Federal Internet Law & Policy
An Educational Project

Title I :: Wiretap Act ::
Law Enforcement Intercepting Content

Dont be a FOOL; The Law is Not DIY

Confused? So are we. Check out the What Gets What Chart.

Rule: Nobody gets to intercept communications.


ECPA gives to law enforcement the authority to intercept messages contemporaneously with transmission. 18 U.S.C. 2518 [Councilman 201-03] [Steiger 1048-49] [Konop 878] [Steve Jackson]. [But See Konop (Reinhardt dissent)]

"'Contents,' when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication." [18 U.S.C. § 2510(8)]

"Intercept" is defined broadly as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." [18 U.S.C. § 2510(4)]

An email in temporary, transient electronic storage is an email during transmission. [Councilman 79 1st Cir 2005]

Legal Process:

In order to obtain a search warrant, law enforcement officers must demonstrate probable cause – in other words that it is more likely than not – that the search will reveal evidence of criminal wrong doing. [18 U.S.C. § 2516(3)] The court order must also specify

[18 U.S.C. § 2518] Not every criminal act is sufficient; the United States Code sets forth the felonies that are sufficient to merit this type of intrusion. [18 U.S.C. § 2516(2)] Note that this list was expanded pursuant to the Patriot Act to include hacking and other violations under the Computer Fraud and Abuse Act. [See Sunset]

The official must also certify that all reasonable and normal investigative procedures have been exhausted and that the facilities to be tapped are owned or commonly used by the targeted individual. [18 U.S.C. § 2518(1)(c)] The Application must also show "must show that the surveillance will be conducted in a way that minimizes the interception of communications that do not provide evidence of a crime. See § 2518(5)." [Search & Seizure 2009 p 168]

"High-level Justice Department approval is required for federal Title III applications, by statute in the case of wire communications, see 18 U.S.C. 2516(1), and by Justice Department policy in the case of electronic communications (except for numeric pagers). See United States Attorneys' Manual 9-7.100." [Search Seizure 2009 p 167]

Time Limit:

The warrant is good for no more than 30 days, and can be extended. [18 U.S.C. § 2518(5)].

Examples of types of actions that law enforcement officers may request in order to intercept communications include recording keystrokes or the cloning of an email account.

Law enforcement officers may only disclose the content of the intercepted communications as authorized by 18 U.S.C. § 2517. [See DOJ US Attorney's Manual Title 9-7.250 Electronic Surveillance: Use and Unsealing of Title III Affidavits]

Execution of Warrant:

“Once a magistrate judge signs the warrant, however, investigators ordinarily do not themselves search through the provider's computers in search of the materials described in the warrant. Instead, investigators serve the warrant on the provider as they would a subpoena, and the provider produces the material described in the warrant.” [US DOJ Search and Seizure Manual, Sec. III.D.5.]

Geographic Scope: Roving Wiretaps:

“Pursuant to 18 U.S.C. § 2518 (11)(a) and (b), the government may obtain authorization to intercept wire, oral, and electronic communications of specifically named subjects without specifying with particularity the premises within, or the facilities over which, the communications will be intercepted. (Such authorization is commonly referred to as "roving" authorization.) As to the interception of oral communications, the government may seek authorization without specifying the location(s) of the interception when it can be shown that it is not practical to do so. See United States v. Bianco, 998 F.2d 1112 (2d Cir. 1993), cert. denied, 114 S. Ct. 1644 (1994); United States v. Orena, 883 F. Supp. 849 (EDNY 1995). An application for the interception of wire and electronic communications of specifically named subjects may be made without specifying the facility or facilities over which the communications will be intercepted when it can be shown that the subject or subjects of the interception have demonstrated a purpose to thwart interception by changing facilities. See United States v. Gaytan, 74 F.3d 545 (5th Cir. 1996); United States v. Petti, 973 F.2d 1441 (9th Cir. 1992), cert. denied, 113 S.Ct. 1859 (1993); United States v. Villegas, 1993 WL 535013 (S.D.N.Y. December 22, 1993).

“When the government seeks authorization for roving interception, the Department's authorization must be made by the Attorney General, the Deputy Attorney General, the Associate Attorney General, an Assistant Attorney General, or an Acting Assistant Attorney General. See 18 U.S.C. § 2518(11)(a)(i) and (b)(i).” [DOJ US Attorney's Manual Title 9-7.111 Electronic Surveillance ]

The location of a wiretap (and thus whether the local authorities have jurisdiction) can be either the location of the phone itself or the location of the listening post. United States v.. Rodriguez, 968 F.2d 130, 136 (2dCir. 1992) ("In sum, the language of § 2510(4), the legislative history of that section, and the police considerations of Title III all persuade us that for purposes of § 2518(3)'s jurisdictional requirement, a communication is intercepted not only where the tapped telephone is located, but also where the contents of the redirected communication are first to be heard."); United States v. Denman, 100 F.3d 399, 402, 403-04 (5thCir. 1996) ("We agree with the reasoning of the Second Circuit and now hold that interception includes both the location of a tapped telephone and the original listening post, and that judges in either jurisdiction have authority under Title III to issue wiretap orders. As the Rodriguez court noted, this interpretation aids an important goal of Title III, to protect privacy interests, by enabling one judge to supervise an investigation that spans more than one judicial district. "If all of the authorizations are sought from the same court, there is a better chance that unnecessary or unnecessarily long interceptions will be avoided.""); United States v. Tavarez, 40 F.3d 1136 (10thCir. 1994) ("We hold that the location of an "interception" for purposes of section 176.9(C) includes the place where the intercepted communication is heard."); United States v. Ramirez, 112 F.3d 849, 852-53 (7thCir. 1997)United States v. Luong, 471 F.3d 1107, 1109  (9thCir. 2006)Castillov. Texas, 761 S.W.2d 495, 505 (Tex. Ct. App. 1988) ("An aural acquisition takes place where the telecommunications are heard and recorded."); Evans v. State, 314 S.E.2d 421 (Ga. 1984); Davis v. State, Md: Court of Special Appeals 2011


Notice is provided to parties to conversations after the expiration of the order. 18 U.S.C. § 2518(8).

Derived From: DOJ US Attorney's Manual Title 9-7.100 - 110 Electronic Surveillance

DOJ Approval: “One of Title III's most restrictive provisions is the requirement that Federal investigative agencies submit requests for the use of certain types of electronic surveillance (primarily the non-consensual interception of wire and oral communications) to the Department of Justice for review and approval before applications for such interception may be submitted to a court of competent jurisdiction for an order authorizing the interception. Specifically, in 18 U.S.C. § 2516(1), Title III explicitly assigns such review and approval powers to the Attorney General, but allows the Attorney General to delegate this review and approval authority to a limited number of high-level Justice Department officials, including Deputy Assistant Attorneys General for the Criminal Division ("DAAGs"). The DAAGs review and approve or deny proposed applications to conduct "wiretaps" (to intercept wire [telephone] communications, 18 U.S.C. § 2510(1)) and to install and monitor "bugs" (the use of microphones to intercept oral [face-to-face] communications, 18 U.S.C. § 2510(2)).”

. . . . .

“When Justice Department review and approval of a proposed application for electronic surveillance is required, the Electronic Surveillance Unit of the Criminal Division's Office of Enforcement Operations will conduct the initial review of the necessary pleadings, which include:

A. The affidavit of an "investigative or law enforcement officer" of the United States who is empowered by law to conduct investigations of, or to make arrests for, offenses enumerated in 18 U.S.C. § 2516(1) or (3) (which, for any application involving the interception of electronic communications, includes any Federal felony offense), with such affidavit setting forth the facts of the investigation that establish the basis for those probable cause (and other) statements required by Title III to be included in the application;

B. The application by any United States Attorney or his/her Assistant, or any other attorney authorized by law to prosecute or participate in the prosecution of offenses enumerated in 18 U.S.C. § 2516(1) or (3) that provides the basis for the court's jurisdiction to sign an order authorizing the requested interception of wire, oral, and/or electronic communications; and

C. A set of orders to be signed by the court authorizing the government to intercept, or approving the interception of, the wire, oral, and/or electronic communications that are the subject of the application, including appropriate redacted orders to be served on any relevant providers of "electronic communication service" (as defined in 18 U.S.C. § 2510(15)).”

What Get's What?

Note that higher levels of legal authority can also obtain the information available through lower levels of authority. In other words, a court order can generally obtain everything that a subpoena would be able to obtain. NB: This information may be somewhat out of date (just like most information on this site)

Level of

Legal Process


Potentially Applicable Federal Law


Voluntary Disclosure / Consent [SSM]

Victim "may voluntarily disclose contents of internal emails relevant to the attack" [Tracking a Computer Hacker]

"Voluntary Disclosure by a provider whose services are available to the public is forbidden unless certain exceptions apply. These exceptions include disclosures 'incident to the rendition of the service or the protection of the rights of property of the provider of the service." [Tracking a Computer Hacker]

Access to everything

18 U.S.C. § 2802(b)

18 U.S.C. § 2702(b)(5)



Retention Letter

Requires ISP "to preserve the records while a court order or other process is being obtained." [Tracking a Computer Hacker]

18 U.S.C. § 2703(f)

Subpoena [SSM Appendix E]

Unopened email older than 180 days


Basic subscriber information - "can be used to obtain basic subscriber info from an ISP, including 'the name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity and length of service of a sub to or customer of such service and the type of service the sub or customer utilized." [Tracking a Computer Hacker]

18 U.S.C. § 2703(c)(1)(C)


"used to obtain opened emails [and files[SSM]], but only under certain conditions relating to notice to the subscriber. Notice may be delayed under Section 2705 for successive 90-day periods. Subpoenas may be issued for emails that have been opened, but a search warrant is generally needed for unopened emails." [Tracking a Computer Hacker]

18 U.S.C. § 2703(b)(1)(B)

Order to retain records Backups


§ 2703(d) Court Order

Transactional records - "for account logs and transactional records. Such orders are available if the agent can provide 'articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." [Tracking a Computer Hacker]

18 U.S.C. § 2703(d)

§ 2073(d) Court Order

"Full contents of a subscriber's account (except for unopened email stored with an ISP for 180 days or less and voice-mail), of the order complies with a notice provision in the statute. Notice to the subscriber can be delayed for up to ninety days when notice would seriously jeopardize the investigation." [Tracking a Computer Hacker] 18 U.S.C. § 2705(a).

18 U.S.C. § 2703(b)(1)(B)(ii) and (b)(2)


Search Warrant [SSM Appendix F]

"can be used to obtain the full contents of an account [including unopened email [SSM]], except for voice-mail in electronic storage (which requires a Title III order). The ECPA does not require notification to the subscriber when the government obtains information from a provider using a search warrant." [Tracking a Computer Hacker]

Rule 41 of the Federal Rules of Criminal Procedure or state equivalent

Real Time



Pen Register, Trap and Trace Orders

Real time traffic data interception ("collection of addressing information for wire and electronic communication")

18 U.S.C. § 3121-27


Title III Order

Real time content interception (actual content of communication), access to voice-mail in electronic storage.

18 U.S.C. § 2510-22, Wiretap Statute

Quick Reference Guide

Voluntary Disclosure Allowed?

How to Compel Disclosure

Public Provider
Public Provider
Basic subscriber, session, and billing information

Not to government, unless § 2702(c) exception applies

[§ 2702(a)(3)]


[§ 2702(a)(3)]

Subpoena; 2703(d) order; or search warrant

[18 U.S.C. § 2703(c)(2)]

Subpoena; 2703(d) order; or search warrant

[18 U.S.C. § 2703(c)(2)]

Other transactional and account records

Not to government, unless § 2702(c) exception applies

[§ 2702(a)(3)]


[§ 2702(a)(3)]

2703(d) order or search warrant

[18 U.S.C. § 2703(c)(1)]

2703(d) order or search warrant

[18 U.S.C. § 2703(c)(1)]

Accessed communications (opened e-mail and voice mail) left with provider and other stored files

No, unless § 2702(b) exception applies

[§ 2702(a)(2)]


[§ 2702(a)(2) ]

Subpoena with notice; § 2703(d) order with notice; or search warrant

[§ 2703(b)] [See Theofel for 9th Cir.]

Subpoena; ECPA doesn't apply

[§ 2711(2)] [See Theofel for 9th Cir.]

Unretrieved communication, including e-mail and voice mail (in electronic storage more than 180 days)

No, unless § 2702(b) exception applies

[§ 2702(a)(1)]


[§ 2702(a)(1)]

Subpoena with notice; § 2703(d) order with notice; or search warrant

[§ 2703(a,b)]

Subpoena with notice; § 2703(d) order with notice; or search warrant

[§ 2703(a,b)]

Unretrieved communication, including e-mail and voice mail (in electronic storage 180 days or less) No, unless § 2702(b) exception applies [§ 2702(a)(1)] Yes [§ 2702(a)(1)] Search warrant [§ 2703(a)] Search warrant [§ 2703(a)]

US DOJ Search and Seizure Manual, Sec. III.F. [Search and Seizure Manual 2009 p 138]

Acquisition in real time

Historical information

Contents of Communications

Title III order or consent generally

Warrant (for unopened email) or consent

Subpoena with notice (for files, opened email) or consent; may delay notice

Other records (subscriber and transactional data)

Pen register / trap and trace order or consent

Subpoena (for basic subscriber info only) consent

18 U.S.C. § 2703(d) specific and articulable facts" court order (for all other non content records), consent

Legal Process

Order if legal process:

1) Subpoena

2) Subpoena with notice to subscriber

3) § 2703(d) Court Order

4) § 2703(d) Court Order with notice

5) Search Warrant

The burden on the government is greater for a warrant than a subpoena but the government is authorized to search more with a warrant than a subpoena.

Subpoena: A subpoena is a court order, signed by a judge, usually requiring that a witness appear. Subpoena's can also be issued that require, instead of a witness appearing, that a witness produce certain documents in question. The threshold for acquiring a subpoena is relatively low. See United States v. Morton Salt Co., 338 U.S. 632, 642-43 (1950).” USDOJ Search and Seizure Manual Sec. III.D.1.

Warrant: A warrant is a court order, signed by a judge. A search warrant is signed by a judge, based upon a declaration of a law enforcement officer, permitting the officer to search a premises for evidence. Pursuant to the 4 th Amendment, a search warrant will be issued only upon probably cause, and must specifically describe the place to be searched and the evidence to be seized.

Probable cause : A thing is more likely than not.

© Cybertelecom ::