Index: [thread] [date] [subject] [author]
  From: Sze Tan <st2206@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Mon, 9 May 2005 16:25:36 -0400

Paper 2: The Electronic Communications Privacy Act: Some Suggestions for Change

The Electronic Communications Privacy Act:
Some Suggestions for Change

The scope of Fourth Amendment protection for electronic communications and 
remotely stored records started out unclear, and remains hazy to this day. 
In the 1970s, a string of Supreme Court cases - concerning the disclosure of 
tax records, bank records and telephone toll records - laid the (shaky) 
foundations for modern electronic privacy jurisprudence[1]. These "records 
cases"[2] stood for the proposition that personal information voluntarily 
disclosed to a business fell outside the scope of Fourth Amendment 
protection.

The precedent laid down by these cases was troubling for those who 
envisioned its literal application to electronic mail, which was then only a 
glimmer in anyone's eye. Unlike transient telephone exchanges, 
electronically communicated mail messages required the creation of 
contemporaneous records, which very often were of an ephemeral nature. 
Copies of these records were in turn left in the hands of any number of 
third parties as the messages were relayed throughout a particular computer 
network. The resulting ambiguity was easily discernible: were the temporary 
copies of e-mail left behind on networks and service providers' servers to 
be classified as records - and thereby devoid of Fourth Amendment protection 
under the "records cases" framework - or were they more akin to telephone 
conversations, and therefore subject to the relevant statutory and 
constitutional safeguards[3]?

Clarification came in the form of the Electronic Communications Privacy Act 
of 1986 ("ECPA") - or at least, some measure of clarification anyway. The 
ECPA itself breaks down into three separate statutes: Title I (the Wiretap 
Act), which addresses the interception and disclosure of different types of 
communications; Title II (the Stored Communications Act), which deals with 
access to stored electronic communications; and Title III (the Pen Register 
Statute), which regulates the use of pen registers and trap and trace 
devices, which in turn are used to record the telephone numbers dialed from 
and into a specific telephone line. Each of the titles operate in the same 
basic way: generally prohibiting unauthorized access to electronic 
communications, stored or in transit, but permitting specified exemptions, 
of which one importantly provides the government with the ability to obtain 
direct access or to subpoena a third party to turn over information.

Unfortunately, the ECPA has proven itself to be as unclear as the precedents 
it was meant to reconcile. The response of the ECPA to the question posed 
earlier was influenced largely by the Department of Justice's hostility 
towards the analogy of e-mail with snail mail and telephone communications. 
The DOJ contended forcefully that an e-mail message, when merged with "part 
of the records in the files of a communications ... carrier," was subject to 
no Fourth Amendment protections whatsoever[4], unlike, say, letters sent by 
first-class mail. Congress ultimately accepted this argument[5] and the ECPA 
today appears to countenance the diametric opposite of existing provisions 
for snail mail searches. Specifically, if an e-mail is in storage on a 
third-party server for more than 180 days, the ECPA allows government access 
with a subpoena based on no more than a mere relevance standard[6]. In other 
words, the "records cases" proposition appears by and large to have been 
extended - fittingly or not - to cover electronic messages.

Despite this, however, the prospect that all records maintained on third 
party servers - ostensibly on an individual's behalf - are sooner or later 
to fall outside the scope of Fourth Amendment protection is a frightening 
one, and certainly is one that should be addressed by Congress as swiftly as 
possible. To be sure, this current approach embraced by the ECPA is 
retrograde to what was originally envisioned in Katz v. United States[7], 
wherein criteria were espoused to help escape the formalistic - and arguably 
unjust - structure of the prior property-based privacy jurisprudence[8].

Additionally, the ECPA also contains no guidelines whatsoever for 
determining whether Title I or Title II applies in a particular given 
situation. The employment of differing terms - "interception" under Title I 
and "access" under Title II - might allow for smooth application in easy 
cases, but in today's capricious technological world, such cases are often 
hard to come by. What is a court to conclude, for instance, when an 
individual reads an e-mail intended for another who has not yet read it, but 
who has left the message open on a computer screen (out of carelessness)? 
Has the first individual intercepted the electronic communication (Title I), 
or has he rather accessed it in electronic storage (Title II)[9]? To be 
sure, the "intersection of the Wiretap Act . and the Stored Communications 
Act . is a complex, often convoluted, area of the law[10]."

The problem is not an intractable one; indeed, it appears that the inclusion 
of a proper definition for the key term "access" would go a great way to 
ameliorating much of the existing confusion. Access could be defined as "the 
acquisition of communications that are in electronic storage at the time of 
the incident in question" (as opposed to an acquisition that is 
contemporaneous with the particular transmission, which would properly fall 
under the ambit of an "interception").  A specific declaration within the 
ECPA that Titles I and II are to operate in such a way that neither renders 
the other superfluous would also be most helpful. That is, a given 
electronic communication must fall under either the Wiretap Act or the 
Stored Communications Act, but not both simultaneously.

Separately, concerns have also arisen over the breadth - and vagueness - of 
the liability exception for Internet Service Providers (ISPs) under Title 
II. In Bohach v. City of Reno[11], the court interpreted s. 2701(c)(1)[12] 
as allowing ISPs to do as they pleased in accessing their subscribers' 
stored communications. While legitimate business or security concerns may 
warrant ISP intrusion upon occasion, it is far from clear that Congress 
actually intended for them to have such complete free reign. The privacy of 
electronic communications should not have to be needlessly compromised.

Congress could accomplish the proper restriction of this overbroad ISP 
liability exception by adding the phrase, "when authorized for a legitimate 
business purpose" to s.2701(c)(1)[13]. Since an ISP rightly only should 
access its subscribers' communications pursuant to some overarching 
authorized purpose, the "business purpose" standard appears to be a 
reasonable middle-ground threshold to prevent ISPs from randomly rummaging 
through subscribers' private communications. The standard, while certainly 
far from perfect, would nonetheless preclude future similar conclusions by 
the courts that ISPs can essentially "do as they wish when it comes to 
accessing communications in electronic storage"[14]. In addition, this 
amendment would restore some clarity to the existing provision by 
enunciating a specific set standard for ISPs and courts alike to take as 
their respective points of departure.

The architects of the ECPA should be applauded for their efforts in drafting 
a comprehensive privacy statute for the digital age. The protections 
countenanced by the statute, however, based as they are on strained 
constructions of the "records cases", do not properly reflect community 
norms regarding privacy expectations. Additionally, certain provisions of 
the ECPA appear much too vague for practical application in "hard" cases, 
and at times are excessively broad in scope.

At bottom, however, it is important that we acknowledge that the information 
stored on servers is arguably the same as that stored in filing cabinets or 
private homes, and that similar treatment of both kinds of information would 
be in society's best interest - and in accordance with society's collective 
expectation. Just as to argue in the face of the Katz result would be "to 
ignore the vital role that the public telephone has come to play in private 
communications"[15], so to leave the ECPA in its current form would be to 
ignore the crucial place of the Internet amidst modern-day private 
exchanges. Individuals using the Internet as a mode of communication have 
reasonable expectations of privacy, just as anyone utilizing any other mode 
of communication is entitled to a presumption of confidentiality. To argue 
otherwise would surely be to court disharmony in the law, and to engender 
irrationally forked precedent.





[1] Robert S. Steere, Keeping "Private E-Mail" Private: A Proposal to Modify 
the Electronic Communications Privacy Act, 33 Val. U. L. Rev. 231 
(1998-1999), at 245.
[2] Smith v. Maryland, 442 U.S. 735 (1979), at 744  (finding no protection 
for records conveyed to phone company); United States v. Miller, 425 U.S. 
435 (1976), at 442 (finding no Fourth Amendment protection for business 
records conveyed to bank); Couch v. United States, 409 U.S. 322 (1972), at 
335-36 (finding no Fourth Amendment protection for tax records conveyed to 
accountant).
[3] The wiretap provisions of Title III of the Omnibus Crime Control and 
Safe Streets Act of 1968 authorized law enforcement wiretapping of 
telephones within a framework designed to protect privacy and compensate for 
the uniquely intrusive aspects of electronic surveillance. See 18 U.S.C. s. 
2510-2522.
[4] Hearing before the Subcomm. On Courts, Civil Liberties, and the 
Administration of Justice of the House Comm. On the Judiciary, 99th Cong. 
234 (1986) (statement of James Knapp, Deputy Assistant Attorney General, 
Criminal Div.), at 235.
[5] H.R. Rep. No. 99-647 (1986), at 68 ("to the extent that the record 
(including e-mail message) is kept beyond that point (180 days) it is closer 
to a regular business record maintained by a third party and, therefore, 
deserving of a lesser standard of protection").
[6] 18 U.S.C. s. 2703(b).
[7] 389 U.S. 347 (1967), at 361. Under the Katz test, invocation of the 
Fourth Amendment was permitted where the affected individual exhibited (1) 
an actual or subjective expectation of privacy, in a situation where (2) 
society recognized that expectation as an objectively reasonable one.
[8] See Olmstead v. United States, 277 U.S. 438 (1928), at 464 (finding that 
the government could conduct warrantless taps on a defendant's telephone to 
intercept and listen to telephone conversations if the government did not 
physically trespass into the defendant's home or office); and Hester v. 
United States, 265 U.S. 57 (1924), at 58-59 (finding that when police 
entered the defendant's open field to obtain evidence, they did not violate 
the Fourth Amendment, because the special protection accorded to people in 
their houses does not extend to open fields). The Katz test - by overruling 
courts' earlier use of restrictive trespass concepts in analyzing privacy - 
dealt away with illogical and inconsistent treatments of (otherwise) 
substantively identical Fourth Amendment infractions.
[9] See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 
457 (5th Cir. 1994) at 460.
[10] United States v. Smith, 155 F.3d at 1055 (9th Cir. 1998).
[11] 932 F. Supp. 1232 (D. Nev. 1996).
[12] The relevant provision reads as follows: "Except as provided in 
subsection (c) of this section whoever . intentionally accesses without 
authorization a facility through which an electronic communication service 
is provided; or intentionally accesses without authorization to access that 
facility; and thereby obtains, alters, or prevents authorized access to a 
wire or electronic communication while it is in electronic storage in such 
system shall be punished as provided in subsection (b) of this section . 
[s]ubsection (a) of this section does not apply with respect to conduct 
authorized . by the person or entity providing a wire or electronic 
communications service; by a user of that service with respect to 
communication of or intended for that user ." (emphasis added).
[13] See Julie J. McMurry, Privacy in the Information Age: The Need for 
Clarity in the ECPA (2000), 78 Wash. U. L. Q. 597 at 621.
[14] Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) at 1236.
[15] Katz v. United States, 389 U.S. 347 (1967), at 352. 


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list



Index: [thread] [date] [subject] [author]