Between the Man with the Badge and the sinister figure frequently lies the service provider. Where The Man wants to reach out and touch someone, the service provider will almost necessarily be involved.

Rules:

• Interception of Content
• Non Content, Acquisition of

Exceptions to the Rule

Definitions

Electronic Communications Service

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

An electronic communication service (“ECS”) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 USC § 2510(15). [] For example, “telephone companies and electronic mail companies” generally act as ECS providers. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3568; Quon v. Arch Wireless Operating Co., 529 F.3d 892, 900-03 (9th Cir. 2008) (text messaging service provider is an ECS); In re Application of United States, 509 F. Supp. 2d 76, 79 (D. Mass. 2007) (cell phone service provider is an ECS); Kaufman v. Nest Seekers, LLC, 2006 WL 2807177, at *5 (S.D.N.Y. Sept. 26, 2006) (host of electronic bulletin board is ECS); Freedman v. America Online, Inc., 325 F. Supp. 2d 638, 643 n.4 (E.D. Va. 2004) (AOL is an ECS).

Any company or government entity that provides others with the means to communicate electronically can be a “provider of electronic communication service” relating to the communications it provides, regardless of the entity’s primary business or function. See Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 114-15 (3d Cir. 2004) (insurance company that provided email service to employees is an ECS); Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996) (city providing pager service to its police officers was a provider of ECS); United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with computerized travel reservation system accessed through separate computer terminals can be a provider of ECS). In In re Application of United States, 349 F.3d 1132, 1138-41 (9th Cir. 2003), the Ninth Circuit held that a company operating a system that enabled drivers to communicate with designated call centers over a cellular telephone network was an ECS, though it also noted that the situation would have been entirely different “if the Company merely used wire communication as an incident to providing some other service, as is the case with a street-front shop that requires potential customers to speak into an intercom device before permitting entry, or a ‘drive-thru’ restaurant that allows customers to place orders via a two-way intercom located beside the drive-up lane.” Id. at 1141 n.19.

A provider cannot provide ECS with respect to a communication if the service did not provide the ability to send or receive that communication. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private email of users of another company’s bulletin board service was not a provider of electronic communication service); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not provider of electronic communication service).

Significantly, a mere user of ECS provided by another is not a provider of ECS. For example, a commercial website is not a provider of ECS, even though it may send and receive electronic communications from customers. In Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001), the plaintiff argued that Amazon.com (to whom plaintiff sent his name, credit card number, and other identification information) was an electronic communications service provider because “without recipients such as Amazon. com, users would have no ability to send electronic information.” The court rejected this argument, holding that Amazon was properly characterized as a user rather than a provider of ECS. See id. See also United States v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003) (a home computer connected to the Internet is not an ECS); In re Jetblue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 309-10 (E.D.N.Y. 2005) (airline that operated website that enabled it to communicate with customers was not an ECS); Dyer v. Northwest Airlines Corp., 334 F. Supp. 2d 1196, 1199 (D.N.D. 2004) (ECS “does not encompass businesses selling traditional products or services online”); In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 508-09 (S.D.N.Y. 2001) (distinguishing ISPs that provide ECS from websites that are users of ECS). However, “an online business or retailer may be considered an electronic communication service provider if the business has a website that offers customers the ability to send messages or communications to third parties.” Becker v. Toca, 2008 WL 4443050, at *4 (E.D. La. Sept. 26, 2008).

Remote Computing Service

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

The term “remote computing service” (“RCS”) is defined by 18 U.S.C. § 2711(2) as “the provision to the public of computer storage or processing services by means of an electronic communications system.” An “electronic communications system” is “any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications.” 18 U.S.C. § 2510(14).

Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a customer. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3564-65. For example, a service provider that allows customers to use its computing facilities in “essentially a time-sharing arrangement” provides an RCS. H.R. Rep. No. 99-647, at 23 (1986). A server that allows users to store data for future retrieval also provides an RCS. See Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 442-43 (W.D. Tex. 1993) (provider of bulletin board services was a remote computing service), aff’d on other grounds, 36 F.3d 457 (5th Cir. 1994). Importantly, an entity that operates a website and its associated servers is not an RCS, unless of course the entity offers a storage or processing service through the website. For example, an airline may compile and store passenger information and itineraries through its website, but these functions are incidental to providing airline reservation service, not data storage and processing service; they do not convert the airline into an RCS. See In re Jetblue Airways Corp. Privacy Litigation, 379 F. Supp. 2d at 310; see also United States v. Standefer, 2007 WL 2301760, at *5 (S.D. Cal. Aug. 8, 2007) (holding that e-gold payment website was not an RCS because e-gold customers did not use the website “to simply store electronic data” or to “outsource tasks,” but instead used e-gold “to transfer gold ownership to other users”).

Under the definition provided by § 2711(2), a service can only be a “remote computing service” if it is available “to the public.” Services are available to the public if they are available to any member of the general population who complies with the requisite procedures and pays any requisite fees. For example, Verizon is a provider to the public: anyone can obtain a Verizon account. (It may seem odd at first that a service can charge a fee but still be considered available “to the public,” but this approach mirrors commercial relationships in the physical world. For example, movie theaters are open “to the public” because anyone can buy a ticket and see a show, even though tickets are not free.) In contrast, providers whose services are available only to those with a special relationship with the provider do not provide service to the public. For example, an employer that provides email accounts to its employees will not be an RCS with respect to those employees, because such email accounts are not available to the public. See Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting the “to the public” clause in § 2702(a) to exclude an internal email system that was made available to a hired contractor but was not available to “any member of the community at large”).

In Quon v. Arch Wireless Operating Co., the Ninth Circuit held that a text messaging service provider was an ECS and therefore not an RCS. See Quon, 529 F.3d at 902-03. However, this “either/or” approach to ECS and RCS is contrary to the language of the statute and its legislative history. The definitions of ECS and RCS are independent of each other, and therefore nothing prevents a service provider from providing both forms of service to a single customer. In addition, an email service provider is certainly an ECS, but the House report on the SCA also stated that an email stored after transmission would be protected by a provision of the SCA that protects contents of communications stored by an RCS. See H.R. Rep. No. 99-647, at 65 (1986). One subsequent court has rejected the Ninth Circuit’s analysis in Quon and stated that a provider “may be deemed to provide both an ECS and an RCS to the same customer.” Flagg, v. City of Detroit, 252 F.R.D. 346, 362 (E.D. Mich. 2008). The key to determining whether the provider is an ECS or RCS is to ask what role the provider has played and is playing with respect to the communication in question.

Exceptions:

Network Operation

A certain degree of traffic interception is incident to the normal operation of a network; in these cases, service providers will be glad to know, such interception will not land them in the slammer.

• 18 U.S.C. § 2511(2)(A)(i) “It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.”.
• 18 U.S.C. § 2702(b)(5) “a provider described in subsection (a) may divulge the contents of a communication – as may be necessarily incident to the rendition of the service…”
• 18 U.S.C. § 2702(c)(3) (customer records).

However, courts have interpreted this exception narrowly; in cases where operators have used “network operation” as a pretense for capturing information for other agendas, they have not escaped the attention of the law.

Compare Network Neutrality: Reasonable Network Management debate

Protection of the Network

Internet companies consistently are given the right to maintain the integrity of their systems. Internet companies may monitor communications for the purpose of protecting the network.

It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

18 U.S.C. § 2511(2)(a)(i). 18 U.S.C. § 2702(b)(5) (“a provider described in subsection (a) may divulge the contents of a communication – as may be necessarily incident … to the protection of the rights or property of the provider of that service.”); 18 U.S.C. § 2702(c)(3) (customer records); 18 U.S.C. § 3121(b) (pen registers or trap and traces). [Search & Seizure Manual Appendix G] This could include such actions as logging the keystrokes typed and actions taken by a suspected hacker. It was used in the 1970s by telephone companies to stop the theft of their services through the use of “blue boxes.” [Criminal Resource Manual] But such interceptions must be legitimately for the purpose of protecting the network, and not merely using protection of the network as a pretense to spy on stuff well beyond the legitimate scope of this exception. [McClelland] Furthermore, exception would not apply where networks are merely operating at the direction of and therefore as agents of the feds. [Pervaz]

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

The “rights or property of the provider” clause of § 2511(2)(a)(i) grants providers the right “to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service.” United States v. Villanueva, 32 F. Supp. 2d 635, 639 (S.D.N.Y. 1998). For example, employees of a cellular phone company may intercept communications from an illegally “cloned” cell phone in the course of locating its source. See United States v. Pervaz, 118 F.3d 1, 5 (1st Cir. 1997). The exception also permits providers to monitor misuse of a system in order to protect the system from damage or invasions of privacy. For example, system administrators can track intruders within their networks in order to prevent further damage. See Mullins, 992 F.2d at 1478 (need to monitor misuse of computer system justified interception of electronic communications pursuant to § 2511(2)(a)(i)).

Importantly, the rights and property clause of the provider exception does not permit providers to conduct unlimited monitoring. See United States v. Auler, 539 F.2d 642, 646 (7th Cir. 1976). Instead, the exception permits providers and their agents to conduct reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications. See United States v. Harvey, 540 F.2d 1345, 1351 (8th Cir. 1976) (“The federal courts . . . have construed the statute to impose a standard of reasonableness upon the investigating communication carrier.”); United States v. Councilman, 418 F.3d 67, 82 (1st Cir. 2005) (“indisputable” that provider exception did not permit provider to read customer email when done in the hope of gaining a commercial advantage).

Thus, providers investigating unauthorized use of their systems have broad authority to monitor and disclose evidence of unauthorized use under § 2511(2)(a)(i), but should attempt to tailor their monitoring and disclosure to that which is reasonably related to the purpose of the monitoring. See, e.g., United States v. Freeman, 524 F.2d 337, 341 (7th Cir. 1975) (phone company investigating use of illegal devices designed to steal long-distance service acted permissibly under § 2511(2)(a)(i) when it intercepted the first two minutes of every illegal conversation but did not intercept legitimately authorized communications). Expressed another way, there should be a “substantial nexus” between the monitoring and the threat to the provider’s rights or property. United States v. McLaren, 957 F. Supp. 215, 219 (M.D. Fla. 1997); see also Bubis v. United States, 384 F.2d 643, 648 (9th Cir. 1967) (interpreting Title III’s predecessor statute, 47 U.S.C. § 605, and holding impermissible provider monitoring to convict blue box user of interstate transmission of wagering information).

. . . . .

The “normal course of his employment” and “necessary to the rendition of his service” clauses of § 2511(2)(a)(i) provide additional contexts in which the provider exception applies. Courts have held that the first of these exceptions authorizes a business to receive email sent to an account provided by the business to a former employee or to an account associated with a newly acquired business. See Freedom Calls Found. v. Bukstel, 2006 WL 845509, at *27 (E.D.N.Y. 2006) (employer entitled in the normal course of business to intercept emails sent to account of former employee because, inter alia, “monitoring is necessary to ensure that . . . email messages are answered in a timely fashion”); Ideal Aerosmith, Inc. v. Acutronic USA, Inc., 2007 WL 4394447, at *5-6 (E.D. Pa. 2007) (corporation entitled in the normal course of business to intercept emails sent to business it acquired). The “necessary to the rendition of his service” clause permits providers to intercept, use, or disclose communications in the ordinary course of business when the interception is unavoidable. See United States v. New York Tel. Co., 434 U.S. 159, 168 n.13 (1977) (noting that § 2511(2)(a)(i) “excludes all normal telephone company business practices” from the prohibition of Title III). These cases generally arose when analog phone lines were in use. For example, a switchboard operator may briefly overhear conversations when connecting calls. See, e.g., Savage, 564 F.2d at 731-32; Adams v. Sumner, 39 F.3d 933, 935 (9th Cir. 1994). Similarly, repairmen may overhear snippets of conversations in the course of repairs. See United States v. Ross, 713 F.2d 389, 392 (8th Cir. 1983). These cases concerning wire communications suggest that the “necessary incident to the rendition of his service” language would likewise permit a system administrator to intercept communications in the course of repairing or maintaining a computer network.

Accidental Acquisition

A service provider may disclose intercepted communications where such communications were intercepted accidentally and such communications “appear to pertain to the commission of a crime.”

(b) A person or entity providing electronic communication service to the public may divulge the contents of any such communication— . . . or (iv) which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.

18 U.S.C. § 2511(3)(b)(iv). 18 U.S.C. § 2702(b)(6)(A).

Emergencies

Computer Trespassers

Service providers can voluntarily authorize law enforcement officials to intercept the communications of a trespasser on the network.

(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer, if—

(I) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

(II) the person acting under color of law is lawfully engaged in an investigation;

(III) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

(IV) such interception does not acquire communications other than those transmitted to or from the computer trespasser.

18 U.S.C. § 2511(2)(i). [Search & Seizure Manual Appendix H] This is another new addition brought by the Patriot Act. DOJ thought it curious that where there is a trespasser illegally on a network and where the network operator desires the government’s assistance, law enforcement officials still would need a court order (of course a response might be that it remains to be seen whether the individual in question is in fact a trespasser). The activities of the law enforcement officer are required to be limited to the illegal activities of the trespasser and the law enforcement officer must be engaged in an investigation.

A computer trespasser

(A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and

(B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.

18 U.S.C. § 2510(21).

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

Under this exception, law enforcement—or a private party acting at the direction of law enforcement—may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before interception can occur, the four requirements found in § 2511(2)(i)(I)-(IV) must be met. Under the first of these requirements, the owner or operator of the computer must authorize the interception. In general, although not specifically required by Title III, it is good practice for investigators to seek written consent for the interception from the computer’s owner or a high-level agent of that owner. Under § 2511(2)(i)(IV), investigators may not invoke the computer trespasser exception unless they are able to avoid intercepting communications of authorized users. Critically, however, the computer trespasser exception may be used in combination with other authorities, such as the consent exception of § 2511(2)(d) and the provider exception of § 2511(2)(a)(I), and in such cases it may be permissible for investigators to also intercept communications of authorized users. For example, if all non-trespassing users of a network have consented to the monitoring their communications by law enforcement, and if the computer trespasser exception can be used to monitor the communications of all trespassers on the network, then law enforcement will be able to monitor all network communications. Similarly, a provider who has monitored its system to protect its rights and property under § 2511(2)(a)(i), and who has subsequently contacted law enforcement to report some criminal activity, may continue to monitor the criminal activity of trespassers on its system under the direction of law enforcement using the computer trespasser exception. In such circumstances, the provider will then be acting under color of law as an agent of the government.

Child Protection

A service provider may disclose content to a law enforcement officer where required to do so by the Child Protection and Sexual Predator Punishment Act of 1998. 42 U.S.C. § 13032, 18 U.S.C. § 2702(b)(6)(B). Under this law, service providers who become aware of child pornography must report it; this does not require them or permit them to intercept communications for the purposes of searching out child pornography.

Law Enforcement

Provider Monitoring Letter , Example

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 220 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

Sample Authorization for Monitoring of Computer Trespasser Activity , Example

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 220 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)