Electronic Communications Privacy Act (ECPA)
- House Passes Narrow ECPA Update: The Email Privacy Act of 2016 has passed the House 419-0 The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 27, 2016)
- U.S. Government Sued Over Refusal to Notify Users of E-mail Searches: Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users’ private information, arise in thousands of cases each year. EPIC has supported similar challenges to “gag orders" and has opposed the expansion of “no notice” searches. EPIC has also recommended notice requirements for e-mail searches. (Apr. 14, 2016) More top news »
Introduction to ECPA
The Electronic Communications Privacy Act ("ECPA") was passed in 1986 to expand and revise federal wiretapping and electronic eavesdropping provisions. It was envisioned to create "a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe.
ECPA includes the Wiretap Act, the Stored Communications Act, and the Pen-Register Act. Wire communication refers to "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection"; in short, it refers to phone conversations. An oral communication is "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation"; this constitutes any oral conversation in person where there is the expectation no third party is listening.
Individuals who violate ECPA face up to five years of jail time and a $250,000 fine. Victims are also entitled to a civil suit of actual damages, in addition to punitive damages and attorney's fees. The United States itself cannot be sued for a violation, but evidence that is gathered illegally cannot be introduced in court.
Prohibition on Interception of Communications
ECPA does include important provisions that protect a person's wire and electronic communications from being intercepted by another private individual. In general, the statute bars wiretapping and electronic eavesdropping, possession of wiretapping or electronic eavesdropping equipment, and the use or disclosure of information unlawfully obtained through wiretapping or electronic eavesdropping. The Wiretap Act prohibits any person from intentionally intercepting or attempting to intercept a wire, oral or electronic communication by using any electronic, mechanical or other device. To be clear, an electronic device must be used to perform the surveillance; mere eavesdropping with the unaided ear is not illegal under ECPA.
There are exceptions to this blanket prohibition, such as if the interception is authorized by statute for law enforcement purposes or consent of at least one of the parties is given. Although some states prohibit the recording of conversations unless all parties consent, ECPA requires only one party consent; an individual can record his own conversation without violating federal law. In the workplace, an employer would likely not violate ECPA by listening to an employee's communications if, for example, blanket consent was given as part of the employee's contract.
In addition to criminalizing the actual wiretapping or electronic eavesdropping, ECPA also prohibits an individual from disclosing such information obtained illegally if the person has reason to know that it was obtained illegally through the interception of a wire, oral, or electronic communication. Similarly, if a person cannot lawfully disclose a lawful law enforcement wiretapping and if he has reason to know that doing so will obstruct a criminal investigation.
Prohibition on Access of Communications
While the Wiretap Act addresses the interception of communications, the Stored Communications Act addresses access to stored communications at rest. In the modern context, this primarily refers to e-mails that are not in transit. The Act makes it unlawful to intentionally access a facility in which electronic communication services are provided and obtain, alter, or prevent unauthorized access to a wire or electronic communication while it is in electronic storage in such system. This statute also makes exceptions for law enforcement access and user consent.
As with other forms of communication protected under ECPA, an employer is generally forbidden from accessing an employee's private e-mails. However, if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails, it may be lawful under ECPA for him to do so.
Pen Registers and Trap and Trace
Pen registers and trap and trace devices provide non-content information about the origin and destination of particular communications. Because this information does not contain the content of the communication, it is subject to lesser restrictions than actual content. The Supreme Court has long held that there is no reasonable expectation of privacy in this information because the telecommunications company has ready access to it; in fact, the company must utilize this information to ensure the communications are properly routed and delivered. The Pen-Register Act covers pen registers/trap and trace.
In the context of phone calls, Pen-Registers display the outgoing number and the incoming number. Because e-mail subject lines contain content, their use on e-mails, per revisions in the USA PATRIOT Act, must include the sender and addressee, but avoid any part of the subject. IP addresses and port numbers associated with the communication are also fair game under the Act.
The regulations specifically apply to "devices" that capture this information. Thus, ECPA generally prohibits the installation or use of any device that serves as a pen register or trap and trace. Amendments in the USA PATRIOT Act allow the term devices to also encompass software.
Also, unlike provisions relating to the interception and access of communications, there is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device. And there is no private cause of action against the government for violations of this law.
Disclosure of Records
ECPA lays out guidelines for law enforcement access to data. Under the Stored Communications Act, the government is able to access many kinds of stored communications without a warrant.
The following table illustrates the different treatment of the contents of an email at various times:
In addition to the specific government exceptions outlined above, there is other information that the government is empowered to collect from communications providers in the form of customer records. Under § 2703, an administrative subpoena, a National Security Letter ("NSL"), can be served on a company to compel it to disclose basic subscriber information. Section 2703 also allows a court to issue an order for records; whether an NSL or court order is warranted depends upon the information that is sought.
An NSL can be used to obtain the name; address; local and long distance telephone connection records, or records of session times and durations; length of service (including start date) and types of service utilized; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment for service (including any credit card or bank account number) of a subscriber. Although the breadth of information that can be gathered with an NSL is quite large, and was dramatically expanded with the USA PATRIOT Act, none of this information is supposed to include content.
All other non-content customer records have to be obtained by a court order under § 2703(d). These include transactional records such as "addresses of web sites visited by the customer and e-mail addresses of other individuals with whom the account holder has corresponded." Although an order for these materials is issued by a court, the court is not issuing a warrant based upon probable cause. Instead, § 2703(d) requires only that there be "specific and particularly facts showing that there are reasonable grounds to believe" that the records requested are "relevant and material to an ongoing criminal investigation."
As was stated, ECPA itself does not prohibit the disclosure of customer records to third parties. When the third party is the government, ECPA expressly permits the service provider to share customer records "if the provider reasonably believes than an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This authorization is found in § 2702 and was added as part of the USA PATRIOT Act. In practice, it allows law enforcement to forgo even the minimal burden of a subpoena or a court order and claim there is an emergency that necessitates the records being turned over. Although it is voluntary for the provider to act under this provision, many do in practice.
ECPA embodies many important and useful protections, but much has changed since ECPA was passed in 1986; from personal computing to the Internet and now the ubiquity of mobile devices, much of today's technology (and even much of yesterday's) was not conceived when the law was first drafted. ECPA has been amended several times, but has not been significantly modified since becoming law.
ECPA regulates when electronic communications can be intercepted, monitored, or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. ECPA defines "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." This definition focuses on the transfer of the data - the time during which the packets of data are traveling between one point and the other. This creates and "on the wire" versus "off the wire" distinction that is becoming more difficult as technology advances.
ECPA case law is confused in part due to the sharp distinctions drawn between communications in transit and those that are being stored. What was once an clear distinction - particularly with wireline telephones - is now incredibly complex. For example, the packets that make-up a single e-mail are broken apart, transit multiple servers and routers, and are then recombined and stored on remote servers. It is unclear how ECPA applies to these packets: whether the email is in transit, and therefore governed by Title I, or in "electronic storage" and governed by Title II. Title I, the Wiretap Act, and Title II, the Stored Communications Act, have vastly different standards and requirements, which creates uncertainty for users, law enforcement, and the courts.
The adoption of cloud computing, while offering many benefits (such as convenience and ease of access), makes the need for ECPA reform more urgent. Whereas an e-mail stored on a home computer would be fully protected by the 4th Amendment warrant requirement, only the Sixth Circuit has ruled that all e-mail stored on a remote, cloud computing server is protected. More and more information, including documents, e-mails, pictures, personal calendars, and locational data is being stored in the cloud. Much of this data has little or no protection under current law. Protections for locational data, in particular, have been widely discussed, but, to date, have not been added.
The 180 day distinction within ECPA is also the subject of much criticism. When ECPA was passed in 1986, web-based e-mail, such as Gmail, did not exist. Instead, e-mail primarily existed in local intranets where clients would download their messages from the server and the server would, generally, not keep a backup. Congress presumed that any e-mails left on the server for more than 180 days should be treated like abandoned property. This distinction, however, is no longer as relevant today when customers have access to nearly unlimited cloud storage.
Congress has held several hearings on reforming ECPA, with technology companies and digital rights groups lobbying for clear standards that are adaptable to technological advances. Law enforcement has questioned the need to ECPA reform, fearing that reforms could decrease their ability to acquire digital information in a timely manner.
Current ECPA Reform Proposals
- Sen. Patrick Leahy & Sen. Mike Lee, Electronic Communications Privacy Act Amendments Act of 2015, S. 356; Rep. Matt Salmon, H.R. 283
- Sen. Ron Wyden, GPS Act, S. 237; Rep. Jason Chaffetz,
- Rep. Kevin Yonder, Email Privacy Act, H.R. 699
- The Electronic Communications Privacy Act (ECPA), Part 2: Geolocation Privacy and Surveillance, House Judiciary Committee, Subcommittee on Crime, Terrorism, Homeland Security and Investigations, April 25, 2013.
- The Electronic Communications Privacy Act (ECPA), Part 1: Lawful Access to Stored Content, House Judiciary Committee, Subcommittee on Crime, Terrorism, Homeland Security and Investigations, March 9, 2013.
- The Electronic Communications Privacy Act: Government Perspectives on Protecting Privacy in the Digital Age, Senate Judiciary Committee, April 6, 2011.
- ECPA Reform and the Revolution in Cloud Computing, House Judiciary Committee," September 23, 2010.
- "The Electronic Communications Privacy Act: Promoting Security and Protecting Privacy in the Digital Age," Senate Judiciary Committee, September 22, 2010.
- ECPA Reform and the Revolution in Location Based Technologies and Services, House Judiciary Committee, June 24, 2010.
- Electronic Communications Privacy Act Reform, House Judiciary Committee, May 5, 2010.
- Andrew Bagley, Don't Be Evil: The Fourth Amendment in the Age of Google, National Security, and Digital Papers and Effects, 21 Albany Law Journal of Science and Technology 153 (2011).
- Nathan Henderson, The Patriot Act's Impact on the Government's Ability to Conduct Electronic Surveillance of Ongoing Domestic Communications, 52 Duke L.J. 179 (2002).
- Ilana Kattan, Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud, 13 Vanderbilt Journal of Entertainment and Technology Law 617 (2011).
- Haley Plourde-Cole, Back to Katz: Reasonable Expectation of Privacy in the Facebook Age, 38 Fordham Urban Law Journal 571 (2010).
- The Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848 (1986).
- Wire and Electronic Communications Interception and Interception of Oral Communications, 18 U.S.C. Chapter 119.
- Stored Wire and Electronic Communications and Transactional Records Access, 18 U.S.C. Chapter 121.
- Pen Registers and Trap and Trace Devices, 18 U.S.C. Chapter 206.
- Katz v. United States, 389 U.S. 347 (1967).
- Smith v. Maryland, 442 U.S. 735 (1979).
- EPIC's National Security Letters Page
- EPIC's Wiretapping and Electronic Surveillance Page
- American Civil Liberties Union (ACLU) Modernizing ECPA
- Digital Due Process ECPA Reform
- Mario Trujillo and David McCabe, Overnight Tech: Senate Gets Late Start on Email Privacy The Hill (Sept. 15, 2015)
- Sen. Patrick Leahy & Sen. Mike Lee, Update Privacy Laws for the Digital Age, Real Clear Policy (Jan. 28, 2015)
- Cyrus Farivar, Unprecedented E-mail Privacy Bill Sent to Texas Governor's Desk, ArsTechnica (May 28, 2103).
- Timothy B. Lee, Eric Holder Endorses Warrants for E-mail. It's About Time, Wash. Post - Wonkblog (May 16, 2013)
- Editorial, Upgrade Protections of Digital Records, Seattle Times, May 16, 2013
- Patrick McGreevy, California Senate Backs Requiring Warrants When Police Want E-mails, L.A. Times, May 13, 2013
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
In Defense of Women: Memoirs of an Unrepentant Advocate by Nancy Gertner