Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project
ECPA: Service Provider Exceptions Dont be a FOOL; The Law is Not DIY

Between the Man with the Badge and the sinister figure frequently lies the service provider. Where The Man wants to reach out and touch someone, the service provider will almost necessarily be involved.

Rules:

Definitions

See Chart Below comparing different service provider exceptions for the Wiretap Act, the Stored Communications Act, and the Pen Register Act.
See also Common Carrier :: Right to Refuse Service

Service Provider Exceptions:

Necessary Incident to Rendition of Service

A certain degree of traffic interception is incident to the normal operation of a network; in these cases, service providers will be glad to know, such interception will not land them in the slammer.

Courts have interpreted this exception narrowly; in cases where operators have used “network operation” as a pretense for capturing information for other agendas, they have not escaped the attention of the law.

Observing or Random Monitoring

"In applying the second clause only to wire communications, this provision reflects an important technical distinction between electronic communications and traditional voice telephone service. The provider of electronic communications services may have to monitor a stream of transmissions in order to properly route, terminate, and otherwise manage the individual messages they contain. These monitoring functions, which may be necessary to the provision of an electronic communication service, do not involve humans listening in on voice conversations. Accordingly, they are not prohibited. In contrast, the traditional limits on service 'observing' and random 'monitoring' do refer to human aural interceptions and are retained with respect to voice or 'wire' communications." S. Rep. 99-541, p. 19 (1986).

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

The "normal course of his employment" and "necessary to the rendition of his service" clauses of § 2511(2)(a)(i) provide additional contexts in which the provider exception applies. Courts have held that the first of these exceptions authorizes a business to receive email sent to an account provided by the business to a former employee or to an account associated with a newly acquired business. See Freedom Calls Found. v. Bukstel, 2006 WL 845509, at *27 (E.D.N.Y. 2006) (employer entitled in the normal course of business to intercept emails sent to account of former employee because, inter alia, "monitoring is necessary to ensure that . . . email messages are answered in a timely fashion"); Ideal Aerosmith, Inc. v. Acutronic USA, Inc., 2007 WL 4394447, at *5-6 (E.D. Pa. 2007) (corporation entitled in the normal course of business to intercept emails sent to business it acquired). The "necessary to the rendition of his service" clause permits providers to intercept, use, or disclose communications in the ordinary course of business when the interception is unavoidable. See United States v. New York Tel. Co., 434 U.S. 159, 168 n.13 (1977) (noting that § 2511(2)(a)(i) "excludes all normal telephone company business practices" from the prohibition of Title III). These cases generally arose when analog phone lines were in use. For example, a switchboard operator may briefly overhear conversations when connecting calls. See, e.g., Savage, 564 F.2d at 731-32; Adams v. Sumner, 39 F.3d 933, 935 (9th Cir. 1994). Similarly, repairmen may overhear snippets of conversations in the course of repairs. See United States v. Ross, 713 F.2d 389, 392 (8th Cir. 1983). These cases concerning wire communications suggest that the "necessary incident to the rendition of his service" language would likewise permit a system administrator to intercept communications in the course of repairing or maintaining a computer network.

Compare Network Neutrality: Reasonable Network Management debate

Switchboard Operators

"Initial intercept by hotel operator or clerk was not "willful" (pre-ECPA mens rea), and continued eavesdropping when distress or possible crime was overheard was not intended by Congress to be unlawful. U.S. v. Savage, 564 F.2d 728 (5th Cir. 1977); Adams v. Sumner, 39 F.3d 933 (9th Cir. 1994)." [DOJ Electronic Surveillance Issues p. 10 (2005)]

"Switchboard operator's exception (2511(2)(a)(i)) is limited only to that moment or so during which the operator must listen to be sure the call is placed. Berry v. Funk, 146 F.3d 1003 (D.C. Cir. 1998)." [DOJ Electronic Surveillance Issues p. 10 (2005)]

Berry v. Funk , 146 F. 3d 1003, 1010 (DC Cir. 1998) ("A switchboard operator is authorized to overhear (and disclose and use) only that part of a conversation "which is a necessary incident to the rendition of his service." We think it rather obvious from the statutory language that Congress recognized switchboard operators, when connecting calls, inevitably would overhear a small part of a call, but the exception permitting them to use that content is limited only to that moment or so during which the operator must listen to be sure the call is placed. (It has been held that the operator also may stay on the line on those rare occasions when he hears something troubling during that moment, such as the planning of a murder.) See, e.g., Adams v. Sumner , 39 F.3d 933 (9th Cir.1994); United States v. Axselle, 604 F.2d 1330 (10th Cir.1979); United States v. Savage, 564 F.2d 728 (5th Cir. 1977). In short, the switchboard operator, performing only the switchboard function, is never authorized simply to monitor calls.")

United States v. Axselle , 604 F.2d 1330 (10th Cir.1979) (interception of the defendant's telephone conversation by a motel switchboard operator while connecting his call was not willful).

United States v. Savage , 564 F. 2d 728, 731 (5th Cir. 1977) (where hotel switchboard operator, in the normal course of receiving an incoming call, overheard evidence of criminal activity, and reported that activity to the police, such inadvertent interception did not violate ECPA)

People v. Sierra, 74 Misc. 2d 332, 343 (N.Y. Sup. 1973) (long distance operator may stay on the line long enough to ensure that the call went through)

State ex rel. Flournoy v. Wren, 108 Ariz. 356, 498 P.2d 444 (1972) ("the inadvertent or accidental overhearing of a telephone conversation by an operator is not a willful interception as proscribed by 18 U.S.C. § 2511. ")

U.S. v. Murdock , 63 F.3d 1391, 1397 (6 th Cir. 1995) ("We find that the indiscriminate recording of both incoming and and outgoing calls by Mrs. Murdock does not constitute conduct within the ordinary course of the funeral home business in which she had an interest as a part owner.")

State v Dwyer , 120 Ariz 291 (Ct. App. Ariz/ 1978)

U.S. v. Murdock , 63 F.3d 1391, 1397 (6 th Cir. 1995) ("We find that the indiscriminate recording of both incoming and and outgoing calls by Mrs. Murdock does not constitute conduct within the ordinary course of the funeral home business in which she had an interest as a part owner.")

Protection of the Network

Compare 39 CFR 233.11 - Mail reasonably suspected of being dangerous to persons or property. ((b) "Mail, sealed or unsealed, reasonably suspected of posing an immediate danger to life or limb or an immediate and substantial danger to property may, without a search warrant, be detained, opened, removed from postal custody, and processed or treated") . See USPS.

Exception

Internet companies consistently are given the right to maintain the integrity of their systems. Internet companies may monitor communications for the purpose of protecting the network.

It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

18 U.S.C. § 2511(2)(a)(i). 18 U.S.C. § 2702(b)(5) (“a provider described in subsection (a) may divulge the contents of a communication – as may be necessarily incident … to the protection of the rights or property of the provider of that service.”); 18 U.S.C. § 2702(c)(3) (customer records); 18 U.S.C. § 3121(b) (pen registers or trap and traces). [Search & Seizure Manual Appendix G]

This could include such actions as logging the keystrokes typed and actions taken by a suspected hacker. It was used in the 1970s by telephone companies to stop the theft of their services through the use of “blue boxes.” [Criminal Resource Manual] But such interceptions must be legitimately for the purpose of protecting the network, and not merely using protection of the network as a pretense to spy on stuff well beyond the legitimate scope of this exception. [McClelland] Furthermore, exception would not apply where networks are merely operating at the direction of and therefore as agents of the feds. [Pervaz]

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

The "rights or property of the provider" clause of § 2511(2)(a)(i) grants providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service." United States v. Villanueva, 32 F. Supp. 2d 635, 639 (S.D.N.Y. 1998). ... The exception also permits providers to monitor misuse of a system in order to protect the system from damage or invasions of privacy. For example, system administrators can track intruders within their networks in order to prevent further damage. See Mullins, 992 F.2d at 1478 (need to monitor misuse of computer system justified interception of electronic communications pursuant to § 2511(2)(a)(i)).

The blue box built by Steve Wozniak, on display at the Computer History Museum, taken by Rad man

In the early 1970s, Cap'n Crunch cereal came with a toy whistle that emitted at tone of 2600 hertz - the tone that controlled the telephone network. A hacker, or "phone phreak" named John Thomas Draper reportedly used the whistle to build Blue Boxes. Draper nickname was "Captain Crunch." In the mid 1970s he was hired by Apple Computer. Image by Wapteck at Wikipedia

Blue Box Cases

The protection of property provision of ECPA probably saw its greatest application during the 1970s with what is known as the Blue Box Cases. Out of the 1960s and into the 1970s the hacker culture was growing. "Hackers," by the traditional definition of the word, are not necessarily people who illegally break into systems. Rather, they are individuals intrigued by technology, particularly in an era when innovation in the field is nascent, who love to take things apart and put them back together again in new, innovative, and unanticipated ways. They like to test systems and devices and they like to see if they can build something new. Many of the original hackers have gone on to be executives in leading technology companies. [Hafner p 18 ("Stephen Wozniak and Steven Jobs, who cofounded Apple Computer in 1976, got their start in the consumer electronics business several years earlier, peddling blue boxes in college dormitories.")]

A subgroup of the hackers was the "Phone Phreaks." "Phone Phreaks" are "people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks." As AT&T introduced automatic switches into their networks, Phreaks discovered that they could control the network if they emitted certain tones into the network. They discovered that a specific tone, 2600 Hz, could trick the telephone network into giving them control, at which point the Phreaks could set up long distance telephone calls without charge. Using this knowledge, Phreaks began to build "Blue Boxes" which could emit the 2600 Hz tone and set up calls. [Hafner p 18] Blue Boxes gained notoriety in 1971 with the publication of a feature article in Esquire magazine entitled Secrets of the Little Blue Box: A story so incredible it may even make you feel sorry for the phone company. [Ron Rosenbaum, Secrets of the Little Blue Box , Esquire Magazine (Oct. 1971)]

One federal court described how a Blue Box works as follows: A "Blue Box" is a

"device which permits the user to make long distance telephone calls not reflected in the telephone company's billing records. Such a fraud is perpetrated by applying the blue-box to a telephone line and dialing a toll free number on the telephone. When the receiving phone rings, the box is activated to emit a 2600 cycle tone. This tone disconnects the number dialed but allows the user to remain within the long distance toll network. The user then causes the box to generate a series of multi-frequency tones which correspond to the tones ordinarily generated by an operator placing a long distance call. Since the telephone company's billing system only registers the original toll free call, no one is ever billed for the long distance toll call made with the blue-box." [Freeman 339 7th Cir. 1975].

The telephone companies viewed the use of Blue Boxes as fraud and began to take enforcement action. This, in turn, led to legal challenges to the authority of the telephone networks to tap or monitor their own networks, and an exploration of the protection of rights and property exception to the Wiretap Act.

When the telephone companies had reason to believe that a Blue Box was in use, generally the telephone company would attach a device to the line that would record the use of the Blue Box, record the numbers that were dialed, and then record that the call went through and the salutations (in order to determine who were the parties on the call). According to the courts, telephone companies would generally not record any more of the telephone call and would not record calls where the 2600 Hz tone was not detected. Based on these facts, courts concluded that the telephone companies' had reasonable cause and that their actions were narrowly tailored, and therefore fell within the "protection of rights and property" exception to the Wiretap Act. See ECPA Reference Caselaw BlueBox Cases for more complete list of cases
"Captain Crunch" and "Computer Hacking" (1983 TV Interview)

12F683 Bluebox (demonstrating and explaining a Blue Box)
Discovery Channel - The Secret History of Hacking
The Last HOPE: The History of Phone Phreaking, 1960-1980 (Complete)

 

Clone Mobile Phones

Stored Communications Act Cell Phones

Not Unlimited

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

Importantly, the rights and property clause of the provider exception does not permit providers to conduct unlimited monitoring. See United States v. Auler, 539 F.2d 642, 646 (7th Cir. 1976). Instead, the exception permits providers and their agents to conduct reasonable monitoring that balances the providers' needs to protect their rights and property with their subscribers' right to privacy in their communications. See United States v. Harvey, 540 F.2d 1345, 1351 (8th Cir. 1976) ("The federal courts . . . have construed the statute to impose a standard of reasonableness upon the investigating communication carrier."); United States v. Councilman, 418 F.3d 67, 82 (1st Cir. 2005) ("indisputable" that provider exception did not permit provider to read customer email when done in the hope of gaining a commercial advantage).

Thus, providers investigating unauthorized use of their systems have broad authority to monitor and disclose evidence of unauthorized use under § 2511(2)(a)(i), but should attempt to tailor their monitoring and disclosure to that which is reasonably related to the purpose of the monitoring. See, e.g., United States v. Freeman, 524 F.2d 337, 341 (7th Cir. 1975) (phone company investigating use of illegal devices designed to steal long-distance service acted permissibly under § 2511(2)(a)(i) when it intercepted the first two minutes of every illegal conversation but did not intercept legitimately authorized communications). Expressed another way, there should be a "substantial nexus" between the monitoring and the threat to the provider's rights or property. United States v. McLaren, 957 F. Supp. 215, 219 (M.D. Fla. 1997); see also Bubis v. United States, 384 F.2d 643, 648 (9th Cir. 1967) (interpreting Title III's predecessor statute, 47 U.S.C. § 605, and holding impermissible provider monitoring to convict blue box user of interstate transmission of wagering information).

Reasonable Cause

Substantial Nexus

"Under 2511(2)(a)(i), there must be some substantial nexus between the use of the telephone instrument to be monitored and the specific fraudulent activity being investigated so that the service provider can show that such monitoring is "necessary . . . to the protection of the rights or property of the provider." AT&T had right to monitor employee's communications on company-issued cellphone in furtherance of the employee's fraudulent cellphone cloning scheme where AT&T did not have the capability of intercepting the cloned instruments themselves. U.S. v. McLaren, 957 F. Supp. 215 (M.D. Fla. 1997)." [DOJ Electronic Surveillance Issues p. 9 (2005)]

Narrowly Tailored

The actions of the ECS must be narrowly tailored to the threat to the network. Interceptions in excess of the reasonable cause for the interception have been found to be unreasonable by the courts and outside of the exception. [Bubis 9th Cir. 1967 (suppressing telephone call evidence of over-the-phone gambling where telephone company suspected use of a BlueBox and three month recording of all calls "after ample evidence had been secured of the illegal use by [suspect] of the company's facilities, was unreasonable and unnecessary.")]

Obscene Phone Calls

See also >> Obscenity; Sec. 223

  • Hodge v. Mountain States Tel. & Tel. Co., 555 F. 2d 254 - Court of Appeals, 9th Circuit 1977
  • Acting as Government Agent

    "Cellular One employees were not acting as government agents when, after being informed by the Secret Service that its customers were being defrauded by a clone phone operation, without the knowledge of the government exercised its right under 18 U.S.C. 2511(2)(a)(i) to conduct warrantless interceptions to detect fraudulent use of its services and located the residence from which the clone phone radio signal was being transmitted. Cellular One then provided that information to the Secret Service which then used that information to obtain a search warrant for the residence being used by the clone cell phone users. U.S. v. Pervaz, 118 F.3d 1 (1st Cir. 1997)." [DOJ Electronic Surveillance Issues p. 9 (2005)]

    "A jury could reasonably find that Cellular One was acting as an instrument or agent of the government when police officers conducting a kidnaping investigation, having been informed that Cellular One could conduct, under 18 U.S.C. 2511(2)(a)(i), a warrantless wiretap of a clone cellphone being used by the kidnaping suspect, asked Cellular One to relay to the police the contents of calls monitored by Cellular One. Cellular One appeared to be motivated by its desire to help the officers rather to protect its own property pursuant to the provisions of 18 U.S.C. 2511(2)(a)(i).(The intercepted message relayed to the police, that the caller wouldn't be at work that day, is irrelevant to a cloned phone investigation but very useful to a kidnaping investigation.) Officers are not entitled to qualified immunity because the wiretap statute clearly establishes the rights of someone using a telephone as against the police, and accordingly "it has been crystal clear in this circuit, at least since 1976, that in no situation may the Government direct the telephone company to intercept wire communications in order to circumvent the warrant requirements of a reasonable search." U.S. v. Auler, 539 F.2d 642 (7th Cir. 1976). "This is why the courts in Pervaz and McLaren . . . go to such lengths to determine whether the phone companies . . . were acting at the request or direction of police officers." McClelland v. McGrath, 31 F. Supp.2d 616 (N.D. Ill. 1998)." [DOJ Electronic Surveillance Issues p. 9 (2005)]

    Inadvertent Acquisition

    A service provider may disclose intercepted communications where such communications were intercepted accidentally and such communications “appear to pertain to the commission of a crime.”

    (b) A person or entity providing electronic communication service to the public may divulge the contents of any such communication- . . . or (iv) which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.

    18 U.S.C. § 2511(3)(b)(iv). 18 U.S.C. § 2702(b)(6)(A).

    Emergencies

    Computer Trespassers

    Service providers can voluntarily authorize law enforcement officials to intercept the communications of a trespasser on the network.

    (i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer, if-

    (I) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

    (II) the person acting under color of law is lawfully engaged in an investigation;

    (III) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

    (IV) such interception does not acquire communications other than those transmitted to or from the computer trespasser.

    18 U.S.C. § 2511(2)(i). [Search & Seizure Manual Appendix H] This is another new addition brought by the Patriot Act. DOJ thought it curious that where there is a trespasser illegally on a network and where the network operator desires the government’s assistance, law enforcement officials still would need a court order (of course a response might be that it remains to be seen whether the individual in question is in fact a trespasser). The activities of the law enforcement officer are required to be limited to the illegal activities of the trespasser and the law enforcement officer must be engaged in an investigation.

    A computer trespasser
    (A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and

    (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.

    18 U.S.C. § 2510(21).

    Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

    Under this exception, law enforcement-or a private party acting at the direction of law enforcement-may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before interception can occur, the four requirements found in § 2511(2)(i)(I)-(IV) must be met. Under the first of these requirements, the owner or operator of the computer must authorize the interception. In general, although not specifically required by Title III, it is good practice for investigators to seek written consent for the interception from the computer's owner or a high-level agent of that owner. Under § 2511(2)(i)(IV), investigators may not invoke the computer trespasser exception unless they are able to avoid intercepting communications of authorized users. Critically, however, the computer trespasser exception may be used in combination with other authorities, such as the consent exception of § 2511(2)(d) and the provider exception of § 2511(2)(a)(I), and in such cases it may be permissible for investigators to also intercept communications of authorized users. For example, if all non-trespassing users of a network have consented to the monitoring their communications by law enforcement, and if the computer trespasser exception can be used to monitor the communications of all trespassers on the network, then law enforcement will be able to monitor all network communications. Similarly, a provider who has monitored its system to protect its rights and property under § 2511(2)(a)(i), and who has subsequently contacted law enforcement to report some criminal activity, may continue to monitor the criminal activity of trespassers on its system under the direction of law enforcement using the computer trespasser exception. In such circumstances, the provider will then be acting under color of law as an agent of the government.

    Child Protection

    A service provider may disclose content to a law enforcement officer where required to do so by the Child Protection and Sexual Predator Punishment Act of 1998. 42 U.S.C. § 13032, 18 U.S.C. § 2702(b)(6)(B). Under this law, service providers who become aware of child pornography must report it; this does not require them or permit them to intercept communications for the purposes of searching out child pornography.

    ISP Liability & Immunity

    ISPs who rely in good faith upon a court order, warrant, a section 2518(7) emergency certification, or grand jury subpoena are not liable - even where the court order might prove invalid. 18 U.S.C. § 2511(2)(a)(ii), § 2520(d), § 2703(3), & § 2707(e), § 3124(d)&(e). [Davis 1484] [Sams 9th Cir. 2013] McCready v. eBay, Inc., 453 F.3d 882, 892 (7th Cir. 2006) (adopting objective test of good faith); Freedman v. America Online, Inc., 325 F. Supp. 2d 638, 647-48 (E.D. Va. 2004) (adopting test of good faith with both an objective and subjective component); Fox v. CoxCom Inc., No. CV-11-594, 2012 WL 6019016, at *3 (D. Ariz. Dec. 3, 2012) (same). Sinaloa Lake Owners Ass'n v. City of Simi Valley, 70 F.3d 1095, 1099 (9th Cir. 1995) ("whether a particular defendant satisfies the requirements to establish "good faith reliance" is a mixed question of law and fact."). United States v. Crews, 502 F.3d 1130, 1136-38 (9th Cir. 2007) (finding good faith reliance as a matter of law where search warrant affidavit contained sufficient indicia of probable cause on its face).

    "A service provider who knowingly or intentionally violates the prohibition is subject to civil liability, but there are no criminal penalties for the breach." [CRS p. 14 2009]

    Conversely, ISPs who failed to comply with authorized interceptions or searches may be liable up to $10,000 per day. 18 U.S.C. § 2522; § 3124(d), (e).

    18 USC § 2707(e) Defense.- A good faith reliance on-

    (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703 (f) of this title);

    (2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or

    (3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of;

    is a complete defense to any civil or criminal action brought under this chapter or any other law.

     

    Network Neutrality and ECPA

    When an ISP engaged in network management activity which is not necessary incident to rendition of service or to protection of the network, is it possible that the ISP has violated ECPA? Did ISPs who partnered with the NebuAd service violate ECPA? There are several experts who have noted the correlation between ECPA and Network Neutrality and there are several pending court cases exploring this connection:

    Literature

    Litigation

     

    News


    Provider Monitoring Letter , Example

    Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 220 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

    This letter is intended to inform [law enforcement agency] of [Provider's] decision to conduct monitoring of unauthorized activity within its computer network pursuant to 18 U.S.C. § 2511(2)(a)(i), and to disclose some or all of the fruits of this monitoring to law enforcement if [Provider] deems disclosure will assist in protecting its rights or property. On or about [date], [Provider] became aware that it was the victim of unauthorized intrusions into its computer network. [Provider] understands that 18 U.S.C. § 2511(2)(a)(i) authorizes

    an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service[.]

    This statutory authority permits [Provider] to engage in reasonable monitoring of unauthorized use of its network to protect its rights or property and also to disclose intercepted communications to [law enforcement] to further the protection of [Provider]'s rights or property. Under 18 U.S.C. §§ 2702(b)(5) and 2702(c)(3), [Provider] is also permitted to disclose customer communications, records, or other information related to such monitoring if such disclosure protects the [Provider]'s rights and property.

    To protect its rights and property, [Provider] plans to [continue to] conduct reasonable monitoring of the unauthorized use in an effort to evaluate the scope of the unauthorized activity and attempt to discover the identity of the person or persons responsible. [Provider] may then wish to disclose some or all of the fruits of its interception, records, or other information related to such interception, to law enforcement to help support a criminal investigation concerning the unauthorized use and criminal prosecution for the unauthorized activity of the person(s) responsible.

    [Provider] understands that it is under absolutely no obligation to conduct any monitoring whatsoever, or to disclose the fruits of any monitoring, records, or other information related to such monitoring, and that [law enforcement] has not directed, requested, encouraged, or solicited [Provider] to intercept, disclose, or use monitored communications, associated records, or other information for law enforcement purposes.

    Accordingly, [Provider] will not engage in monitoring solely or primarily to assist law enforcement absent an appropriate court order or a relevant exception to the Wiretap Act (e.g., 18 U.S.C. § 2511(2)(i)). Any monitoring and/or disclosure will be at [Provider's] initiative. [Provider] also recognizes that the interception of wire and electronic communications beyond the permissible scope of 18 U.S.C. § 2511(2)(a)(i) may potentially subject it to civil and criminal penalties.

    Sincerely, General Counsel

    Sample Authorization for Monitoring of Computer Trespasser Activity , Example

    Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 220 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

    I am [Name of Owner/Operator or person acting on behalf of Owner/ Operator, Title] of [Name and Address of Organization]. I am the [Owner] [Operator] [person acting on behalf of the Owner or Operator], and own or have the authority to supervise, manage, or control operation of the [relevant part of the] [Organization's] computer system or the data and communications on and through the network. An unauthorized user(s), who I understand has no contractual basis for any access to this computer system, has accessed this computer and is a trespasser(s). I hereby authorize [law enforcement agency] to intercept communications to, through, or from a trespasser(s) transmitted to, through, or from [Organization's] computer system. The general nature of the communications to be monitored are [general description of the identifying characteristics of the communications to be monitored.] [Organization will assist law enforcement agency to conduct such interception under the direction of law enforcement agency.] Such interception may occur at any location on the computer system or network, including at multiple or changed locations, which may facilitate the interception of communications to or from the trespasser.

    This authorization does not extend to the interception of communications other than those to, through, or from a trespasser(s). This authorization does not restrict monitoring under any other appropriate exception to the Wiretap Act, 18 U.S.C. § 2510 et seq.

    This authorization is valid [for a specified time period] [indefinitely, until withdrawn in writing by me or a person acting for me]. I understand I may withdraw authorization for monitoring at any time, but I agree to do so in writing.

    Signature of Owner/Operator Date

    Exception Title I: Wiretap Act Title II: SCA Disclosure (not access) Contents of Stored Communications Title II: SCA Customer Records Title III: Pen Register Act

    47 USC § 605

    To addressee or intended recipient

    18 USC § 2511(2)(d)

    18 USC § 2511(3)(a) (ECS to the public)

    18 USC 2702(b)(1) 18 USC 2702(c)(6) ("to any person other than a government entity")  

    47 USC § 605(a)(1)

    Lawful consent

    18 USC § 2511(2)(d)

    18 USC § 2511(3)(b)(ii) (ECS to Public)

    18 USC 2702(b)(3) 18 USC 2702(c)(2) 18 USC § 3121(b)(3) 47 USC § 605(a) (Except as authorized by Wiretap Act)
    Forwarding Facilities 18 USC § 2511(3)(b)(iii) (ECS to Public) 18 USC 2702(b)(4) 18 USC 2702(c)(6) ("to any person other than a government entity")   47 USC § 605(a)(2)&(3)
    Necessary Incident to Rendition of Service

    18 USC § 2511(2)(a)(i)

    18 USC § 2511(3)(b)(i) (ECS to Public, as authorized in Sec. 2511(2)(a))

    18 USC 2702(b)(5) 18 USC 2702(c)(3) 18 USC § 3121(b)(1) 47 USC § 605(a) (Except as authorized by Wiretap Act)
    Protection of Property and Service

    18 USC § 2511(2)(a)(i)

    18 USC § 2511(2)(h)(ii) (protection from fraudulent, unlawful or abusive use of such service)

    18 USC § 2511(3)(b)(i) (ECS to Public, as authorized in Sec. 2511(2)(a))

    18 USC 2702(b)(5) 18 USC 2702(c)(3) 18 USC § 3121(b)(1)&(2) 47 USC § 605(a) (Except as authorized by Wiretap Act)
    Radio Communications 18 USC § 2511(2)(g)       47 USC § 605(a) (Except as authorized by Wiretap Act)
    to the NCMED (child protection)   18 USC 2702(b)(6) 18 USC 2702(c)(5)    
    In Response to Legal Authority

    18 USC § 2511(2)(a)(ii) (FISA)

    18 USC § 2511(3)(b)(i) (ECS to Public)

    18 USC § 2511(2)(i) (computer trespassers)

    18 USC § 2511(3)(b)(i) (ECS to Public, as authorized in Sec. 2511(2)(a))

    See 18 USC § 2518 Authorization for interception of wire, oral or electronic communications

    18 USC 2702(b)(2) 18 USC 2702(c)(1) 18 USC § 3121(a) 47 USC § 605(a)(5)&(6)
    Law Enforcement if received inadvertent and appears to pertain to crime 18 USC § 2511(3)(b)(iv) (ECS to Public) 18 USC 2702(b)(7)     47 USC § 605(a) (Except as authorized by Wiretap Act)
    To Government if emergency   18 USC 2702(b)(8) 18 USC 2702(c)(4)