providers, cloud hosts, and messaging platforms transacting business in Idaho: Face operational and legal costs to locate, process and produce requested metadata within a 14-day window, and to litigate quash motions when necessary.
- Service subscribers and users: Risk disclosure of connection and payment metadata to prosecutors without a warrant, which may reveal sensitive associations or patterns even absent message content.
- State and federal courts: May experience increased docket activity from motions to quash, modification requests, and contempt proceedings tied to administrative subpoenas.
- Small or out-of-state providers doing business in Idaho: Could encounter disproportionate burdens complying with Idaho-specific subpoenas while also responding to other jurisdictions' legal demands.
Key Issues
The Core Tension
The bill trades off speed and investigatory efficiency against privacy safeguards and procedural checks: it empowers prosecutors to obtain rich metadata quickly for certain crimes, while relying on a lower evidentiary certification and placing the onus on providers to challenge burdensome requests — a choice that accelerates investigations but reduces the judicial gatekeeping that accompanies warrants.
The statute hinges on a certification standard — 'reason to believe' — that is significantly lower than a probable-cause warrant standard. That lowers the bar for prosecutors to deploy administrative subpoenas but leaves open who evaluates the sufficiency of the certification: the subpoena itself can be challenged by the provider, but the initial threshold is designed to favor investigative access.
The closed list of enumerated offenses limits use to certain crimes, but it also raises questions about investigations that fall outside that list and whether prosecutors will attempt to stretch relevance to bring matters within this statute.
Several practical ambiguities could matter in litigation and operational practice. The bill ties applicability to providers 'transacting or having transacted any business in the state,' a phrase that invites hotly litigated jurisdictional questions for global cloud and platform providers.
The carve-out for 'servers used to initially access the internet' is compact but vague — it may be read to permit gateway or access-provider logs that effectively reveal origin paths, undermining parts of the content/location prohibition. Finally, the statutory immunity for providers protects compliant disclosures, but it does not resolve potential conflicts with federal law (for example, the Stored Communications Act) or constitutional claims; those intersections will shape how providers assess the risk of production versus resistance.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.