750 likes | 965 Vues
An Overview of the Electronic Communications Privacy Act. Sean B. Hoar sean.hoar@usdoj.gov. ECPA Overview. In 1986, the ECPA was passed to ensure the security of electronic communications. The ECPA amended the Wiretap Act, and created the Stored Communications Act.
E N D
An Overview of the Electronic Communications Privacy Act Sean B. Hoar sean.hoar@usdoj.gov
ECPA Overview • In 1986, the ECPA was passed to ensure the security of electronic communications. The ECPA amended the Wiretap Act, and created the Stored Communications Act. • It was created to protect access to electronic communications – to “bridge the gap” between the Fourth Amendment & the Wiretap Act • It is a critical component of the law of electronic surveillance due to reliance upon the Internet and creation of large data repositories • It is the primary statutory scheme governing access by the government to stored electronic communications
ECPA Legislative History • In drafting the ECPA, Congress recognized the need for the law to evolve with technology: • “When the Framers of the Constitution acted to guard against the arbitrary use of Government power to maintain surveillance over citizens, there were limited methods of intrusion into the "houses, papers, and effects" protected by the fourth amendment. During the intervening 200 years, development of new methods of communication and devices for surveillance has expanded dramatically the opportunity for such intrusions.”
ECPA Legislative History • In emphasizing its desire to protect individual privacy, Congress reviewed the evolution of technology relative to the law: • “The telephone is the most obvious example. Its widespread use made it technologically possible to intercept the communications of citizens without entering homes or other private places. When the issue of Government wiretapping first came before the Supreme Court in Olmstead v. United States, 277 U.S. 438 (1928), the Court held that wiretapping did not violate the fourth amendment, since there was no searching, no seizure of anything tangible, and no physical trespass.” • “Today, the Olmstead case is often remembered more for Justice Brandeis' prescient dissent than for its holding. Justice Brandeis predicted: • Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home . . . Can it be that the Constitution affords no protection against such invasions of individual security? • Forty years later, the Supreme Court accepted Justice Brandeis‘ logic in Katz v. United States, 389 U.S. 347 (1967), holding that the fourth amendment applies to Government interception of a telephone conversation. At the same time, the Court extended fourth amendment protection to electronic eavesdropping on oral conversations in Berger v. New York, 388 U.S. 41 (1967).”
ECPA Legislative History • In 1968, following the Supreme Court’s decisions in Katz and Berger, Congress responded in a comprehensive fashion by authorizing government interception only under carefully subscribed circumstances in the Wiretap Act. • In 1986, the Wiretap Act was the primary law protecting the security and privacy of business and personal communications in the United States. Its regimen for protecting the privacy of voice communications was expressly limited to the unauthorized aural interception of wire or oral communications. • It only applied where the contents of a communication could be overheard and understood by the human ear. SeeUnited States v. New York Telephone Company, 434 U.S. 159, 167 (1977). • It also only applied to interceptions of communications sent via common carriers. 18 U.S.C. 2510(10).
ECPA Legislative History • In drafting the ECPA, Congress recognized that the Wiretap Act had not kept pace with the development of communications and computer technology. Nor had it kept pace with changes in the structure of the telecommunications industry. • “Today we have large-scale electronic mail operations, computer-to-computer data transmissions, cellular and cordless telephones, paging devices, and video teleconferencing. A phone call can be carried by wire, by microwave or fiber optics. It can be transmitted in the form of digitized voice, data or video. Since the divestiture of AT&T and deregulation, many different companies, not just common carriers, offer a wide variety of telephone and other communications services. It does not make sense that a phone call transmitted via common carrier is protected by the current federal wiretap statute, while the same phone call transmitted via a private telephone network such as those used by many major U .S. corporations today, would not be covered by the statute.”
ECPA Legislative History • In drafting the ECPA, Congress also recognized that among the technological developments, substantial advances had occurred in public and private sector surveillance capacities: • “These tremendous advances in telecommunications and computer technologies have carried with them comparable technological advances in surveillance devices and techniques. Electronic hardware making it possible for overzealous law enforcement agencies, industrial spies and private parties to intercept the personal or proprietary communications of others are readily available in the American market today.”
ECPA Legislative History • The ECPA was comprised of three parts: • Title I amended the Wire Tap Act to restrict interception of communications in actual transmission • Title II created the Stored Communications Act (SCA) (what I often refer to as the ECPA) to restrict government access to stored electronic records and communications • Title III created the Pen Register Act to restrict and regulates the use of pen register & trap and trace devices
ECPA Overview • Important terms: • Electronic Communications Service • Electronic Storage • Remote Computing Service; • Substantive protections • When service providers may disclose • Basic subscriber information • Transactional information • Contents of communication • When service providers must disclose • Remedies
ECPA key term – Electronic Communications Service • An electronic communications service (ECS) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). • An electronic communication service, or an “ECS”, is essentially an ISP. When an ECS provides services to the public, the communications and records that result are protected from disclosure under the ECPA.
ECPA key term – Electronic Communications Service • An electronic communications service (ECS) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). • Any company or government entity that provides others with a means of communicating electronically can be a provider of an ECS, even if providing the communications service is merely incidental to the provider’s primary function. See Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996) (city that provided pager service to police officers can be an ECS); United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provided travel agents with computerized travel reservation system accessed through separate computer terminals can be ECS).
ECPA key term – Electronic Storage • Electronic storage (ES) is defined as “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof, and any storage of such communication by an ECS for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17)(A) & (B). • This definition is the source of considerable confusion because the common meaning of “electronic storage” is long term storage, yet the first part of this statutory definition refers only to temporary storage, made in the course of transmission, by a provider of an ECS. This would mean that an e-mail that has been sent but is pending the recipient’s retrieval is in ES. See Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 635-38 (E.D. Pa. 2001) (e-mail acquired from post-transmission storage was not in ES and not protected under ECPA). Once retrieved, however, the e-mail would no longer be in ES. The storage for purposes of backup protection, however, includes messages after transmission. Quon v. Arch Wireless Operating Co., Inc.,529 F.3d 892 (9th Cir. 2008) (messages stored after transmission are in ES and protected under ECPA)
ECPA key term – Remote Computing Service • A remote computing service (RCS) is defined as “the provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2). • Generally, an RCS is provided by an off-site computer that stores or processes data for a customer. SeeSteve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 443 (W.D. Tex. 1993) (the provider of bulletin board services was an RCS); • Files held by an RCS cannot be in ES; • When an RCS provides services to the public, the communications and records that result are protected from disclosure under the ECPA.
ECPA key terms – ECS, ES & RCS ECS = Electronic communication service provider A ECS B ES = Electronic storage Temporary storage incidental to transmission or for purposes of backup protection: ES A RCS = Remote computing service provider A Long-term storage: RCS
A public ECS or RCS is prohibited from disclosing contents of communications under the ECPA unless certain circumstances exist
Content of communications • The content of communication is defined as “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). • Content includes the body of an e-mail message, or a word processing file stored on a network. • The subject line of an e-mail header may include content if it includes a message. Similarly, digital displays on pagers may contain content.
A public ECS or RCS is prohibited from disclosing contents of communications under the ECPA except: • to an addressee or intended recipient of a communication or an agent of the addressee or intended recipient. 18 U.S.C. § 2702(b)(1). • with an appropriate warrant, court order with notice, or subpoena with notice. 18 U.S.C. § 2702(b)(2). • with the lawful consent of the originator or an addressee or intended recipient of a communication, or from the subscriber of an RCS. 18 U.S.C. § 2702(b)(3).
A public ECS or RCS is prohibited from disclosing contents of communications under the ECPA except: • to a person employed or authorized or whose facilities are used to forward a communication to its destination. 18 U.S.C. § 2702(b)(4). • as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service. 18 U.S.C. § 2702(b)(5).
A public ECS or RCS is prohibited from disclosing contents of communications under the ECPA except: • Under 18 U.S.C. § 2702(b)(6), to NCMEC in connection with a report submitted under 18 U.S.C. § 2258A, which provides that • Whoever, while engaged in providing an electronic communication service or a remote computing service to the public, through a facility or means of interstate or foreign commerce, obtains knowledge of facts or circumstances from which a violation of section 2251, 2251A, 2252, 2252A, 2252B, or 2260 of Title 18, involving child pornography (as defined in section 2256 of that title), or a violation of section 1466A of that title, is apparent, shall, as soon as reasonably possible, make a report of such facts or circumstances to the Cyber Tip Line at the National Center for Missing and Exploited Children, which shall forward that report to a law enforcement agency or agencies designated by the Attorney General.
A public ECS or RCS is prohibited from disclosing contents of communications under the ECPA except: • to a law enforcement agency (1) if the contents were inadvertently obtained by the service provider and (2) appear to pertain to the commission of a crime; 18 U.S.C. § 2702(b)(7). • to a governmental entity if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency. 18 U.S.C. § 2702(b)(8).
A public ECS or RCS is prohibited from disclosing a record or other information – or transactional information –unless certain circumstances exist
Transactional information • Transactional information is defined by statute as “a record or other information”. 18 U.S.C. § 2703(c)(1). • It is referred to as transactional information because it references information about the transaction of a communication. • Transactional information encompasses more than mere data about a subscriber to a service, but less than the content of a communication. • Among other things, transactional information includes account logs that record account usage, cellular site data for cellular telephone calls, and e-mail addresses corresponded with by the subscriber.
A public ECS or RCS is prohibited from disclosing a record or other information (transactional information) under the ECPA except: • with an appropriate warrant or court order. 18 U.S.C. § 2702(c)(1). • with the lawful consent of the customer or subscriber. 18 U.S.C. § 2702(c)(2). • as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service. 18 U.S.C. § 2702(c)(3).
A public ECS or RCS is prohibited from disclosing a record or other information (transactional information) under the ECPA except: • to a governmental entity if the provider, in good faith, believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency. 18 U.S.C. § 2702(c)(4).
A public ECS or RCS is prohibited from disclosing a record or other information (transactional information) under the ECPA except: • Under 18 U.S.C. § 2702(c)(5), to NCMEC in connection with a report submitted under 18 U.S.C. § 2258A, which provides that • Whoever, while engaged in providing an electronic communication service or a remote computing service to the public, through a facility or means of interstate or foreign commerce, obtains knowledge of facts or circumstances from which a violation of section 2251, 2251A, 2252, 2252A, 2252B, or 2260 of Title 18, involving child pornography (as defined in section 2256 of that title), or a violation of section 1466A of that title, is apparent, shall, as soon as reasonably possible, make a report of such facts or circumstances to the Cyber Tip Line at the National Center for Missing and Exploited Children, which shall forward that report to a law enforcement agency or agencies designated by the Attorney General.
A public ECS or RCS is prohibited from disclosing a record or other information (transactional information) under the ECPA except: • to any person other than a governmental entity. 18 U.S.C. § 2702(c)(6).
A public ECS or RCS must disclose information under the ECPA when: • The government provides the appropriate form of compulsory process: subpoena, court order, or warrant. • Depending on the form of process, the following categories of information might be obtained: • subscriber information • transactional information • content of communications
Subscriber information • Subscriber information includes, with regard to a person who has subscribed to an ECS or RCS: • the persons name; • address; • local and long distance telephone connection records, or records of session times and durations; • length of service, including the starting date, and types of service utilized; • telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and • the means and source of payment for service, including any credit card or bank account number. 18 U.S.C. § 2703(c)(2)(A)-(F).
How can subscriber information be obtained? • Subscriber information can be obtained by a governmental entity through an administrative subpoena authorized by a federal or state statute, or a federal or state grand jury or trial subpoena. 18 U.S.C. § 2703(c)(2). • It can also be obtained with a search warrant, an order pursuant to 18 U.S.C. § 2703(d), or consent of the subscriber. • If it is relevant to telemarketing fraud, it can also be obtained through a formal written request for the name, address, and place of business of a subscriber engaged in the telemarketing. 18 U.S.C. § 2703(c)(1)(D).
How can transactional information be obtained? • Transactional information can be obtained by a governmental entity with an order pursuant to 18 U.S.C. § 2703(d) (articulable facts order), consent of the subscriber, or a search warrant. • If it is relevant to telemarketing fraud, it can also be obtained through a formal request for the name, address, and place of business of a subscriber engaged in the telemarketing. 18 U.S.C. § 2703(c)(1)(D).
What is a § 2703(d) Order (an “articulable facts” Order)? • An order authorizing disclosure of information from an ECS or an RCS which may be issued by any “court of competent jurisdiction”, and can only be issued if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. 18 U.S.C. § 2703(d).
Regarding the 2703(d) Order . . . • A service provider may quash or modify the order if the information or records requested are unusually voluminous in nature or compliance with the order otherwise would cause an undue burden on the provider. 18 U.S.C. § 2703(d).
Compelled disclosure under the ECPA • Due to the protections afforded wire and electronic communications, some form of legal process is generally required to obtain access to that information. • The more revealing the type of communication, the more burdensome the legal process required to access the information. • Section 2703 provides five mechanisms to compel disclosure of information.
Mechanisms to compel disclosure of information under the ECPA • Subpoena without subscriber notice • Subpoena with subscriber notice (immediate or delayed) • Court order without subscriber notice • Court order with subscriber notice • Search warrant
Mechanisms to compel disclosure of information under the ECPA • Subpoena without subscriber notice -- A subpoena can be used to obtain subscriber information without notice to the subscriber. 18 U.S.C. § 2703(c)(2) and (3). • name; • address; • local and long distance telephone connection records, or records of session times and durations; • length of service, including the starting date, and types of service utilized; • telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and • the means and source of payment for service, including any credit card or bank account number.
The Subpoena . . . • The subpoena may be an administrative subpoena authorized by a federal or state statute, or a federal or state grand jury or trial subpoena. 18 U.S.C. § 2703(c)(2).
Mechanisms to compel disclosure of information under the ECPA • Subpoena with subscriber notice (immediate or delayed) -- A subpoena with subscriber notice can be used to obtain everything that can be obtained using a subpoena without notice (basic subscriber information). It can also be used to obtain the following: • the contents of any wire or electronic communication that is held or maintained by a provider of an RCS on behalf of, and received by means of electronic transmission from, or created by means of computer processing of communications received by electronic transmission from, a subscriber or customer of the RCS. 18 U.S.C. § 2703(b)(1)(B)(i) and (b)(2)(A); and • the contents of any wire or electronic communication that has been in electronic storage in an ECS for more than one hundred eighty (180) days. 18 U.S.C. § 2703(a), (b)(1)(B)(i), and (b)(2)(B). • Translation: Opened e-mail, and other stored electronic communications in electronic storage more than 180 days, can be obtained with a subpoena, so long as there is compliance with the prior notice provisions of 18 U.S.C. § 2703(b)(1)(B).
Delayed notice for subpoena • When a subpoena is obtained pursuant to the ECPA, a governmental entity may obtain authorization to provide delayed notice to the subscriber of the existence of the subpoena for a period not to exceed ninety (90) days. • This delayed notice under the ECPA is only authorized “upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result”. 18 U.S.C. §§ 2703(b)(1)(B) and 2705(a)(1)(B).
Delayed notice for subpoena • The term “supervisory official” means the investigative agent in charge or an assistant investigative agent in charge or an equivalent of an investigating agency’s headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney’s headquarters or regional office. 18 U.S.C. § 2705(a)(6).
Delayed notice for subpoena • An adverse result is defined as • endangering the life or physical safety of an individual; • flight from prosecution; • destruction of or tampering with evidence; • intimidation of potential witnesses; or • otherwise seriously jeopardizing an investigation or unduly delaying a trial. 18 U.S.C. § 2705(a)(2).
Delayed notice for subpoena, continued . . . • Extensions of the delayed notification of up to ninety (90) days each may be obtained using the same process as the original order. 18 U.S.C. § 2705(a)(4) and (b).
Notice to subscriber after period of delayed notification has expired • Upon expiration of the period of delayed notification, the governmental entity must serve, or deliver by registered or first-class mail, a copy of the process or request together with a notice that states with reasonable specificity the nature of the law enforcement inquiry; and informs the customer or subscriber of the following: • that information maintained for the customer or subscriber by the service provider was supplied to or requested by the governmental entity, and the date on which the supplying or request took place; • that notification of the customer or subscriber was delayed; • what governmental entity or court made the certification or determination pursuant to which the delay was made; and • which provision of the ECPA allowed the delay. 18 U.S.C. 2705(a)(5).
Mechanisms to compel disclosure of information under the ECPA • Court order without subscriber notice: A court order without subscriber notice can be used to obtain anything that can be obtained using a subpoena without notice (basic subscriber information); and all records or other information pertaining to a subscriber to or customer of an ECS or an RCS (transactional information - not the contents of communications). 18 U.S.C. § 2703(c)(1)(B). • Translation: Both subscriber and transactional information can be obtained with a court order without subscriber notice pursuant to 18 U.S.C. § 2703(c)(1)(B).
Mechanisms to compel disclosure of information under the ECPA • Court order with subscriber notice: A court order with subscriber notice can be used to obtain everything that can be obtained using a § 2703(d) court order without notice (basic subscriber information and all records or other information pertaining to a subscriber to or customer of an ECS or an RCS (not including the contents of communications)). It can also be used to obtain the following: • the contents of any wire or electronic communication that is held or maintained by a provider of an RCS on behalf of, and received by means of electronic transmission from, or created by means of computer processing of communications received by electronic transmission from, a subscriber or customer of the RCS. 18 U.S.C. § 2703(b)(1)(B)(ii) and (b)(2)(A); and • the contents of any wire or electronic communication that has been in electronic storage in an ECS for more than one hundred eighty (180) days. 18 U.S.C. § 2703(a), (b)(1)(B)(ii), and (b)(2)(B). • Translation: The full contents of a subscriber's account, except unopened e-mail which has been in “electronic storage” 180 days or less, can be obtained using a § 2703(d) order so long as there is compliance with the prior notice provisions of § 2703(b)(1)(B).
Delayed notice for court order • Authorization may be obtained to provide delayed notice to the subscriber of the existence of the order for a period not to exceed ninety (90) days when the application for the order includes a request for an order delaying notification for a period not to exceed ninety days, and “the court determines that there is reason to believe that notification of the existence of the court order may have an adverse result”. 18 U.S.C. § 2705(a)(1)(A). • Note – no supervisory certification required
Delayed notice for court order • An adverse result is defined as • endangering the life or physical safety of an individual; • flight from prosecution; • destruction of or tampering with evidence; • intimidation of potential witnesses; or • otherwise seriously jeopardizing an investigation or unduly delaying a trial. 18 U.S.C. § 2705(a)(2).
Delayed notice for court order • Extensions of the delayed notification of up to ninety (90) days each may be obtained using the same process as original order. 18 U.S.C. § 2705(a)(4) and (b).
Mechanisms to compel disclosure of information under the ECPA • Search warrant – A search warrant can be used to obtain everything that can be obtained using a § 2703(d) court order with notice (basic subscriber information and all records or other information pertaining to a subscriber to or customer of an ECS or an RCS (not including the contents of communications). It can also be used to obtain the following: • the contents of any wire or electronic communication that is held or maintained by a provider of an RCS on behalf of, and received by means of electronic transmission from, or created by means of computer processing of communications received by electronic transmission from, a subscriber or customer of the RCS; and the contents of any wire or electronic communication that has been in electronic storage in an ECS for more than one hundred eighty (180) days. 18 U.S.C. § 2703(a), (b)(1)(A), and (b)(2)(B); and • the contents of a wire or electronic communication that is in electronic storage in an ECS for one hundred eighty (180) days or less. 18 U.S.C. § 2703(a). • Note: A warrant may be served without required notice to the subscriber or customer if authorized by a court with jurisdiction over the offense under investigation. 18 U.S.C. § 2703(b)(1)(A).
Execution of the warrant . . . • Does the Fourth Amendment require that a law enforcement official be present during the execution of a search warrant? • No, especially where (1) the actual physical presence of an officer would not have aided the search; (2) the technical expertise of an ISP’s technicians far outweigh that of the officers; (3) the items "seized" were located on a third party ISP’s property; (4) there was a warrant signed by a judge authorizing the search; and (5) the officers complied with the provisions of the ECPA. See United States v. Bach, 310 F.3d 1063 (8th Cir. 2002), and 18 U.S.C. 2703(g).
Execution of the warrant . . . • A request to preserve records should always precede the service of a search warrant upon an ISP. • Barring countervailing circumstances, a § 2703(f) preservation request to the ISP should always precede service of a § 2703 search warrant. This procedure serves the obvious purpose, in every case, of assuring that the records to be sought in the search warrant still exist when the warrant is served. The existence of the prior § 2703(f) preservation request should be pointed out in the affidavit in support of the search warrant. • Note: Some ISPs, notably AOL, may “freeze” the targeted subscriber’s e-mail account upon receipt of a § 2703(f) request for unretrieved e-mail, which may alert the subscriber to the existence of the investigation. Under those circumstances, the benefit of preceding the search warrant with a § 2703(f) request must be balanced against the potential harm to the investigation.