Cybertelecom
Federal Internet Law & Policy
An Educational Project

ECPA Nutshell

ECPA was passed by the US Congress in 1986 as an amendment to the Wiretap Act. In so doing, Congress sought to revise the federal wiretap law to reflect the privacy concerns of modern communications. A significant advancement for ECPA was recognition of privacy rights not merely in the interception of a communication but also, with the new network, in the access of stored communications. Nevertheless, stored communications receive lesser protections than the interception of transmitted communications.

Creating a clear picture of the new protections that ECPA brings is less than easy. Multiple federal courts, forced to apply ECPA in novel situations, have described ECPA as "famous (if not infamous) for its lack of clarity," as "fraught with trip wires," and as "a fog of inclusions and exclusions." For example, it is not always easy to determine whether a communication is being transmitted or is a stored communication.

ECPA dramatically expanded the definition of “communications.” Previously wiretaps were of voice communications. ECPA expanded this to include non-voice communications including “signs, signals, writings, images, sound, data, or intelligence of any nature transmitted in whole or in part by wire, radio, electromagnetic, photoelectric or photo-optical systems.” [18 U.S.C. § 2510(12)] [H.R. Rep. No. 99-647 at 35 (commenting on definition of "Electronic Communications")][Councilman (ECPA covers email including email in storage during transmission)]. If it’s out there, Congress wanted to reach out and touch it.

ECPA applies differently to public ISPs, private networks, remote computer processing services, and a subscriber’s computer. How ECPA applies can be significantly different for a network that only provides private services to a particular company, like a corporate network or university network.

[Note that what follows is DOJ's interpretation of ECPA and not necessarily what the courts might conclude ECPA holds]

An electronic communication service (“ECS”) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). [Councilman] For example, “telephone companies and electronic mail companies” generally act as providers of electronic communication services. See S. Rep. No. 99-541 (1986), reprinted in 1986 USCCAN 3555, 3568; see also FTC v. Netscape Communications Corp., 196 FRD 559, 560 (ND Cal. 2000) (noting that Netscape, a provider of email accounts through netscape.net, is a provider of ECS). [S&S Manual Sec. III.B.] [Bohach] [Mullins] [SEGA] [Tokai] [Crowley]

. . . . .

The term “remote computing service” (“RCS”) is defined by 18 U.S.C. § 2711(2) as “provision to the public of computer storage or processing services by means of an electronic communications system.” An “electronic communications system” is “any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications.” 18 U.S.C. § 2510(14).

Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a customer. See S. Rep. No. 99-541 (1986), reprinted in 1986 USCCAN 3555, 3564-65. For example, a service provider that processes data in a time-sharing arrangement provides an RCS. See HR Rep. No. 99-647, at 23 (1986). A mainframe computer that stores data for future retrieval also provides an RCS. See Steve Jackson Games, Inc. v. US Secret Service, 816 F.Supp. 432, 443 (WDTex 1993) (holding that provider of bulletin board services was a remote computing service). In contrast with a provider of ECS, a provider of RCS does not hold customer files on their way to a third intended destination; instead, they are stored or processed by the provider for the convenience of the account holder. Accordingly, files held by a provider acting as an RCS cannot be in “electronic storage” according to § 2510(17).

Under the definition provided by § 2711(2), a service can only be a "remote computing service" if it is available "to the public." Services are available to the public if they are available to any member of the general population who complies with the requisite procedures and pays any requisite fees. For example, America Online is a provider to the public: anyone can obtain an AOL account. (It may seem odd at first that a service can charge a fee but still be considered available "to the public," but this mirrors commercial relationships in the physical world. For example, movie theaters are open "to the public" because anyone can buy a ticket and see a show, even though tickets are not free.) In contrast, providers whose services are open only to those with a special relationship with the provider are not available to the public. For example, employers may offer network accounts only to employees. See Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting the "providing . . . to the public" clause in § 2702(a) to exclude an internal e-mail system that was made available to a hired contractor but was not available to "any member of the community at large"). Such providers cannot provide remote computing service because their network services are not available to the public.

Whether an entity is a provider of "electronic communication service," a provider of "remote computing service," or neither depends on the nature of the particular communication sought. For example, a single provider can simultaneously provide "electronic communication service" with respect to one communication and "remote computing service" with respect to another communication.

An example can illustrate how these principles work in practice. Imagine that Joe sends an e-mail from his account at work ("joe@goodcompany.com") to the personal account of his friend Jane ("jane@localisp.com"). The e-mail will stream across the Internet until it reaches the servers of Jane's Internet service provider, here the fictional LocalISP. When the message first arrives at LocalISP, LocalISP is a provider of ECS with respect to that message. Before Jane accesses LocalISP and retrieves the message, Joe's e-mail is in "electronic storage." See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). Once Jane retrieves Joe's e-mail, she can either delete the message from LocalISP's server, or else leave the message stored there. If Jane chooses to store the e-mail with LocalISP, LocalISP is now a provider of RCS (and not ECS) with respect to the e-mail sent by Joe. The role of LocalISP has changed from a transmitter of Joe's e-mail to a storage facility for a file stored remotely for Jane by a provider of RCS. See H.R. Rep. No. 99-647, at 64-65 (1986) (noting Congressional intent to treat opened e-mail stored on a server under provisions relating to remote computing services, rather than services holding communications in "electronic storage").

Next imagine that Jane responds to Joe's e-mail. Jane's return e-mail to Joe will stream across the Internet to the servers of Joe's employer, Good Company. Before Joe retrieves the e-mail from Good Company's servers, Good Company is a provider of ECS with respect to Jane's e-mail (just like LocalISP was with respect to Joe's original e-mail before Jane accessed it). When Joe accesses Jane's e-mail message and the communication reaches its destination (Joe), Good Company ceases to be a provider of ECS with respect to that e-mail (just as LocalISP ceased to be a provider of ECS with respect to Joe's original e-mail when Jane accessed it). Unlike LocalISP, however, Good Company does not become a provider of RCS if Joe decides to store the opened e-mail on Good Company's server. Rather, for purposes of this specific message, Good Company is a provider of neither ECS nor RCS. Good Company does not provide RCS because it does not provide services to the public. See 18 U.S.C. § 2711(2) ("[T]he term 'remote computing service' means the provision to the public of computer storage or processing services by means of an electronic communications system.") (emphasis added); Andersen Consulting, 991 F. Supp. at 1043. Because Good Company provides neither ECS nor RCS with respect to the opened e-mail in Joe's account, ECPA no longer regulates access to this e-mail, and such access is governed solely by the Fourth Amendment. Functionally speaking, the opened e-mail in Joe's account drops out of ECPA.

Finally, consider the status of the other copies in this scenario: Jane has downloaded a copy of Joe's e-mail from LocalISP's server to her personal computer at home, and Joe has downloaded a copy of Jane's e-mail from Good Company's server to his office desktop computer at work. ECPA governs neither. Although these computers contain copies of e-mails, these copies are not stored on the server of a third-party provider of RCS or ECS, and therefore ECPA does not apply. Access to the copies of the communications stored in Jane's personal computer at home and Joe's office computer at work is governed solely by the Fourth Amendment. See generally Chapters 1 and 2.

As this example indicates, a single provider can simultaneously provide ECS with regard to some communications and RCS with regard to others, or ECS with regard to some communications and neither ECS nor RCS with regard to others. As a practical matter, however, agents do not need to grapple with these difficult issues in most cases. Instead, agents can simply draft the appropriate order based on the information they seek. For example, if the police suspect that Jane and Joe have conspired to commit a crime, the police might seek an order or subpoena compelling LocalISP to divulge all files in Jane's account except for those in "electronic storage." In plain English, this is equivalent to asking for all of Jane's opened e-mails and stored files. Alternatively, the police might seek an order compelling Good Company to disclose files in "electronic storage" in Joe's account. This is equivalent to asking for unopened e-mails in Joe's account. A helpful chart appears in Part F of this chapter. Sample language that may be used appears in Appendices B, E, and F.

[Search & Seizure Manual]
