
Electronic Communications Act

Law/Act: Electronic Communications Privacy Act
U.S. Code Citation: 18 U.S.C. §§ 2510–2522, 2701–2712, 3121–3127
Responsible Regulator: Federal Communications Commission
BYU Responsible Officer: Information Security & Privacy Committee
Updated: Feb. 2019
Updated By: CJH
Version 1.0
Effective Date: 1986

I. PURPOSE

The purpose of the Electronic Communications Privacy Act (ECPA) is to protect the privacy of wire, oral, and electronic communications while in transmission and when stored on computers.1

II. HISTORY

The ECPA was passed in 1986, and included both amendments to the previous Wiretap Act and the creation of the Stored Communications Act and the Pen Register Act.2 The ECPA was created to expand federal restrictions on wiretapping and electronic eavesdropping.3

The ECPA was heavily modified by the Communications Assistance to Law Enforcement Act (CALEA) in 1994 to allow law enforcement agencies the ability to conduct electronic .4 The ECPA was also significantly amended in 2001 and again in 2006 by the USA , which was created to increase protection against domestic terrorism in response to the 9/11 attacks.5 Significant changes were also made by the enactment of the Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA) in 2008 to allow electronic surveillance for the collection of foreign intelligence information.6

III. APPLICABILITY TO BYU

Because BYU provides electronic and wire communications services and stores records of such communications, it would be deemed a “communications provider,”7 and as such is subject to the provisions of the ECPA and responsible for protecting the privacy of covered communications. These services include email and service, as well as electronic transfer of funds, all of which BYU provides. Additionally, to the extent that University Police engage in the interception of oral, wire, or electronic communication for law enforcement purposes, they also would be subject to the ECPA.

1 18 U.S.C. § 2510(1) (2018); Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22, U.S. DEPARTMENT OF JUSTICE, OFFICE OF JUSTICE PROGRAMS, BUREAU OF JUSTICE ASSISTANCE, https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 (last revised July 30, 2013). The term “wire communication” is defined as any “aural transfer . . . through . . . wire, cable, or other like connection between the point of origin and the point of reception.”
2 Electronic Communications Privacy Act of 1986, Pub. L. 99-508, 100 Stat. 1848.
3 Electronic Communications Privacy Act (ECPA), ELECTRONIC PRIVACY INFORMATION CENTER, https://epic.org/privacy/ecpa/ (last visited Jan. 3, 2018).
4 Electronic Communications Privacy Act of 1986 (ECPA), FEDERAL PRIVACY COUNCIL, https://www.fpc.gov/electronic-communications-privacy-act-of-1986-ecpa/ (last visited Jan. 3, 2018).
5 Id.
6 Id.
7 See 18 U.S.C § 2510(15) (2018) (defining “communications provider” as a person or entity that provides to users the ability to send or receive wire or electronic communications); see also 18 U.S.C. §§ 2711(1), 3127(1) (same).


IV. REQUIREMENTS

The following are the requirements outlined in the ECPA for the Wiretap Act, the Stored Communications Act, and the Pen Register Act.

A. Wiretap Act

1. Interception and Disclosure of Communications

Under the Wiretap Act, it is unlawful for any person to intentionally intercept any wire, oral, or electronic communication,8 unless otherwise authorized by law, including the exceptions set forth below. This prohibition also applies when procuring another person to engage in such interception, and using any electronic, mechanical, or other device to intercept oral communication.9 It is also unlawful to intentionally disclose or attempt to disclose any wire, oral, or electronic communication while knowing that the information was obtained illegally.10

Communications providers must not intentionally divulge the contents of any such communication to anyone other than the intended recipient.11 However, a person or entity may divulge the contents of such communication under the following conditions:

1. with lawful consent from any intended recipient or the originator;12
2. to an employed or authorized person for the task of forwarding the communication to its destination;13 or
3. if the communication was inadvertently obtained by the service provider and appears to pertain to the commission of a crime.14

It is not unlawful for switchboard operators or officers, employees, or agents of a communications provider to intercept, disclose, or use communication in the normal course of employment.15

Communications providers may provide information, facilities, or technical assistance to persons legally authorized to intercept communications or conduct electronic surveillance.16 However, the communications provider must be provided with a court order directing such action or a certification in writing that no warrant or court order is required by law and all statutory requirements have been met.17

8 18 U.S.C. § 2511(1)(a). Use of the terms “communication” or “communications” throughout the rest of this memo refer to and include wire, oral, or electronic communication.
9 Id. § 2511(1)(b).
10 Id. § 2511(1)(c).
11 Id. § 2511(3)(a).
12 Id. § 2511(3)(b)(ii).
13 Id. § 2511(3)(b)(iii).
14 Id. § 2511(3)(b)(iv).
15 Id. § 2511(2)(a)(i).
16 Id. § 2511(2)(a)(ii).
17 Id. § 2511(2)(a)(ii)(A)–(B).


It is not unlawful to intercept communications if the person is the sender or receiver, or one of them has given consent prior to interception, unless such interception is done with the intent to commit a crime.18

It is not unlawful to intercept communications that are made available to the general public.19 It is also not unlawful to intercept an unencrypted satellite transmission if it is being transmitted to a broadcasting station for retransmission to the general public.20 However, interception of satellite transmissions is considered unlawful if it is for “direct commercial advantage or private financial gain.”21

2. Communication Interception Devices

The Wiretap Act prohibits manufacturing, assembling, distributing, possessing, or advertising any device whose primary purpose is the clandestine interception of wire, oral, or electronic communications,22 unless otherwise authorized by law.23 For example, as an exception to this prohibition, communications providers or any persons under contract with a provider may mail or transport devices primarily used for the purpose of surreptitious interception of communications during the normal course of business.24

3. Disclosure and Use of Intercepted Communications

Investigative or law enforcement officers who learn of the contents of any wire, oral, or electronic communication, or evidence derived from such, are permitted to disclose the contents to other officers as long as such disclosure is appropriate to the performance of official duties of all officers involved.25 Officers may also use such contents to the extent of what is “appropriate in the proper performance of official duties.”26

Any investigative or law enforcement officer that obtains knowledge of the contents of a communication that includes foreign intelligence or counterintelligence may disclose such contents to any other federal law enforcement, intelligence, protective, immigration, national defense, or national security official.27 They may also disclose the contents of a communication that reveals a threat of “actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power” to any appropriate federal, state, local, or foreign government official.28

Investigative or law enforcement officers may submit an application to an authorized judge to receive permission to intercept communication.29

B. Stored Communications Act

Under the Stored Communications Act (SCA), it is unlawful to intentionally gain unauthorized access to a facility where electronic communication service is provided and obtain, alter, or prevent authorized access to stored wire or electronic communication,30 unless otherwise authorized by law, including the exceptions set forth below.

18 Id. § 2511(2)(d).
19 Id. § 2511(2)(g).
20 Id. § 2511(4)(b).
21 Id.
22 Id. § 2512(1)(a).
23 See id. § 2513 (providing that any such devices may be seized and forfeited to the US).
24 Id. § 2512(2).
25 Id. § 2517(1).
26 Id. § 2517(2).
27 Id. § 2517(6).
28 Id. § 2517(8).
29 See id. § 2518 (explaining how to submit an application).

1. Disclosure of Customer Records

Communications providers must not knowingly divulge the contents of any communications stored by that service.31 Providers of “remote computer services”32 to the public must not knowingly divulge the contents of any communications that are carried or stored by that service on behalf of a subscriber or customer.33 Communications providers must not knowingly divulge records or other information concerning subscribers or customers of the service to any governmental entity.34

2. Required Disclosure of Customer Communications or Records

Communications providers may be required to disclose the contents of a wire or electronic communication to a governmental entity only in accordance with a warrant or through the “procedures described in the Federal Rules of Criminal Procedure.”35 A governmental entity may require a disclosure without required notice to the subscriber or customer if such action is

- in accordance with a lawfully obtained warrant;36 or
- performed with prior notice to the customer or subscriber if the governmental entity uses
  a) “an administrative subpoena authorized by a Federal or State statute”;37 or
  b) “a Federal or State grand jury or trial subpoena” or a court order for such disclosure.38

All communications providers (including those that provide remote computing services) may be required to disclose records or other customer or subscriber information only when the governmental entity

- obtains a warrant;39
- obtains a court order;40
- has consent from the subscriber or customer;41 or
- submits a formal written request in relation to a law enforcement investigation regarding telemarketing fraud.42

30 Id. § 2701(a).
31 Id. § 2702(a).
32 Id. § 2711(2). “Remote computer service” means providing public computer storage or processing services by means of an electronic communications system. Id.
33 Id. § 2702(a)(1).
34 Id. § 2702(a)(3).
35 Id. § 2703(a).
36 Id. § 2703(b)(1)(A).
37 Id. § 2703(b)(1)(B)(i).
38 Id. § 2703(b)(1)(B)(ii).
39 Id. § 2703(c)(1)(A).
40 Id. § 2703(c)(1)(A).
41 Id. § 2703(c)(1)(C).
42 Id. § 2703(c)(1)(D).


Governmental entities may request the following user43 information from providers of electronic communication or remote computing services when using “an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena”:

- name;44
- address;45
- “local and long distance telephone connection records, or records of session times and durations”;46
- start date of service, length of service, and types of service used;47
- “telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address”;48 and
- method of payment for service (including any credit card or bank account numbers).49

A governmental entity that receives records or information through these methods is not required to give notice to customers or subscribers.50

Communications providers, upon request of a governmental entity, must “take all necessary steps to preserve records and other evidence in [their] possession pending the issuance of a court order.”51 In such a case, records must be retained for a ninety-day period, which may be extended to an additional ninety-day period by renewed request.52

Service providers may be required to create a backup copy of the contents of electronic communications for preservation if requested by a governmental entity with a subpoena or court order.53

3. Exceptions

Communications providers may divulge the contents of a communication

- to the intended recipient or an agent of the intended recipient of such communication;54
- with lawful consent from the creator or intended recipient of such communication, or the subscriber;55
- to an employee or person otherwise authorized, or a person whose facilities are used to send such communications to their destinations;56
- as may be necessary to the normal operation of the service, or to protect the rights or property of the service provider;57
- to the National Center for Missing and Exploited Children in connection to a lawfully submitted report;58
- to a law enforcement agency if the contents were inadvertently obtained by the service provider, or if the contents contain information regarding the commission of a crime;59 or
- to a government entity, if the provider believes the communication pertains to an emergency involving danger or death or serious physical injury to any person, and the event requires that the communication must be immediately disclosed.60

43 A “user” is any person or entity who uses an electronic communication service. Id. § 2510(13)(A).
44 Id. § 2703(c)(2)(A).
45 Id. § 2703(c)(2)(B).
46 Id. § 2703(c)(2)(C).
47 Id. § 2703(c)(2)(D).
48 Id. § 2703(c)(2)(E).
49 Id. § 2703(c)(2)(F).
50 Id. § 2703(c)(3).
51 Id. § 2703(f)(1).
52 Id. § 2703(f)(2).
53 Id. § 2704(a)(1); see generally id. § 2704 (detailing the specific requirements for backup preservation).
54 18 U.S.C. § 2702(b)(1).
55 Id. § 2702(b)(3).
56 Id. § 2702(b)(4).

Providers of electronic communication or remote computing services may divulge records or other information pertaining to subscribers or customers of such service

- with lawful consent from the customer or subscriber;61
- as may be necessary to the normal operation of the service, or to protect the rights or property of the service provider;62
- to a government entity, if the provider believes the communication pertains to an emergency involving danger, death, serious physical injury to any person, and the event requires that the communication must be immediately disclosed;63
- to the National Center for Missing and Exploited Children in connection to a lawfully submitted report;64 or
- “to any person other than a governmental entity.”65

C. Pen Register Act

Under the Pen Register Act, it is unlawful for any person to install or use a pen register or a without a court order,66 unless otherwise authorized by law, including the exceptions set forth below. Providers of wire or electronic communication services, landlords, custodians, or other persons must submit to any request from an authorized government attorney or officer of a law enforcement agency to install and use a pen register or a trap and trace device.67

57 Id. § 2702(b)(5).
58 Id. § 2702(b)(6).
59 Id. § 2701(b)(7).
60 Id. § 2701(b)(8).
61 Id. § 2701(c)(2).
62 Id. § 2702(c)(3).
63 Id. § 2702(c)(4).
64 Id. § 2702(c)(5).
65 Id. § 2702(c)(6).
66 Id. § 3121(a). The term “pen register” refers to any device or process that “records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” The term “trap and trace device” refers to any device or process that captures incoming electronic or other impulses that identify the originating number or other dialing, routing, address, and signaling information.
67 Id. § 3124(a)–(b); see also id. § 3214(b) (explaining the procedures for cooperating with authorized individuals should they need to use a pen register or trap and trace device).


It is not unlawful for a provider of electronic or wire communication services to install or use a pen register or a trap and trace device if:

- the action is in relation to the “operation, maintenance, and testing of a wire or electronic communication service,” or the protection of the property or rights of the provider, or the protection of users from abuse of service or unlawful use of service;68 or
- “to record the fact that a wire or electronic communication was initiated or completed” in order to protect the provider, “another provider furnishing service toward the completion of the wire communication,” or a user from fraudulent, unlawful, or abusive use of service;69 or
- the provider has obtained consent from the user.70

V. PENALTIES

Violations of the Wiretap Act may result in a fine, or up to five years of imprisonment, or both.71

Violations of the Stored Communications Act committed for “commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act” will result in a fine and imprisonment for up to five years but not more than ten, or both.72 Violations in any other case will result in a fine or imprisonment for up to one year or both.73

Anyone who knowingly violates the Pen Register Act will be fined and imprisoned for up to one year, or both.74

VI. STAYING UP-TO-DATE

The following websites provide valuable information regarding this law and its applicability.

| DOCUMENT/REFERENCE | DESCRIPTION |
| --- | --- |
| Electronic Communications Privacy Act (ECPA) | This article by the Electronic Privacy Information Center (EPIC) provides some background and overview information on the ECPA. |
| Electronic Communications Privacy Act of 1986 (ECPA) | This article by the Federal Privacy Council clarifies the general and specific provisions of the ECPA, including the sections in the U.S.C. where those provisions are found. |
| Privacy: An overview of the Electronic Communications Privacy Act | A summary and overview of the ECPA by the Congressional Research Service. |

68 18 U.S.C. § 3121(b)(1).
69 Id. § 3121(b)(2).
70 Id.
71 Id. § 2511(4)(a).
72 Id. § 2701(b)(1).
73 Id. § 2701(b)(2).
74 Id. § 3121(d).
