Electronic Communications Privacy Act

(Redirected from ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer (18 U.S.C. § 2510 et seq.), added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act (SCA, 18 U.S.C. § 2701 et seq.), and added so-called pen trap provisions that permit the tracing of telephone communications (18 U.S.C. § 3121 et seq.). ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA has been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008).[1]

Electronic Communications Privacy Act of 1986
Great Seal of the United States
Long titleAn Act to amend title 18, United States Code, with respect to the interception of certain communications, other forms of surveillance, and for other purposes.
Acronyms (colloquial)ECPA
Enacted bythe 99th United States Congress
EffectiveOctober 21, 1986
Citations
Public lawPub. L. 99–508
Statutes at Large100 Stat. 1848
Codification
Acts amendedOmnibus Crime Control and Safe Streets Act of 1968
Titles amended18
Legislative history
  • Introduced in the House as H.R. 4952 by Robert Kastenmeier (DWI) on June 5, 1986
  • Committee consideration by Judiciary
  • Passed the House on June 23, 1986 (Voice Vote)
  • Passed the Senate on October 1, 1986 (Voice Vote) with amendment
  • House agreed to Senate amendment on October 2, 1986 (Unanimous Consent)
  • Signed into law by President Ronald Reagan on October 21, 1986
Major amendments
Communications Assistance for Law Enforcement Act
USA PATRIOT Act
FISA Amendments Act

Overview

edit

"Electronic communications" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptic system that affects interstate or foreign commerce, but excludes the following:[2]

Title I of the ECPA protects wire, oral, and electronic communications while in transit. It sets down requirements for search warrants that are more stringent than in other settings.[3] Title II of the ECPA, the Stored Communications Act (SCA), protects communications held in electronic storage, most notably messages stored on computers. Its protections are weaker than those of Title I, however, and do not impose heightened standards for warrants. Title III prohibits the use of pen register and/or trap and trace devices to record dialing, routing, addressing, and signaling information used in the process of transmitting wire or electronic communications without a court order.

History

edit

The law was first brought to attention after the Captain Midnight broadcast signal intrusion, where electrical engineer John R. MacDougall hacked into the HBO signal on April 27, 1986.

As a consequence, this act was passed. This act also made satellite hijacking a felony.[4]

Provisions

edit

The ECPA extended government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer (18 U.S.C. § 2510 et seq.), added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act (18 U.S.C. § 2701 et seq.), and added so-called pen/trap provisions that permit the tracing of telephone communications (18 U.S.C. § 3121 et seq.).

18 U.S.C. § 3123(d)(2) provides for gag orders which direct the recipient of a pen register or trap and trace device order not to disclose the existence of the pen/trap or the investigation.[5]

Employee privacy

edit

The ECPA extended privacy protections provided by the Omnibus Crime Control and Safe Streets Act of 1968 (of employers monitoring of employees phone calls) to include also electronic and cell phone communications.[6][7] See also Employee monitoring and Workplace privacy.

Case law

edit

Several court cases have raised the question of whether e-mail messages are protected under the stricter provisions of Title I while they were in transient storage en route to their final destination. In United States v. Councilman, a U.S. district court and a three-judge appeals panel ruled they were not, but in 2005, the full United States Court of Appeals for the First Circuit reversed this opinion. Privacy advocates were relieved; they had argued in amicus curiae briefs that if the ECPA did not protect e-mail in temporary storage, its added protections were meaningless as virtually all electronic mail is stored temporarily in transit at least once and that Congress would have known this in 1986 when the law was passed. (see, e.g., RFC 822). The case was eventually dismissed on grounds unrelated to ECPA issues.[citation needed]

The seizure of a computer, used to operate an electronic bulletin board system, and containing private electronic mail which had been sent to (stored on) the bulletin board, but not read (retrieved) by the intended recipients, does not constitute an unlawful intercept under the Federal Wiretap Act, 18 U.S.C. s 2510, et seq., as amended by Title I of ECPA.[8] Governments can actually track cell phones in real time without a search warrant under ECPA by analyzing information as to antennae being contacted by cell phones, as long as the cell phone is used in public where visual surveillance is available.[9]

In Robbins v. Lower Merion School District (2010), also known as "WebcamGate", the plaintiffs charged that two suburban Philadelphia high schools violated ECPA by remotely activating the webcams embedded in school-issued laptops and monitoring the students at home. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[10][11]

Criticism

edit

ECPA has been criticized for failing to protect all communications and consumer records, mainly because the law is so outdated and out of touch with how people currently share, store, and use information.

Under ECPA, it is relatively easy for a government agency to demand service providers hand over personal consumer data stored on the service provider's servers.[12] Email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned. All that is required to obtain the content of the emails by a law enforcement agency is a written statement certifying that the information is relevant to an investigation, without judicial review.[13] When the law was initially passed, emails were stored on a third party's server for only a short period of time, just long enough to facilitate transfer of email to the consumer's email client, which was generally located on their personal or work computer. Now, with online email services prevalent such as Gmail and Hotmail, users are more likely to store emails online indefinitely, rather than to only keep them for less than 180 days.[14] If the same emails were stored on the user's personal computer, it would require the police to obtain a warrant first for seizure of their contents, regardless of their age. When they are stored on an internet server however, no warrant is needed, starting 180 days after receipt of the message, under the law. In 2013, members of the U.S. Congress proposed to reform this procedure.[15]

ECPA also increased the list of crimes that can justify the use of surveillance, as well as the number of judicial members who can authorize such surveillance. Data can be obtained on traffic and calling patterns of an individual or a group without a warrant, allowing an agency to gain valuable intelligence and possibly invade privacy without any scrutiny, because the actual content of the communication is left untouched. While workplace communications are, in theory, protected, all that is needed to gain access to communiqué is for an employer to simply give notice or a supervisor to report that the employee's actions are not in the company's interest. This means that, with minimal assumptions, an employer can monitor communications within the company. The ongoing debate is, where to limit the government's power to see into civilian lives, while balancing the need to curb national threats.[citation needed][16]

In 2011, The New York Times published "1986 Privacy Law Is Outrun by the Web", highlighting that:[17]

...the Justice Department argued in court that cellphone users had given up the expectation of privacy about their location by voluntarily giving that information to carriers. In April, it argued in a federal court in Colorado that it ought to have access to some e-mails without a search warrant. And federal law enforcement officials, citing technology advances, plan to ask for new regulations that would smooth their ability to perform legal wiretaps of various Internet communications.

The analysis went on to discuss how Google, Facebook, Verizon, Twitter and other companies are in the middle between users and governments.

See also

edit

References

edit
  1. ^ "Office of Justice Programs (OJP), U.S. Department of Justice (DOJ)".
  2. ^ 18 U.S.C.A. § 2510 (2012)
  3. ^ Theohary, Catherine A. (2010). Cybersecurity: Current Legislation, Executive Branch Initiatives, and Options for Congress. DIANE Publishing. ISBN 978-1-4379-2434-3.
  4. ^ Bloombecker, J. J. B. (July 1988). "Captain Midnight and the Space Hackers". Security Management. 32 (7): 77–79, 82. Archived from the original on September 24, 2017. Retrieved September 24, 2017.
  5. ^ "In Re: Sealing and Non-disclosure of Pen/Trap/2703(d) Orders of May 30, 2008, p. 5" (PDF). steptoe.com.
  6. ^ Kubasek, Nancy; Browne, M. Neil; Heron, Daniel; Dhooge, Lucien; Barkacs, Linda (2016). Dynamic Business Law: The Essentials (3d ed.). McGraw-Hill. p. 528. ISBN 978-1-259-41565-4.
  7. ^ Slide 22 of Chapter 24 Powerpoint Archived 2017-03-12 at the Wayback Machine for text: Kubasek, Nancy; Browne, M. Neil; Heron, Daniel; Dhooge, Lucien; Barkacs, Linda (2013). Dynamic Business Law: The Essentials (2d ed.). McGraw-Hill. ISBN 978-0-07-352497-9.
  8. ^ 36 F.3d 457 (5th Cir. 1994).
  9. ^ 402 F. Supp. 2d 597 (D. Md. 2005).
  10. ^ Doug Stanglin (February 18, 2010). "School district accused of spying on kids via laptop webcams". USA Today. Retrieved February 19, 2010.
  11. ^ "Initial LANrev System Findings" (PDF). Lower Merion School District. May 2010. Archived from the original (PDF) on 15 June 2010. Retrieved 17 October 2016. LMSD Redacted Forensic Analysis, L-3 Services – prepared for Ballard Spahr (LMSD's counsel)
  12. ^ Schwartz, Ari; Mulligan, Deirdre; Mondal, Indrani (2004–2005). "Storing Our Lives Online: Expanded Email Storage Raises Complex Policy Issues". I/S: A Journal of Law and Policy for the Information Society. 1: 597.
  13. ^ "18 U.S. Code § 2703". Legal Information Institute. Cornell Law School. Retrieved 7 September 2020.
  14. ^ "Modernizing the Electronic Communications Privacy Act (ECPA)". American Civil Liberties Union. Retrieved 2021-09-04.
  15. ^ Andrea Peterson, "Privacy Protections for Cloud E-mail", Think Progress, March 20, 2013.
  16. ^ Bambara, Joseph (Spring 2014). "Information Privacy and the Law within these United States" (PDF). International In-house Counsel Journal. 7 (27): 1–5 – via iicj.
  17. ^ Helft, Miguel and Claire Cain Miller, “News Analysis: 1986 Privacy Law Is Outrun by the Web”, The New York Times, January 9, 2011. Retrieved 2011-01-10.