The Electronic Communications Privacy Act (ECPA) is a federal statute that was enacted in the United States in 1986 to extend government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer. The ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorised government access to private electronic communications.
The ECPA is divided into three parts. The first, often referred to as Title I, deals with wiretap orders; the second, often referred to as Title II, pertains to the Stored Communications Act; and the third, often referred to as Title III, addresses pen register and trap and trace devices. Each of these parts will be discussed in detail in the following sections.
Wiretap Orders (Title I)
Title I of the ECPA, also known as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or "procure[ment] [of] any other person to intercept or endeavour to intercept any wire, oral, or electronic communication" without a court order. It applies to government officials and private citizens alike.
However, there are exceptions to this rule. For instance, service providers may intercept and disclose communications in order to protect their rights or property. Also, employers may monitor communications on their systems with a legitimate business purpose.
Obtaining a Wiretap Order
In order to obtain a wiretap order, the government must demonstrate probable cause that a particular offence has been, is being, or will be committed and that communications concerning that offence will be obtained through the wiretap. This is a higher standard than required for other forms of surveillance.
Moreover, the government must also show that other investigative procedures have been tried and failed or would likely fail if attempted. This is known as the "necessity" requirement.
Exclusionary Rule
The Wiretap Act also includes an "exclusionary rule," which prohibits the use of intercepted communications as evidence in any trial, hearing, or other proceeding if the disclosure of that information would be in violation of the Act.
However, this rule is not absolute. There are exceptions, such as when the communication was intercepted in accordance with a court order or with the consent of one of the parties.
Stored Communications Act (Title II)
Title II of the ECPA, also known as the Stored Communications Act (SCA), protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber names, billing records, or IP addresses.
The SCA creates Fourth Amendment-like privacy protection for email and other digital communications stored on the internet. It protects communications held in electronic storage, most notably messages stored on computers.
Accessing Stored Communications
The SCA provides different levels of protection for communications, depending on their status. For instance, it affords greater protection to communications in "electronic storage" than to other stored communications.
Moreover, the government needs a warrant to access unopened email messages that are 180 days old or less, but it only needs a subpoena or a court order to access older messages or opened messages.
Exceptions to the SCA
Several exceptions to the protections provided by the SCA exist. For instance, service providers may disclose customer records or communications under certain circumstances, such as to protect their rights or property or in emergencies involving danger of death or serious physical injury.
Moreover, the SCA does not protect communications held by service providers if the communication is readily accessible to the general public.
Pen Register and Trap and Trace Devices (Title III)
Title III of the ECPA, also known as the Pen Register Act, regulates the collection of dialling, routing, addressing, and signalling information about telephone calls and electronic communications. It does not include the contents of those communications.
The Act requires government entities to obtain a court order before installing and using a pen register or trap and trace device. However, the standard for obtaining such an order is less than the probable cause standard used for search warrants and wiretap orders.
Obtaining a Pen Register Order
To obtain a pen register order, the government must certify to the court that the information likely to be obtained is relevant to an ongoing criminal investigation. The court must then direct the order to the provider of a wire or electronic communication service to install and use a pen register or trap-and-trace device.
However, the Act does not require the government to demonstrate probable cause or even reasonable suspicion. This lower standard reflects the fact that pen registers and trap and trace devices do not capture the contents of communications.
Use and Disclosure of Information
The Pen Register Act also regulates the use and disclosure of information collected through pen registers and trap and trace devices. It generally prohibits the use of such information as evidence in any trial, hearing, or other proceeding unless each party has been provided with at least ten days' advance notice.
However, there are exceptions to this rule. For instance, the Act allows the use of such information in emergency situations or with the consent of the user.
Conclusion
The Electronic Communications Privacy Act (ECPA) is a complex piece of legislation that seeks to balance the government's need to investigate and prevent crime with individuals' privacy rights. It has been amended several times to keep up with technological advances, but many argue that it is still outdated and fails to adequately protect digital privacy.
Understanding the ECPA is crucial for anyone involved in electronic communications, whether as a service provider, a user, or a government official. It provides important protections for private communications, but it also includes many exceptions and requires careful compliance.