ECPA: Network Service Providers

Between the Man with the Badge and the sinister figure frequently lies the service provider. Where The Man wants to reach out and touch someone, the service provider will almost necessarily be involved. Service providers for their part may not always appreciate anxious law enforcement officers mucking about their networks and uttering that feared word, “oops.”

Rule: Service providers may freely disclose non-content information to anyone but law enforcement officials; service providers may not disclose content information to anyone. 18 U.S.C. § 2702(a).

Network Operation

A certain degree of traffic interception is incident to the normal operation of a network; in these cases, service providers will be glad to know, such interception will not land them in the slammer. 18 U.S.C. § 2511(2)(A)(i) (“It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.”). 18 U.S.C. § 2702(b)(5) (“a provider described in subsection (a) may divulge the contents of a communication – as may be necessarily incident to the rendition of the service…”); 18 U.S.C. § 2702(c)(3) (customer records). However, courts have interpreted this exception narrowly; in cases where operators have used “network operation” as a pretense for capturing information for other agendas, they have not escaped the attention of the law.

Protection of the Network

Internet companies consistently are given the right to maintain the integrity of their systems. Internet companies may monitor communications for the purpose of protecting the network. 18 U.S.C. § 2511(2)(a)(i); 18 U.S.C. § 2702(b)(5) (“a provider described in subsection (a) may divulge the contents of a communication – as may be necessarily incident … to the protection of the rights or property of the provider of that service.”); 18 U.S.C. § 2702(c)(3) (customer records); 18 U.S.C. § 3121(b) (pen registers or trap and traces). [Search & Seizure Manual Appendix G] This could include such actions as logging the keystrokes typed and actions taken by a suspected hacker. It was used in the 1970s by telephone companies to stop the theft of their services through the use of “blue boxes.” [Criminal Resource Manual] But such interceptions must be legitimately for the purpose of protecting the network, and not merely using protection of the network as a pretense to spy on stuff well beyond the legitimate scope of this exception. [McClelland] Furthermore, exception would not apply where networks are merely operating at the direction of and therefore as agents of the feds. [Pervaz]

Accidental Acquisition

A service provider may disclose intercepted communications where such communications were intercepted accidentally and such communications “appear to pertain to the commission of a crime.” 18 U.S.C. § 2511(3)(b)(iv); 18 U.S.C. § 2702(b)(6)(A).

Emergencies

See also Law Enforcement: Times of Emergency.
See also Non Content Time of Emergency

A service provider may disclose the content of communications or customer records to a law enforcement officer “if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” 18 U.S.C. § 2702(b)(6)(C) (contents of communications); 2702(c)(4) (customer records). Note that service providers are neither required to make these disclosures – they are voluntary – nor are they required to monitor their networks for these purposes.

Pursuant to the Homeland Security Act, the emergency disclosure of content provision no longer sunsets on December 31, 2005. However, the emergency disclosure of customer records still sunsets on December 31, 2005. [See Patriot Act]

Computer Trespassers

Service providers can voluntarily authorize law enforcement officials to intercept the communications of a trespasser on the network. 18 U.S.C. § 2511(2)(i). [Search & Seizure Manual Appendix H] This is another new addition brought by the Patriot Act. DOJ thought it curious that where there is a trespasser illegally on a network and where the network operator desires the government’s assistance, law enforcement officials still would need a court order (of course a response might be that it remains to be seen whether the individual in question is in fact a trespasser). The activities of the law enforcement officer are required to be limited to the illegal activities of the trespasser and the law enforcement officer must be engaged in an investigation.

A computer trespasser

(A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and

(B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.

18 U.S.C. § 2510(21).

Computer Trespasser exception sunsets December 31, 2005.

Child Protection

A service provider may disclose content to a law enforcement officer where required to do so by the Child Protection and Sexual Predator Punishment Act of 1998. 42 U.S.C. § 13032, 18 U.S.C. § 2702(b)(6)(B). Under this law, service providers who become aware of child pornography must report it; this does not require them or permit them to intercept communications for the purposes of searching out child pornography.

Law Enforcement (Service Provider Relations)

As further elaborated below, a crucial exception is that a service provider may provide the information in question to a law enforcement officer when the service provider has received proper legal authority.

Whatever the legal process, service providers might be interested to note the law enforcement community’s recommendation to itself:

In general, investigators should communicate with network service providers before issuing subpoenas or obtaining court orders that compel the providers to disclose information.

Law enforcement officials who procure records under ECPA quickly learn the importance of communicating with network service providers. This is true because every network provider works differently. Some providers retain very complete records for a long period of time; others retain few records, or even none. Some providers can comply easily with law enforcement requests for information; others struggle to comply with even simple requests. These differences result from varied philosophies, resources, hardware and software among network service providers. Because of these differences, agents often will want to communicate with network providers to learn how the provider operates before obtaining a legal order that compels the provider to act.

[Search and Seizure Manual, Sec. III.G.]