Focusing public attention on emerging privacy and civil liberties issues

Electronic Communications Privacy Act (ECPA)

Top News

Background

Introduction to ECPA

The Electronic Communications Privacy Act ("ECPA") was passed in 1986 to expand and revise federal wiretapping and electronic eavesdropping provisions. It was envisioned to create "a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe.

ECPA includes the Wiretap Act, the Stored Communications Act, and the Pen-Register Act. Wire communication refers to "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection"; in short, it refers to phone conversations. An oral communication is "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation"; this constitutes any oral conversation in person where there is the expectation no third party is listening.

Individuals who violate ECPA face up to five years of jail time and a $250,000 fine. Victims are also entitled to a civil suit of actual damages, in addition to punitive damages and attorney's fees. The United States itself cannot be sued for a violation, but evidence that is gathered illegally cannot be introduced in court.

Prohibition on Interception of Communications

ECPA does include important provisions that protect a person's wire and electronic communications from being intercepted by another private individual. In general, the statute bars wiretapping and electronic eavesdropping, possession of wiretapping or electronic eavesdropping equipment, and the use or disclosure of information unlawfully obtained through wiretapping or electronic eavesdropping. The Wiretap Act prohibits any person from intentionally intercepting or attempting to intercept a wire, oral or electronic communication by using any electronic, mechanical or other device. To be clear, an electronic device must be used to perform the surveillance; mere eavesdropping with the unaided ear is not illegal under ECPA.

There are exceptions to this blanket prohibition, such as if the interception is authorized by statute for law enforcement purposes or consent of at least one of the parties is given. Although some states prohibit the recording of conversations unless all parties consent, ECPA requires only one party consent; an individual can record his own conversation without violating federal law. In the workplace, an employer would likely not violate ECPA by listening to an employee's communications if, for example, blanket consent was given as part of the employee's contract.

In addition to criminalizing the actual wiretapping or electronic eavesdropping, ECPA also prohibits an individual from disclosing such information obtained illegally if the person has reason to know that it was obtained illegally through the interception of a wire, oral, or electronic communication. Similarly, if a person cannot lawfully disclose a lawful law enforcement wiretapping and if he has reason to know that doing so will obstruct a criminal investigation.

Prohibition on Access of Communications

While the Wiretap Act addresses the interception of communications, the Stored Communications Act addresses access to stored communications at rest. In the modern context, this primarily refers to e-mails that are not in transit. The Act makes it unlawful to intentionally access a facility in which electronic communication services are provided and obtain, alter, or prevent unauthorized access to a wire or electronic communication while it is in electronic storage in such system. This statute also makes exceptions for law enforcement access and user consent.

As with other forms of communication protected under ECPA, an employer is generally forbidden from accessing an employee's private e-mails. However, if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails, it may be lawful under ECPA for him to do so.

Pen Registers and Trap and Trace

Pen registers and trap and trace devices provide non-content information about the origin and destination of particular communications. Because this information does not contain the content of the communication, it is subject to lesser restrictions than actual content. The Supreme Court has long held that there is no reasonable expectation of privacy in this information because the telecommunications company has ready access to it; in fact, the company must utilize this information to ensure the communications are properly routed and delivered. The Pen-Register Act covers pen registers/trap and trace.

In the context of phone calls, Pen-Registers display the outgoing number and the incoming number. Because e-mail subject lines contain content, their use on e-mails, per revisions in the USA PATRIOT Act, must include the sender and addressee, but avoid any part of the subject. IP addresses and port numbers associated with the communication are also fair game under the Act.

The regulations specifically apply to "devices" that capture this information. Thus, ECPA generally prohibits the installation or use of any device that serves as a pen register or trap and trace. Amendments in the USA PATRIOT Act allow the term devices to also encompass software.

Also, unlike provisions relating to the interception and access of communications, there is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device. And there is no private cause of action against the government for violations of this law.

Disclosure of Records

ECPA lays out guidelines for law enforcement access to data. Under the Stored Communications Act, the government is able to access many kinds of stored communications without a warrant.

The following table illustrates the different treatment of the contents of an email at various times:

ecpa table

In addition to the specific government exceptions outlined above, there is other information that the government is empowered to collect from communications providers in the form of customer records. Under § 2703, an administrative subpoena, a National Security Letter ("NSL"), can be served on a company to compel it to disclose basic subscriber information. Section 2703 also allows a court to issue an order for records; whether an NSL or court order is warranted depends upon the information that is sought.

An NSL can be used to obtain the name; address; local and long distance telephone connection records, or records of session times and durations; length of service (including start date) and types of service utilized; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment for service (including any credit card or bank account number) of a subscriber. Although the breadth of information that can be gathered with an NSL is quite large, and was dramatically expanded with the USA PATRIOT Act, none of this information is supposed to include content.

All other non-content customer records have to be obtained by a court order under § 2703(d). These include transactional records such as "addresses of web sites visited by the customer and e-mail addresses of other individuals with whom the account holder has corresponded." Although an order for these materials is issued by a court, the court is not issuing a warrant based upon probable cause. Instead, § 2703(d) requires only that there be "specific and particularly facts showing that there are reasonable grounds to believe" that the records requested are "relevant and material to an ongoing criminal investigation."

As was stated, ECPA itself does not prohibit the disclosure of customer records to third parties. When the third party is the government, ECPA expressly permits the service provider to share customer records "if the provider reasonably believes than an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This authorization is found in § 2702 and was added as part of the USA PATRIOT Act. In practice, it allows law enforcement to forgo even the minimal burden of a subpoena or a court order and claim there is an emergency that necessitates the records being turned over. Although it is voluntary for the provider to act under this provision, many do in practice.

Reform

ECPA embodies many important and useful protections, but much has changed since ECPA was passed in 1986; from personal computing to the Internet and now the ubiquity of mobile devices, much of today's technology (and even much of yesterday's) was not conceived when the law was first drafted. ECPA has been amended several times, but has not been significantly modified since becoming law.

ECPA regulates when electronic communications can be intercepted, monitored, or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. ECPA defines "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." This definition focuses on the transfer of the data - the time during which the packets of data are traveling between one point and the other. This creates and "on the wire" versus "off the wire" distinction that is becoming more difficult as technology advances.

ECPA case law is confused in part due to the sharp distinctions drawn between communications in transit and those that are being stored. What was once an clear distinction - particularly with wireline telephones - is now incredibly complex. For example, the packets that make-up a single e-mail are broken apart, transit multiple servers and routers, and are then recombined and stored on remote servers. It is unclear how ECPA applies to these packets: whether the email is in transit, and therefore governed by Title I, or in "electronic storage" and governed by Title II. Title I, the Wiretap Act, and Title II, the Stored Communications Act, have vastly different standards and requirements, which creates uncertainty for users, law enforcement, and the courts.

The adoption of cloud computing, while offering many benefits (such as convenience and ease of access), makes the need for ECPA reform more urgent. Whereas an e-mail stored on a home computer would be fully protected by the 4th Amendment warrant requirement, only the Sixth Circuit has ruled that all e-mail stored on a remote, cloud computing server is protected. More and more information, including documents, e-mails, pictures, personal calendars, and locational data is being stored in the cloud. Much of this data has little or no protection under current law. Protections for locational data, in particular, have been widely discussed, but, to date, have not been added.

The 180 day distinction within ECPA is also the subject of much criticism. When ECPA was passed in 1986, web-based e-mail, such as Gmail, did not exist. Instead, e-mail primarily existed in local intranets where clients would download their messages from the server and the server would, generally, not keep a backup. Congress presumed that any e-mails left on the server for more than 180 days should be treated like abandoned property. This distinction, however, is no longer as relevant today when customers have access to nearly unlimited cloud storage.

Congress has held several hearings on reforming ECPA, with technology companies and digital rights groups lobbying for clear standards that are adaptable to technological advances. Law enforcement has questioned the need to ECPA reform, fearing that reforms could decrease their ability to acquire digital information in a timely manner.

Current ECPA Reform Proposals

On March 19, 2013, Senators Patrick Leahy and Mike Lee introduced the "Electronic Communications Privacy Act Amendments Act of 2013," which was reported favorably to the Senate by the Committee on the Judiciary on April 25, 2013, with an amendment from Sen. Leahy. The bill makes clear that a governmental entity may require disclosure of the contents of an electronic communication "only if the governmental entity obtains a warrant ... that is issued by a court of competent jurisdiction directing the disclosure." This would eliminate the "180-day rule" and the distinction between opened and unopened e-mails for the purposes of law enforcement access. The bill would also impose stricter notice requirements to ensure that any user whose communications are subject to a warrant will be notified promptly.

Additional Resources

Congressional Hearings

Law Reviews

Legal Resources

Websites

Latest News