Communications Privacy

Communications privacy laws protect the content of communications (including e-mails, text messages, phone calls, and more) and protect the personal information about users of communications service. 

Passage of the Communications Act of 1934 marked the dawn of modern communications privacy law. The Act established the Federal Communications Commission, which administers many of the federal laws that protect the privacy of our messages and communications services . Several states have also enacted their own communications privacy laws, which expand on or complement federal rights.

Regulating Interception, Use, and Disclosure of Communications Content

One of the original provisions of the Communications Act, Section 605, created a robust set of protections for private communications. 

The law makes clear that providers of communications services, and anyone assisting in the transmission of communications, are bound by law to keep those messages in confidence and not to disclose them to anyone other than the recipient. And the law goes further to prohibit any person from intercepting a private message and then goes even further to prohibit any person who has received or even “become acquainted with the contents . . . or meaning of such communication” from divulging or using that information. Violations of this law carry civil and criminal penalties and give rise to a private right of action by any person whose messages have been unlawfully intercepted or used. Section 605 provides for private messages some of the strongest legal protections in the world, and it was enacted in 1934.

Congress has passed many other laws over the last hundred years that build upon the protections of Section 605 and apply them to new types of communications services. Several states recognize even more expansive rights to control the content of communications. For instance, some states require that both parties to a call consent to its recording. These states are commonly referred to as “two-party consent states.”

Regulating Flow of Customer Data

Laws regulating the collection, use, and disclosure of customer data are tailored to specific sectors of the communications market—that is, there is not one overriding law governing the flow of communications customer data, but many sectoral ones. Here are some examples of federal communications privacy laws:

• The Cable Communications Policy Act, which restricts the information cable providers can collect, retain, and disclose about their subscribers;
• The Electronic Communications Privacy Act, which restricts electronic service providers’ ability to access and disclose both the contents of customer communications and other information about customers’ electronic communications;
• The Telecommunications Act, which restricts telecommunications providers’ use and disclosure of “consumer proprietary network information,” or information the providers keep on their customers, such as their calling plans and information generated from the customers’ use of the telephone;
• The Video Privacy Protection Act, which restricts disclosure of individuals’ video viewing histories.

Many of these laws contain private rights of action, which allow individuals to sue for violations of their privacy rights.

Evolving Threats to Communications Privacy

While new technologies can unlock new capabilities they also often introduce new vulnerabilities; some of these vulnerabilities go unrealized for years—for example, exploitation of the Border Gateway Protocol upon which the internet relies. Policy changes can also introduce new vulnerabilities—for example the perennial attempts by law enforcement and intelligence organizations to bypass end-to-end encryption. Recent proposals include setting government-reviewed standards for online platforms’ automated scanning of private photos and data, requirements that communications providers preserve an ability to decrypt any data or communication that they store or process, and orders that would compel a device manufacturer to create new tools to circumvent its own device security settings. Changes in business models can also create incentives to mine communications data—for example to develop marketing insights or to train artificial intelligence models.

Security vulnerabilities in communications systems remain a major, persistent threat to communications privacy. Most prominently these threats include breaches of wireless carriers’ systems, including systems created to provide court-ordered access to law enforcement as in Salt Typhoon (see below). While not every one of these breaches expose the actual content of communications, even metadata can be very revealing, especially in large enough quantities to detect patterns—for example, knowing what initiating phone number called what destination phone number at what time, for what duration, and via what cell towers (cell site location information).

Vulnerabilities in Signaling System 7 (SS7) Short Message System (SMS) “Texts”

Signaling System 7 (SS7) and Diameter are protocols for transmitting Short Message System (SMS) messages, more commonly referred to as text messages. Officials have warned of vulnerabilities in these systems for many years. In February 2024, Sen. Ron Wyden sent a letter to President Biden requesting disclosure of an unclassified independent expert report commissioned by the Cybersecurity and Infrastructure Security Agency (CISA), which includes details “that are relevant to policymakers and Americans who care about the security of their phones.” EPIC has repeatedly urged the FCC to publish this report; in 2025, EPIC commenced FOIA litigation when its FOIA request to DHS (of which CISA is a component agency) was denied.

The Communications Assistance for Law Enforcement Act (CALEA) and Salt Typhoon

Congress passed CALEA in 1994, to give law enforcement easy access to a lawful process for surveilling communications, by requiring telecommunications carriers to facilitate interception of communications by law enforcement. Experts, including EPIC, warned for decades that there is no such thing as a process that only good guys can use, and that malicious actors would enjoy access to the sensitive communications data of Americans if a process existed for law enforcement to obtain such privileged access. In 2024, officials from the FBI and CISA recommended that Americans switch to using an end-to-end encrypted messaging application in the wake of the Salt Typhoon hacking campaign, in which foreign actors compromised the CALEA system. Unfortunately, the Trump Administration disbanded the Cyber Safety Review Board before it could complete its report on Salt Typhoon so the full extent of the compromise of America’s communications networks is unknown and likely still ongoing, despite claims that it is “largely contained.” 

EPIC’s Work

EPIC supports strong enforcement of communications privacy rights. EPIC files amicus briefs supporting individual litigants and government agencies, petitions the FCC to pursue enforcement actions against violators, and files comments supporting strong FCC regulations.