Electronic Communications Privacy Act
Total Page:16
File Type:pdf, Size:1020Kb
Electronic Communications Privacy Act Law/Act: Electronic Communications Privacy Act U.S. Code Citation: 18 U.S.C. §§ 2510–2522, 2701–2712, 3121–3127 Responsible Regulator: Federal Communications Commission BYU Responsible Officer: Information Security & Privacy Committee Updated: Feb. 2019 Updated By: CJH Version 1.0 Effective Date: 1986 I. PURPOSE The purpose of the Electronic Communications Privacy Act (ECPA) is to protect the privacy of wire, oral, and electronic communications while in transmission and when stored on computers.1 II. HISTORY The ECPA was passed in 1986, and included both amendments to the previous Wiretap Act and the creation of the Stored Communications Act and the Pen Register Act.2 The ECPA was created to expand federal restrictions on wiretapping and electronic eavesdropping.3 The ECPA was heavily modified by the Communications Assistance to Law Enforcement Act (CALEA) in 1994 to allow law enforcement agencies the ability to conduct electronic surveillance.4 The ECPA was also significantly amended in 2001 and again in 2006 by the USA PATRIOT Act, which was created to increase protection against domestic terrorism in response to the 9/11 attacks.5 Significant changes were also made by the enactment of the Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA) in 2008 to allow electronic surveillance for the collection of foreign intelligence information.6 III. APPLICABILITY TO BYU Because BYU provides electronic and wire communications services and stores records of such communications, it would be deemed a “communications provider,”7 and as such is subject to the provisions of the EPCA and responsible for protecting the privacy of covered communications. These services include email and telephone service, as well as electronic transfer of funds, all of which BYU provides. Additionally, to the extent that University Police engage in the interception of oral, wire, or electronic communication for law enforcement purposes, they also would be subject to the ECPA. 1 18 U.S.C. § 2510(1) (2018); Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22, U.S. DEPARTMENT OF JUSTICE, OFFICE OF JUSTICE PROGRAMS, BUREAU OF JUSTICE ASSISTANCE, https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 (last revised July 30, 2013). The term “wire communication” is defined as any “aural transfer . through . wire, cable, or other like connection between the point of origin and the point of reception.” 2 Electronic Communications Privacy Act of 1986, Pub. L. 99-508, 100 Stat. 1848. 3 Electronic Communications Privacy Act (ECPA), ELECTRONIC PRIVACY INFORMATION CENTER, https://epic.org/privacy/ecpa/ (last visited Jan. 3, 2018). 4 Electronic Communications Privacy Act of 1986 (ECPA), FEDERAL PRIVACY COUNCIL, https://www.fpc.gov/electronic- communications-privacy-act-of-1986-ecpa/ (last visited Jan. 3, 2018). 5 Id. 6 Id. 7 See 18 U.S.C § 2510(15) (2018) (defining “communications provider” as a person or entity that provides to users the ability to send or receive wire or electronic communications); see also 18 U.S.C. §§ 2711(1), 3127(1) (same). 1 Electronic Communications Privacy Act IV. REQUIREMENTS The following are the requirements outlined in the ECPA for the Wiretap Act, the Stored Communications Act, and the Pen Register Act. A. Wiretap Act 1. Interception and Disclosure of Communications Under the Wiretap Act, it is unlawful for any person to intentionally intercept any wire, oral, or electronic communication,8 unless otherwise authorized by law, including the exceptions set forth below. This prohibition also applies when procuring another person to engage in such interception, and using any electronic, mechanical, or other device to intercept oral communication.9 It is also unlawful to intentionally disclose or attempt to disclose any wire, oral, or electronic communication while knowing that the information was obtained illegally.10 Communications providers must not intentionally divulge the contents of any such communication to anyone other than the intended recipient.11 However, a person or entity may divulge the contents of such communication under the following conditions: 1. with lawful consent from any intended recipient or the originator;12 2. to an employed or authorized person for the task of forwarding the communication to its destination;13 or 3. if the communication was inadvertently obtained by the service provider and appears to pertain to the commission of a crime.14 It is not unlawful for switchboard operators or officers, employees, or agents of a communications provider to intercept, disclose, or use communication in the normal course of employment.15 Communications providers may provide information, facilities, or technical assistance to persons legally authorized to intercept communications or conduct electronic surveillance.16 However, the communications provider must be provided with a court order directing such action or a certification in writing that no warrant or court order is required by law and all statutory requirements have been met.17 8 18 U.S.C. § 2511(1)(a). Use of the terms “communication” or “communications” throughout the rest of this memo refer to and include wire, oral, or electronic communication. 9 Id. § 2511(1)(b). 10 Id. § 2511(1)(c). 11 Id. § 2511(3)(a). 12 Id. § 2511(3)(b)(ii). 13 Id. § 2511(3)(b)(iii). 14 Id. § 2511(3)(b)(iv). 15 Id. § 2511(2)(a)(i). 16 Id. § 2511(2)(a)(ii). 17 Id. § 2511(2)(a)(ii)(A)–(B). 2 Electronic Communications Privacy Act It is not unlawful to intercept communications if the person is the sender or receiver, or one of them has given consent prior to interception, unless such interception is done with the intent to commit a crime.18 It is not unlawful to intercept communications that are made available to the general public.19 It is also not unlawful to intercept an unencrypted satellite transmission if it is being transmitted to a broadcasting stations for retransmission to the general public.20 However, interception of satellites transmission is considered unlawful if it is for “direct commercial advantage or private financial gain.”21 2. Communication Interception Devices The Wiretap Act prohibits manufacturing, assembling, distributing, possessing, or advertising any device whose primary purpose is the clandestine interception of wire, oral, or electronic communications,22 unless otherwise authorized by law.23 For example, as an exception to this prohibition, communications providers or any persons under contract with a provider may mail or transport devices primarily used for the purpose of surreptitious interception of communications during the normal course of business.24 3. Disclosure and Use of Intercepted Communications Investigative or law enforcement officers that learns of the contents of any wire, oral, or electronic communication, or evidence derived from such, are permitted to disclose the contents to other officers as long as such disclosure is appropriate to the performance of official duties of all officers involved.25 Officers may also use such contents to the extent of what is “appropriate in the proper performance of official duties.”26 Any investigative or law enforcement officer that obtains knowledge of the contents of a communication that includes foreign intelligence or counterintelligence may disclose such contents to any other federal law enforcement, intelligence, protective, immigration, national defense, or national security official.27 They may also disclose the contents of a communication that reveals a threat of “actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power” to any appropriate federal, state, local, or foreign government official.28 Investigative or law enforcement officers may submit an application to an authorized judge to receive permission to intercept communication.29 B. Stored Communications Act Under the Stored Communications Act (SCA), it is unlawful to intentionally gain unauthorized access to a facility where electronic communication service is provided and obtain, alter, or prevent authorized 18 Id. § 2511(2)(d). 19 Id. § 2511(2)(g). 20 Id. § 2511(4)(b). 21 Id. 22 Id. § 2512(1)(a). 23 See id. § 2513 (providing that any such devices may be seized and forfeited to the US). 24 Id. § 2512(2). 25 Id. § 2517(1). 26 Id. § 2517(2). 27 Id. § 2517(6). 28 Id. § 2517(8). 29 See id. § 2518 (explaining how to submit an application). 3 Electronic Communications Privacy Act access to stored wire or electronic communication,30 unless otherwise authorized by law, including the exceptions set forth below. 1. Disclosure of Customer Records Communications providers must not knowingly divulge the contents of any communications stored by that service.31 Providers of “remote computer services”32 to the public must not knowingly divulge the contents of any communications that are carried or stored by that service on behalf of a subscriber or customer.33 Communications providers must not knowingly divulge records or other information concerning subscribers or customers of the service to any governmental entity.34 2. Required Disclosure of Customer Communications or Records Communications providers may be required to disclose the contents of a wire or electronic communication to a governmental entity only in accordance with a warrant or through the “procedures described in the Federal Rules of Criminal Procedure.”35 A governmental entity may require a disclosure without required notice to the subscriber or customer if such action