A Gentle Introduction to the Electronic Communications Privacy Act

Date post: 25-Feb-2016
Paul Ohm, Associate Professor, CU Law; Initiative Director, Silicon Flatirons. December 4, 2009.

Overview:

Introduction to Silicon Flatirons

ECPA is a very complex statute, and some of the people we have invited are deep in the weeds. We wanted to provide an optional tutorial for those who have never been exposed to the statute.

Roadmap
- Background and History
- Wiretap Act and Pen Register and Trap and Trace Act
- Stored Communications Act

History
- 1928: Olmstead v. United States
- 1934: Communications Act
- 1967: Katz v. United States
- 1968: Omnibus Crime Control and Safe Streets Act: Title III
  - Wiretap Act
- 1986: Electronic Communications Privacy Act
- 2001: USA PATRIOT Act

ECPA Regulates Privacy
- Privacy on telephone and data networks
- Rules for government access
- Rules for sharing by providers
- Criminalizes certain privacy invasions

Real-Time Monitoring
- The Wiretap Act governs monitoring in real-time
- Traditional telephone wiretaps
- Internet packet sniffers

Prohibition
- The Wiretap Act prohibits the interception of wire or electronic communications
- Five-year felony
- Unless an exception applies

Exceptions
- Dozens
- Several used commonly in criminal investigations
- Court order
- Consent of a party to the communication
- Provider self defense

Court Order
- Wiretap order permits interception
- Many hurdles
- Super warrant
- Probable cause
- Limited time
- Minimization
- Necessity

Consent
- Interception allowed if a party to the communication has given prior consent to such interception
- Possible sources:
  - Banner
  - Terms of service
  - Employment agreements

Provider Self Defense
- Provider can monitor to protect the rights or property of the provider
- Provider can share results of past monitoring with law enforcement

Transactional Surveillance
- The Pen Register and Trap and Trace Act governs real-time collection of non-content information about a user such as:
  - Addresses on inbound/outbound email
  - Internet addresses for websites visited by a user
  - List of addresses from which visitors to website originate
- Does not include content
- Almost no hurdle for government whatsoever

Stored Communications Act
- The Stored Communications Act governs stored information held by certain communications providers

Dichotomies
- Type of Provider
  - To the public versus only non-public
  - Providing communications versus storage/processing services
  - Providing those services versus other services
- For Content
  - Fresh versus stale
  - Unopened email versus opened email
- For Non-content
  - Detailed transactional records versus basic subscriber information

Which Providers?
- Electronic Communications Services
  - Email
  - Phone
  - IM
  - Text messages
- Remote Computing Services
  - Computer storage
  - Online backup services, photo hosting
  - Processing services
  - Amazon's EC2
- Unregulated?
  - Google search
  - Google books
  - CNN.com
  - Amazon / eBay

The SCA Chart

Compelling Basic Subscriber Information
- Basic Subscriber Information can be obtained with a mere subpoena
- Means:
  - Name & address
  - Local and LD telephone toll billing records
  - Telephone number or other account identifier (such as username or screen name)
  - Length & type of service provided
  - Session times and duration
  - Temporarily assigned network address
  - Means and source of payment

Compelling Other Non-Content Information
- Everything that is not basic subscriber information but is also not content
- Means:
  - Audit trails / logfiles
  - Identities of e-mail correspondents
- Can be obtained with a court order
- 2703(d) order
- "specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation"

Compelling Content
- Rules are somewhat in flux due to Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003)
- Some contents require a search warrant
  - Pre-Theofel: Unopened email
  - Theofel: All email

Compelling Content 2
- Some contents obtainable with mere subpoena
  - Pre-Theofel: Opened email
  - Theofel: Almost no email
  - Also: Non-email stored files, stale email
- Subpoena must include notice to subscriber
- May be delayed 90 days

Voluntary Disclosure: Default Rules
- Providers not to the public may disclose anything to anyone. Unregulated by SCA
- Providers to the public must look to statutory exceptions

Voluntary Disclosure: Exceptions for Public Providers
- Public providers may voluntarily share non-content with any non-governmental party for any reason

Voluntary Disclosure: Exceptions for Public Providers 2
- Public providers may voluntarily share non-content and content with government only when:
  - Consent to do so exists (terms of service)
  - To protect rights and property
  - If provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure

Previewing the Conference
- Three panels
- Two on ECPA reform

| Traditional Understanding | Theofel v. Farey-Jones | Voluntary Disclosure Allowed? (Public Provider) | Voluntary Disclosure Allowed? (Non-Public Provider) | Mechanisms to Compel Disclosure (Public Provider) | Mechanisms to Compel Disclosure (Non-Public Provider) |
|---|---|---|---|---|---|
| ECS: Unopened e-mail in storage 180 days or less | ECS: E-mail in storage 180 days or less | No, unless 2702(b) exception applies [2702(a)(1)] | Yes [2702(a)(1)] | Search Warrant [2703(a)] | Search Warrant [2703(a)] |
| ECS: Unopened e-mail in storage more than 180 days | ECS: E-mail in storage more than 180 days | No, unless 2702(b) exception applies [2702(a)(1)] | Yes [2702(a)(1)] | Subpoena with notice; 2703(d) order with notice; or search warrant [2703(a,b)] | Subpoena with notice; 2703(d) order with notice; or search warrant [2703(a,b)] |
| RCS: Opened e-mail, other content files being remotely stored or processed | RCS: Files not covered above being remotely stored or processed | No, unless 2702(b) exception applies [2702(a)(2)] | Yes [2702(a)(2)] | Subpoena with notice; 2703(d) order with notice; or search warrant [2703(b)] | SCA doesn't apply [2711(2)] |
| Most non-content records | Most non-content records | No, unless 2702(c) exception applies [2702(a)(3)] | Yes [2702(a)(3)] | 2703(d) order or search warrant [2703(c)(1)] | 2703(d) order or search warrant [2703(c)(1)] |
| Basic subscriber information, session logs, IP addresses | Basic subscriber information, session logs, IP addresses | No, unless 2702(c) exception applies [2702(a)(3)] | Yes [2702(a)(3)] | Subpoena; 2703(d) order; or search warrant [2703(c)(2)] | Subpoena; 2703(d) order; or search warrant [2703(c)(2)] |

Stored Communications Act (Title II of the Electronic Communications Privacy Act of 1986)
