Electronic Communications Privacy Act (ECPA)


Electronic Communications Privacy Act (ECPA) Beau Kellogg

Structure of the ECPA
Broken down into three titles
  Title I: The Wire Tap Act – restricts interception of communications in actual transmission (recall last week's class)
  Title II: The Stored Communications Act (SCA) – restricts government access to stored electronic records and communications
  Title III: Pen Register Act – restricts and regulates the use of pen & trap devices (again, recall last week's class)
This will focus on the SCA; 18 U.S.C. 2701-2712

Overview
Purposes of the SCA
Defining key terms in the SCA
Using investigative instruments under the SCA
Voluntary disclosure
Remedies
Preservation of evidence and reimbursement
Constitutional issues

Legislative History of the SCA
Purpose: fear that 3rd parties had little incentive to protect the private electronic communications and records of their customers
  Stories of law enforcement having unfettered access to ISP servers (ex. AOL)
Other important things to take from the legislative history
  It is clear both houses intended a relationship between the level of protection and the degree of the privacy interest
    Ex. Stricter rules for providers of services “to the public”
    Ex. Stricter rules for content revealing disclosures
  Law is attempting to keep current with modern technology; it used to be that stored records could be literally locked away but in the computer age this is no longer the case
  A fear that people would not take advantage of these new technologies due to privacy concerns
    As an example, one senator stated a key goal was to give people the same sense of security in their e-mail as they have in regular mail

Definitions
Note: This is a very poorly drafted statute made exponentially worse by even poorer judicial interpretation; you’ll also be glad to hear it’s a highly technical statute
Easiest way to approach this statute is to work backwards and start by defining key terms before turning to the substantive rules
First two key terms
  1) “Electronic Communication Service” (ECS); 18 U.S.C. 2510(15)
  2) “Remote Computing Service” (RCS); 18 U.S.C. 2711(2)
Important because this determines who the SCA applies to (applies to communications held by companies providing ECS & RCS) and also because at times different rules apply to the two

Defining Electronic Communication Service (ECS)
“Any service which provides to users thereof the ability to send or receive wire or electronic communications” – 18 U.S.C. 2510(15)
Legislative history: Primary target of this definition is “telephone companies and electronic mail companies”
Keeping up with changing technological trends
  Text message service provider is an ECS; Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008)
  Host of bulletin boards is an ECS; Kaufman v. Nest Seekers, LLC, 2006 WL 2807177 (S.D.N.Y. 2006)
Any provider of ECS is subject to the SCA
  True even if these services are provided incidentally
    Ex. Any company that gives its employees e-mail
    Ex. Company that provides drivers with network of call centers accessible via a cellular phone is an ECS; In Re Application of the United States, 349 F.3d 1132 (9th Cir. 2003)
Area of confusion: what happens when a business is using the services of an ECS provider to provide their customers with the ability to send and receive communications? Are they then a provider of ECS themselves?
  Ex. Amazon.com

Defining Remote Computing Service (RCS)
A remote computing service is “the provision to the public of computer storage or processing services by means of an electronic communications system” – 18 U.S.C. 2711(2)
Electronic communications system is given its own definition elsewhere as “any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications” – 18 U.S.C. 2510(14)
Legislative history: designed to cover any entity that provides “an off-site computer that stores or process data for a customer”
Two important limitations
  1) Storage must be the primary purpose of the entity; i.e. any storage by a business for incidental purposes does not make it an RCS (ex. Standefer – “e-gold” not an RCS even though it held electronic data for customers because it held this data incident to the primary purpose of facilitating gold exchange)
  2) Provision of RCS must be “to the public” for SCA to apply to entity; i.e. an employer who provides RCS to their employees only is not covered

Modern Confusion in Distinguishing Between ECS & RCS
Many modern technologies are actually both
  Ex. Comcast, which provides its customers with internet service (ECS) but also provides them with storage accounts for their e-mail (RCS)
Circuit split: Can a company function as both an ECS and an RCS?
  Majority: Yes, a company can be both; what rules apply to it depend on what it was doing at the time in question
  Minority (9th Cir.): While a company may provide both on an entity-wide basis, on the basis of the individual customer the entity can only be providing one or the other
  Legislative history: unclear, but tends to support the majority

Definitions Continued – Defining the Type of Information Held by the ECS or RCS
Type I: Non-content revealing information (such as basic subscriber information) – 18 U.S.C. 2703(c)(1 & 2)
Type II: Content revealing information (such as the actual files in the account) – 18 U.S.C. 2510(8)

Non-Content Revealing Information
Non-content revealing information includes “(A) name; (B) address; (C) local and long distance telephone connection records, or records of session times and durations; (D) length of service (including start date) and types of service utilized; (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and (F) means and source of payment for such service (including any credit card or bank account number)” – 18 U.S.C. 2703(c)(2)
The statute also has a catch-all provision designed to catch non-content revealing information missed by the specifically enumerated categories above: “a record or other information pertaining to a subscriber or customer of such service (not including the contents of communications)” – 18 U.S.C. 2703(c)(1)

Content Revealing Information
“‘Contents,’ when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication” – 18 U.S.C. 2510(8)
  Note: includes subject lines; see Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995)
SCA breaks content revealing information into two categories
  1) “Electronic Storage” maintained by an ECS, which includes “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication” – 18 U.S.C. 2510(17)
  2) “Electronic Storage” maintained by an RCS

Major Circuit Split in Defining ECS vs. RCS Storage
Majority: entity is acting as ECS only when the communication is in transition (i.e. not opened by the recipient yet) and when it makes back-ups of intermediate communications to ensure system integrity; once a communication is opened, should the user choose to save it, the entity is acting as an RCS
Minority (9th Cir.): entity is always acting as an ECS because even after the communication is opened it stores a back-up; Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
Debate: the majority view seems to read subsection B out of the “electronic storage” definition, but the minority view seems to read out RCS because it effectively makes almost all entities an ECS (conflates “backup protection” with ordinary file storage)

Putting It All Together
Person A sends an e-mail from their account (A@aol.com) to Person B (B@netscape.com)
  When the message is in transit, AOL is acting as an ECS
  If A saves a copy of the e-mail in their account, AOL is acting as an RCS
  When Netscape receives the e-mail, they are acting as an ECS and remain so while the e-mail sits unopened in B’s account
  When B opens the e-mail and saves it to their account, Netscape is now acting as an RCS
Note: if this were the 9th Circuit, both entities would be acting as an ECS throughout

Compelled Disclosure
SCA gives the government five ways to compel a covered entity to disclose information – 18 U.S.C. 2703
  1) Subpoena
  2) Subpoena w/ prior notice to customer
  3) 2703(d) order
  4) 2703(d) order w/ prior notice to customer
  5) Search warrant
These methods are in order from easiest to get to hardest to get and also from least amount of information available to most
Note: government can compel disclosure of information on its own volition (i.e. w/o formal order) in two narrow circumstances
  1) When investigating telemarketing fraud, may demand the name, address, and place of business of a subscriber or customer engaged in telemarketing – 18 U.S.C. 2703(c)(1)(D)
  2) May compel a service provider to disclose non-content information pertaining to a customer or subscriber when the government has obtained the customer or subscriber’s consent – 18 U.S.C. 2703(c)(1)(C)

Subpoenas
A subpoena allows the government to obtain only non-content revealing information
Threshold to get a subpoena is very low; government just must assert it's relevant to an on-going investigation
If the government gives prior notice of the subpoena to the customer, they can also receive…
  1) “the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days.” – 18 U.S.C. § 2703(a)
  2) “the contents of any wire or electronic communication” held by a provider of remote computing service “on behalf of . . . a subscriber or customer of such remote computing service.” – 18 U.S.C. § 2703(b)(1)(B)(i), § 2703(b)(2)
  Note: in the 9th Circuit, where Theofel applies, the second category will almost never apply and the government will not be able to use subpoenas to obtain any content information less than 180 days old
Government may still utilize all the powers of a subpoena with notice without actually notifying the customer immediately if they get a delayed notice order – 18 U.S.C. 2705(a)(1)(B)
  Permits notice to be delayed for ninety days “upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result” – 18 U.S.C. § 2705(a)(1)(B)
  Government may apply for an additional ninety day delay
  Upon expiration of the delay, the government must send the notification to the customer along with a letter explaining the delay and a copy of the order

Section 2703(d) Orders
Section 2703(d) order allows the government to receive non-content revealing information plus…
  All “record[s] or other information pertaining to a subscriber to or customer of such service (not including the contents of communications [held by providers of electronic communications service and remote computing service])” – 18 U.S.C. § 2703(c)(1)
Government must offer specific and articulable facts showing the information sought is relevant to an on-going investigation (courts have held the standard is higher than a subpoena but lower than a warrant; one circuit has said it's analogous to the Terry stop reasonable suspicion standard); United States v. Perrine, 518 F.3d 1196 (10th Cir. 2008)
Government must articulate what they are after and confine their search to this (no fishing expeditions)

Section 2703(d) Order with Prior Notice to the Customer
If the government gives prior notice (or gets prior notice waived as described earlier) they can also receive the following with a 2703(d) order…
  1) “the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days,” – 18 U.S.C. § 2703(a)
  2) “the contents of any wire or electronic communication” held by a provider of remote computing service “on behalf of . . . a subscriber or customer of such remote computing service.” – 18 U.S.C. § 2703(b)(1)(B)(ii), § 2703(b)(2)
Again, in the 9th Circuit, where Theofel applies, the second category will almost never apply and the government will not be able to use 2703(d) orders to obtain any content information less than 180 days old

Search Warrants
With a search warrant, the government may obtain everything that it could get with a 2703(d) order plus “the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less” – 18 U.S.C. § 2703(a)
Standard to get one is the probable cause standard we’re all familiar with
Again, in the 9th Circuit, a search warrant is usually the only way to get content information less than 180 days old (outside the 9th Circuit, subpoenas and 2703(d) orders can get content information held by an RCS that’s less than 180 days old)
Although search warrants are typically only valid within the jurisdiction where they’re issued, 18 U.S.C. 2703 allows any court of competent jurisdiction (including state courts) to issue search warrants valid anywhere (deals with practical technological reality)
Unlike most search warrants, which must be executed by law enforcement, these search warrants can be executed merely by having the entity send the information
Note: search warrant requires no notice to the customer

Voluntary Disclosure
If the provider is willing to disclose the information, there are circumstances where the SCA allows them to do so – 18 U.S.C. 2702
If the provider of ECS or RCS does not provide the service “to the public” then they are allowed to disclose anything – 18 U.S.C. 2702(a)
  Drafting confusion note: to be an RCS in the first place it must be “to the public,” so really this only applies to voluntary disclosures by ECS providers that do not provide the service to the public

Voluntary Disclosure if the Entity Provides Services “to the Public”
SCA allows voluntary disclosure of content revealing information when…
  1) The disclosure is made “to the intended recipient of the communication, with the consent of the sender or intended recipient, to a forwarding address, or pursuant to specified legal process” – 18 U.S.C. 2702(b)(1)-(4)
  2) “In the case of a remote computing service, the disclosure is made with the consent of a subscriber” – 18 U.S.C. 2702(b)(3)
  3) The disclosure “may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service,” – 18 U.S.C. 2702(b)(5)
  4) The disclosure is submitted “to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A,” – 18 U.S.C. 2702(b)(6)
  5) The disclosure is made to a law enforcement agency “if the contents . . . were inadvertently obtained by the service provider . . . [and] appear to pertain to the commission of a crime,” – 18 U.S.C. 2702(b)(7)
  6) The disclosure is made to a governmental entity, “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency” – 18 U.S.C. 2702(b)(8)
SCA allows voluntary disclosure of non-content revealing information when…
  1) The disclosure is made “with the lawful consent of the customer or subscriber,” or “as otherwise authorized in section 2703,” – 18 U.S.C. 2702(c)(1)-(2)
  2) The disclosure “may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service” – 18 U.S.C. § 2702(c)(3)
  3) The disclosure is made to a governmental entity, “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency,” – 18 U.S.C. 2702(c)(4)
  4) The disclosure is made “to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A” – 18 U.S.C. 2702(c)(5)
Legislative history: designed to cover situations where the public’s interest or the entity’s interest outweighs the privacy concerns of the customer

Remedies for an SCA Violation
*Suppression is explicitly never allowed as a remedy for an SCA violation (unless that violation is also a constitutional violation – see two classes ago)* – 18 U.S.C. 2708
Three groups the victim can sue
  1) Suits against entity – 18 U.S.C. 2707(a)
    Violation must be knowing or intentional
    Can receive no less than $1,000, equitable or declaratory relief, and reasonable attorney fees & costs
    If a willful violation, may also receive punitive damages
    Good faith compliance with a court order is a complete defense – 18 U.S.C. 2707(e)
  2) Suits against government agents – same as above except government agents may also be subject to discipline (18 U.S.C. 2707(d)) and will have qualified immunity in addition to the good faith compliance defense
  3) Suits against government itself – same as suits against entity except litigant can now receive actual damages or $10,000 (whichever is greater)

SCA & the Preservation of Evidence
SCA allows government to, without a formal order, require covered entity to preserve existing records pending the issuance of a formal court order – 18 U.S.C. 2703(f)
Cannot preserve records not yet created
Note: order could tip off a suspect

SCA & Reimbursement
SCA requires government to compensate a covered entity for its cost of compliance – 18 U.S.C. 2706
Costs must be reasonable and ideally agreed upon ahead of time
Exception for call history logs held by a common carrier (because they’re so easy to produce) – 18 U.S.C. 2706(c)

Constitutional Issues
Defendants have argued that the SCA violates the 4th Amendment because it allows the government to obtain information without a warrant and on a finding of less than probable cause
State response
  1) 4th Amendment usually doesn’t apply to information held by an ECS or RCS because there is usually no reasonable expectation of privacy
  2) Even where there is a reasonable expectation of privacy, the warrant clause and the reasonableness clause of the 4th Amendment are separate and courts have long allowed search and seizure with less than a warrant
Vast majority of decisions to consider the issue side with the state

Exam & Practice Tips
Issue flag: any time the government is seeking information held by a 3rd party this should throw up a red flag that there may be an SCA issue
Step 1: Is the entity a covered entity? (Are they an ECS or RCS?)
Step 2: If so, how can the government obtain the information? (Is voluntary disclosure allowed? If they need an order, what kind?)
If you’re in the 9th Circuit, the ultimate answer is pretty easy: get a search warrant