Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. No. 99-508, 100 Stat. 1848 (Oct. 21, 1986), codified at 18 U.S.C. §§2510-22, 2701-11, 3121-26 (full-text). The ECPA has been amended several times.
The Act amended title III of the Omnibus Crime Control and Safe Streets Act of 1968 — the federal wiretap law — to protect against the unauthorized interception of electronic communications. The bill amended the 1968 law to update and clarify federal privacy protections and standards in light of dramatic changes in new computer and telecommunications technologies.
The Act attempts to strike a balance between the fundamental privacy rights of citizens and the legitimate needs of law enforcement with respect to data shared or stored in various types of electronic and telecommunications services. Since the Act was passed the Internet and associated technologies have expanded exponentially.
Title I - Wiretap Act (18 U.S.C. §2510 et seq.)
Title I of the ECPA (referred to as the "Wiretap Act") addresses the interception of wire, oral and electronic communications. It sought to bring the law in line with technological developments and changes in the structure of the telecommunications industry.
As it applies to Internet and network investigations, Title I focuses on the interception of the content of communications while the communications are in transit and governs the disclosure of intercepted communications. Examples of such interceptions may include —
As a basic rule, the Wiretap Act prohibits anyone who is not a participating party to a private communication from intercepting the communication between or among the participating parties using an "electronic, mechanical, or other device," unless one of several statutory exceptions applies.
One exception is the issuance of an order by a court of competent jurisdiction that authorizes interception. The requirements to obtain such an order are substantial. Violation of the Wiretap Act can lead to criminal and civil liability. In the case of wire and oral communications, a violation by government officials may result in the suppression of evidence.
To ensure compliance, law enforcement must determine whether —
- The communication to be monitored is one of the protected communications defined in the statute.
- The proposed surveillance constitutes an “interception” of the communication.
If both conditions are present, an evaluation should be conducted to determine whether a statutory exception applies that permits the interception.
Title II - Stored Wire and Electronic Communications Act (18 U.S.C. §2701 et seq.)
Title II of the ECPA (referred to as the "Stored Communications Act" or "SCA") provides customers and subscribers of certain communications service providers with privacy protections. The statute protects records held, such as billing, as well as files stored (e.g., e-mail, uploaded files) by providers for customers and subscribers. The ECPA provides a higher level of privacy protection to the contents of communications and files stored with a provider than to records detailing the use of the service or the subscriber's identity.
Depending on the type of provider, the ECPA may dictate what type of legal process is necessary to compel the provider to disclose specific types of customer/subscriber information to law enforcement. The ECPA also limits what a provider may and may not voluntarily disclose to others, including the government.
Law enforcement agents may use a subpoena, if allowed by their State law, to obtain certain information relating to the identity of a customer/subscriber, the customer/subscriber's relationship with the service provider, and basic session connection records. Specifically, a subpoena is effective to compel a service provider to disclose the following information about the customer/subscriber:
- Local and long distance telephone connection records or records of session times and durations
- Length of service (including start date) and types of service utilized
- Telephone or instrument number or other subscriber number or identity, the Internet Protocol address used to establish the account, and any temporarily assigned network IP address
- The means and source of payment for such service (including any credit card or bank account numbers)
Notably, extensive transaction-related records, such as logging information revealing the e-mail addresses of persons with whom a customer corresponded during prior sessions or "buddy lists," are not available by subpoena. However, the use of a subpoena with notice can allow the discovery of the same evidence as a 2703(d) order and can be utilized when seeking this type of information.
Generally speaking, the more sensitive the information (from basic subscriber information to transactional information to content of certain kinds of stored communications), the higher the level of legal process required to compel disclosure (from subpoena to court order under 2703(d) to search warrant).
As the level of government process escalates from subpoena to 2703(d) order to search warrant, the information available under the less exacting standard is included at the higher level (e.g., a search warrant grants access to basic subscriber information, transactional information, and content of stored communications).
A law enforcement agent will need to obtain a court order under 18 U.S.C. §2703(d) to compel a provider to disclose more detailed, noncontent subscriber and session information, commonly referred to as transactional information, about the use of the services by a customer/subscriber. These records could include —
Content of stored communications
The ECPA distinguishes between communications in storage that have already been retrieved by the customer or subscriber and those that have not. The statute also distinguishes between retrieved communications that are held by an electronic communications service, which can be public or private, and those held by a remote computing service, which only provides service to the public.
Subpoena: retrieved communications held by private provider
The ECPA applies to stored communications that a customer or subscriber has retrieved but left on the server of the communications service provider, if the service provider offers those services to the public. Under the statute, such a provider is considered a “remote computing service” and is not permitted to voluntarily disclose such content to the government unless certain circumstances exist. These communications include any files that a customer may have stored on the public provider’s system. If the provider does not offer those services to the public, no constraints are imposed by the ECPA on the right of the provider to disclose such information voluntarily.
The ECPA does not require any heightened or particular legal process to compel disclosure of such records. For example, the ECPA does not apply to a government request to compel an employer to produce the retrieved e-mail of a particular employee if the employer offers e-mail services and accounts to its employees but not to the public generally. Where the ECPA does not apply, such information may be available through traditional legal processes.
Subpoena or 2703(d), with notice: retrieved communications, unretrieved communications older than 180 days, and other files stored with a public provider
The ECPA applies to stored communications that a customer or subscriber has retrieved but left on the server of a communications services provider if the provider offers those services to the public. Such communications include text files, pictures, and programs that a customer may have stored on the public provider’s system. Under the statute, such a provider is considered a “remote computing service” and is not permitted to disclose voluntarily such content to the government.
Law enforcement may also use a subpoena or a 2703(d) order with prior notice to compel a service provider to disclose communications that are unretrieved but have been on the server more than 180 days. As a practical matter, most providers will not allow unretrieved messages to stay on a server unaccessed for such a long period.
If law enforcement is using a search warrant or seeking noncontent information, no notice is required.
Prior notice to subscriber
Law enforcement may use either a subpoena or a 2703(d) court order to compel a public service provider to disclose the contents of stored communications that have been retrieved or communications that are unretrieved but have been on the server more than 180 days by a customer or subscriber. In both cases, law enforcement is required to either give prior notice to the subscriber or comply with delayed notice provisions of section 2705(a). Law enforcement can also use a search warrant, which does not require notice to the subscriber to obtain this information.
Section 2705(a) in ECPA allows agents to delay notice to the customer or subscriber when notice would jeopardize a pending investigation or endanger the life or physical safety of an individual. However, pursuant to 2705(b), a “no-notice provision” included with the subpoena or search warrant may prevent the ISP from making disclosure to the subscriber.
At the end of the delayed notice period, law enforcement must send a copy of the request or process to the customer or subscriber, along with a letter explaining the delay.
Note: If the investigating agency is located within the jurisdiction of the U.S. Court of Appeals for the Ninth Circuit (California, Oregon, Washington, Arizona, Montana, Idaho, Nevada, Alaska, Hawaii, Guam, and the Northern Mariana Islands), the investigator must use a search warrant to compel disclosure of all communications, retrieved or unretrieved. If the investigating agency is located outside the Ninth Circuit, the investigator may follow the traditional ECPA interpretation, under which retrieved communications are available pursuant to a subpoena or 2703(d) court order with notice, even if the provider is located in the Ninth Circuit. However, many large providers, including AOL, Yahoo!, and Hotmail, may only provide content information pursuant to a search warrant based on Theofel v. Farey-Jones.
Search warrant: Unretrieved communications
Unretrieved communications (including voice mail) held by the provider for 180 days or fewer have the highest level of protection available under the ECPA. The ECPA covers such communications whether the service provider is private or public.
For example, under the ECPA an e-mail sent to a customer is considered unretrieved if it resides on the server of the customer’s provider (i.e., an ISP or the customer’s employer), but the customer has not yet logged on and accessed the message. Once the customer accesses the e-mail (but a copy remains on the server of the provider), the e-mail is deemed retrieved.
Law enforcement may seek a search warrant to compel the production of unretrieved communications in storage with a service provider. No prior notice to the customer/subscriber is required if information is obtained with a search warrant. A search warrant may also be used to obtain subscriber and transactional information.
Voluntary disclosure of electronic communications — 18 U.S.C. § 2702(b)(6)(C)
Providers of services not available to the public may freely disclose both contents and other records relating to stored communications. ECPA imposes restrictions on voluntary disclosures by providers of services to the public, but it also includes exceptions to those restrictions.
ECPA provides for the voluntary disclosure of contents of electronic communications when the provider “reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.”
Note: Some States may have applicable laws that are more restrictive than the ECPA. The ECPA does not preempt these laws unless Federal agents are conducting the investigation. State and local law enforcement agents must comply with any such State act, even if there is no violation of the Federal statute.
Remedy: Civil damages
Civil damages are the exclusive remedy for violations of Title II of the ECPA. The ECPA does not contain a provision to suppress evidence obtained in violation of Title II of the Act.
Disclosure Rules of Title II of the ECPA
Title III - Pen Register and Trap and Trace Statute (18 U.S.C. §3121 et seq.)
Title III of the ECPA regulates the use of pen registers, and trap and trace devices. It governs the real-time acquisition of dialing, routing, addressing, and signaling information relating to communications. Unlike the Wiretap Act, Title III does not cover the acquisition of the content of communications; rather, it covers the transactional information about communications.
The statute generally forbids the nonconsensual, real-time acquisition of non-content information by any person about a wire or electronic communication (telephone and Internet communications) unless a statutory exception applies. For example, every e-mail communication contains “to” and “from” information. A pen register or trap and trace device captures such information in real-time.
When no exception to this prohibition applies, law enforcement must obtain a pen register order from the court before acquiring non-content information covered by the statute. A pen register order authorizes the recording of outgoing connection information including every phone number that a specific phone dialed. A pen register order does not authorize the collection of numbers dialed after the connection is established (e.g., account number or PIN) because they constitute content. Conversely, a trap and trace order authorizes the recording of incoming connection information.
The statute also applies to real-time capture of transactional information related to Internet and network communications. For example, every e-mail communication contains “to” and “from” information. Also, Internet/network packets may contain source and destination addresses.
The ECPA authorizes court orders for the installation and use of pen registers as well as trap and trace devices, which identify source and address of communications, but not the contents of the conversation. These orders may be issued on the basis of relevancy to a criminal investigation and their results need not be disclosed to the individuals whose communications are their targets. Perhaps because in the case of Internet communications header information is more revealing than the mere identification of source and addressee telephone numbers, results of such orders must be reported to the issuing court under seal.
ECPA reform efforts focus on crafting a legal structure that is up-to-date, can be effectively applied to modern technology, and that protects users’ reasonable expectations of privacy. ECPA is viewed by many stakeholders as unwieldy, complex, and difficult for judges to apply. Cloud computing poses particular challenges to the ECPA framework. For example, when law enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data stored on an individual’s personal or business hard drive.
An ECPA reform advocacy coalition has advanced the following principles:
- A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public, but only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.
- A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device, but only with a warrant issued based on a showing of probable cause.
- A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, e-mail to and from information or other data currently covered by the authority for pen registers and trap and trace devices, but only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under §2703(d).
- Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All nonparticularized requests must be subject to judicial approval.
The House Republican Cybersecurity Task Force recommended changes to laws governing the protection of electronic communications to facilitate sharing of appropriate cybersecurity information, including the development of an anonymous reporting mechanism.
- The ECPA was amended, and its privacy protections weakened, by the USA PATRIOT Act, Pub. L. No. 107-56, Oct. 26, 2001. It was again amended by the USA PATRIOT Act Improvement and Reauthorization Act of 2005 (Pub. L. No. 109-177, Mar. 9, 2006). Finally, it was again amended by the FISA Amendments Act of 2008, Pub. L. No. 110-261, July 10, 2008.
- 100 Stat. 1848; see also House Committee on the Judiciary, “Electronic Communications Privacy Act of 1986,” H.R. Rpt. 99-647, 99th Cong. 2d Sess. 2, at 19 (1986).
- ECPA Reform and the Revolution in Cloud Computing (statement of Edward W. Felton, Professor Princeton University):
“ In 1986, when ECPA was passed, the Internet consisted of a few thousand computers. The network was run by the U.S. government for research and education purposes, and commercial activity was forbidden. There were no web pages, because the web had not been invented. Google would not be founded for another decade. Twitter would not be founded for another two decades. Mark Zuckerberg, who would grow up to start Facebook, was two years old. In talking about advances in computing, people often focus on the equipment. Certainly the advances in computing equipment since 1986 have been spectacular. Compared to the high-end supercomputers of 1986, today’s mobile phones have more memory, more computing horsepower, and a better network connection not to mention a vastly lower price. ”
- Some States have versions of the Wiretap Act that are more restrictive than the federal act. The federal act does not preempt these laws unless federal agents are conducting the investigation. State and local law enforcement agents must comply with any such State act, even if there is no violation of the federal Wiretap Act.
- See 18 U.S.C. §2702(b) and 18 U.S.C. §2701(c) for information on the “circumstances”.
- The ECPA may apply if the e-mail sought resides on the employer’s server and has not yet been retrieved by the employee.
- 359 F.3d 1066 (9th Cir. 2004).
- The USA PATRIOT Improvement and Reauthorization Act of 2005 (Pub. L. No. 109–177) made permanent section 209 of the USA PATRIOT Act, which allows retrieval of voice mail with a search warrant rather than an intercept order.
- Some States have versions of the Pen Register and Trap and Trace Statute that are more restrictive than the federal Act. The federal Act does not preempt these laws unless federal agents conduct the investigation. State and local law enforcement agents must comply with any such State act, even if there is no violation of the federal statute.
- J. Beckwith Burr, “The Electronic Communications Privacy Act of 1986: Principles for Reform” (Mar. 30, 2010) (full-text)
- House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, "ECPA Reform and the Revolution in Cloud Computing" (statement of Michael Hintze, Associate General Counsel, Microsoft Corp.).
- Digital Due Process Coalition, “Our Principles” (2010) (full-text)
- House Republican Cybersecurity Task Force Report, at 14.
- ECPA Reform and the Revolution in Cloud Computing
- ECPA Reform and the Revolution in Location Based Technologies and Services
- Legal Issues, A Site Manager's Nightmare