Privacy: Statutory Protections
From Internet Law Treatise
With the passage of the USA PATRIOT Act, the Homeland Security Act and other laws focused on national security, Congress has been active in changing the legal landscape for access to real-time and stored communications. Despite these amendments, detailed below, the legal regime for obtaining wiretaps and stored communications remains ambiguous.
Federal Constitution
The contents of telephone communications are fully protected by the Fourth Amendment. Katz v. United States, 389 U.S. 347, 353-354 (1967). The Government must satisfy stringent procedural requirements, discussed below, before it can acquire the contents of communications. Berger v. New York, 388 U.S. 41, 63-64 (1967) (“[I]t is not asking too much that officers be required to comply with the basic command of the Fourth Amendment before the innermost secrets of one's home or office are invaded. Few threats to liberty exist which are greater than that posed by the use of eavesdropping devices.”).
However, the Supreme Court has found no reasonable expectation of privacy in telephone numbers dialed or transmitted to initiate telephone calls. Smith v. Maryland, 442 U.S. 735, 745 (1979); id. at 742-744 (pen register does not “acquire the contents of communication,” but only “numerical information” that is “voluntarily conveyed…to the telephone company” so that calls may be completed). Smith v. Maryland has been repeatedly criticized by legal scholars. See, e.g., Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. CAL. L. REV. 1083, 1137-1138 (2002); Stephen E. Henderson, Nothing New Under the Sun? A Technologically Rational Doctrine of Fourth Amendment Search, 56 MERCER L. REV. 507, 524-528 (2005); Anita Ramasastry, Lost In Translation? Data Mining, National Security and the “Adverse Inference” Problem, 22 SANTA CLARA COMPUTER & HIGH TECH. L.J. 757, 764-766 (2006); Susan Freiwald, Uncertain Privacy: Communication Attributes After the Digital Telephony Act, 69 S. CAL. L. REV. 949, 982-989 (1996) (discussing the limited capacity of the pen/trap devices analyzed in Smith and explaining how modern pen/trap devices collect far more information).
Federal Statutes
Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986 (“ECPA”), Pub. L. No. 99-508, 100 Stat. 1848 (1986), comprised three titles. Title I amended the 1968 federal wiretap statute to cover electronic communications. Title II of ECPA created a new chapter of the criminal code dealing with access to stored communications and transaction records, commonly known as the “Stored Communications Act” or “SCA.” Title III of the ECPA covers pen registers and trap/trace devices.
Wiretap Act
ECPA, Title I, 18 U.S.C. §§ 2510 et seq. (“Wiretap Act”) makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication and regulates real-time electronic surveillance in federal criminal investigations. See main article on Wiretap Act. 18 U.S.C. §§ 2510-2522 was first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and is generally known as "Title III".
Stored Communications Act
ECPA Title II, 18 U.S.C. §§ 2701 et seq. (“Stored Communications Act”) generally prohibits the disclosure of the content of electronically stored communications. The Act does not prohibit disclosure of user information to non-government entities. See main article on Stored Communications Act.
The Stored Communications Act also strictly limits the information that an electronic communication service may provide to the government. A government entity generally must provide a subpoena, warrant or court order to obtain information about a user that is stored by the communication service provider. The USA Patriot Act, see below, amended these provisions to permit disclosure of such information to the government if the service provider has a good faith belief that there is an imminent danger of death or serious physical injury.
Pen/Trap Statute
The Pen Registers and Trap and Trace Devices chapter of Title 18 ("the Pen/Trap statute"), 18 U.S.C. §§ 3121-3127, governs pen registers and trap and trace devices, empowering a court to issue an order “authorizing the installation and use of a pen register or trap and trace device” upon application and proper certification by the government. A “pen register” is a device that records the numbers dialed for outgoing calls made from the target phone. A trap and trace device captures the numbers of calls made to the target phone.
The Pen/Trap statute expressly prohibits pen/trap devices from collecting communications content. The legislative history clarifies that "[t]he term 'pen register' means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted for the purpose of routing telephone calls, with respect to wire communications, on the phone line to which such device is attached. The term does not include the contents of a communications, rather it records the numbers dialed." H.R. Rep. No. 99-647, at 78 (1986); see also People v. Bialostok, 610 N.E.2d 374, 378 (N.Y. Ct. App. 1993) (devices that can acquire communications contents cannot be authorized under Pen/Trap Statute).
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 (http://www.law.cornell.edu/uscode/18/1030.html), provides a cause of action against one who, inter alia, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” 18 U.S.C. § 1030(a)(2)(C), (g).
The civil remedy extends to “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g). However, the conduct must involve one of five factors listed in 18 U.S.C. § 1030(a)(5)(B), which include a loss in excess of $5,000. § 1030(a)(5)(B)(i), (g). Loss is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." § 1030(e)(11).
In Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (http://caselaw.lp.findlaw.com/data2/circs/9th/0235856p.pdf) (9th Cir. 2004), the Ninth Circuit held that damages could be aggregated, since "the $5,000 floor applies to how much damage or loss there is to the victim over a one-year period, not from a particular intrusion." See also S. Rep. 99-432, at 5 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2483 ("[T]he Committee intends to make clear that losses caused by the same act may be aggregated for purposes of meeting the . . . threshold.")
The Homeland Security Act, see below, increased the penalties and prison terms for violations of the CFAA.
CFAA Cases
- U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA)
- U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (unauthorized browsing of computer files did not violate CFAA)
- Ingenix, Inc. v. Lagalante, 2002 U.S. Dist. LEXIS 5795 (E.D. La. 2002). The court held that plaintiff had properly alleged damages in excess of the statutory minimum due to the cost of hiring forensic experts to recover the deleted files and carry out an investigation on the laptops and email servers.
- U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000). CFAA protects corporate entities.
- Thurmond v. Compaq Computer Corp., 171 F.Supp.2d 667 (E.D. Tex. 2001). The court held that losses suffered by unnamed members of a proposed class made up of buyers of allegedly defective computers could not be used to meet the CFAA damage threshold. The court noted in dicta that if the defective program corrupted $5,000 worth of data, then Plaintiffs would have met the statutory minimum.
- I.M.S. Inquiry Management Systems, Ltd. v. Berkshire, 307 F.Supp.2d 521 (SDNY 2004). Section 1030(a)(2)(C) forbids obtaining information from a protected computer involved in interstate or foreign communication through intentional and unauthorized access. The court allowed a civil cause of action under this section, in conjunction with a § 1030(g) claim. See also Theofel v. Farey-Jones, 341 F.3d 978, 986 (9th Cir. 2003) (same).
- Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp.2d 435 (ND Tex. 2004). CFAA does not require damage as defined in 18 U.S.C. § 1030(e)(8) (http://www.law.cornell.edu/uscode/18/1030.html) over $5,000, only "loss" as defined in (e)(11).
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), PL 107-56. Passed in the wake of the 9/11 terrorist attacks, the controversial Act expands the type of information to which law enforcement officials may obtain access and permits service providers to divulge the contents of communications in emergencies.
- Section 210 increases the types of information to which law enforcement officials may obtain access by requiring them to meet only the lowest ECPA standard; types of information covered include records of session times and durations, temporary network addresses, and means and source of payments, including credit card and bank account numbers.
- Section 212 of the Act permits service providers to voluntarily release the contents of communications if they reasonably believe that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” This provision was further modified by the Homeland Security Act to increase the number of governmental agencies to which service providers may disclose communications and to soften the standard by which communications can be disclosed to a “good faith” belief from a “reasonable belief.”
- Section 214 of the Act significantly expands the FBI's electronic surveillance powers under the Foreign Intelligence Surveillance Act (FISA), as well as lowering the standards under which the secret FISA court can authorize the FBI to spy on your phone and Internet communications. In particular, Section 214 makes it easier for the FBI to install "pen registers" and "trap-and-trace devices" (collectively, "pen-traps") in order to monitor the communications of citizens who are not suspected of any terrorism or espionage activities.
- Section 215 allows the FBI secretly to order anyone to turn over business records or any other "tangible things," so long as the FBI tells the secret Foreign Intelligence Surveillance Act (FISA) court that the information sought is "for an authorized investigation...to protect against international terrorism or clandestine intelligence activities." These demands for records come with a "gag order" prohibiting the recipient from telling anyone, ever, that they received a Section 215 order.
- Section 217 permits service providers to “invite” law enforcement to assist in tracking and intercepting a computer trespasser’s communications.
Homeland Security Act
The Homeland Security Act of 2002, PL 107-296. Provisions of Section 896 and Section 225 (“The Cyber Security Enhancement Act”) of the Homeland Security Act increase prison time and penalties for violations of the CFAA, prohibit Internet advertising of illegal surveillance devices, and allow law enforcement agencies to make pen register/trap and trace installations without a court order in the case of “national security interests” or an attack on a protected computer as defined by the CFAA.
The Homeland Security Act Section 225 expanded the power of PATRIOT Section 212 by 1) lowering the relevant standard from "reasonable belief" of a life-threatening emergency to a "good faith belief," 2) allowing communications providers to use the emergency exception to disclose your data to any government entity, not just law enforcement, and 3) dropping the requirement that the threat to life or limb be immediate.
Other Federal Statutes
The Cyber Security Enhancement Act
This act allows service providers to disclose the contents of communications to “Federal, State, or local government entities” in the event that the provider has a “good faith” belief that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” These changes effectively expanded the scope of disclosures possible under the law and lowered the standard by which such disclosures could take place.
The 21st Century Department of Justice Appropriation Authorization Act
Under this Act, law enforcement agents are not required to be present during the execution of a warrant made pursuant to the ECPA’s requirements. Congress’s action effectively reversed United States v. Bach, 2001 U.S. Dist. LEXIS 22109 (D. Minn. 2001), a case which required the presence of a government law enforcement agent to exercise a warrant. The district court opinion has also been reversed and remanded upon review by the Eighth Circuit in United States v. Bach, 310 F.3d 1063 (8th Cir. 2002).
The Cable Act
Many cable companies are now providing Internet services. The Cable Communications Policy Act ("the Cable Act"), 47 U.S.C. § 551 restricts when the government can obtain "personally identifiable information concerning a cable subscriber," generally requiring them to overcome a heavy burden of proof at an in-court adversary proceeding, as specified in 47 U.S.C. § 551(h). After the USA PATRIOT Act, cable operators may disclose subscriber information to the government pursuant to ECPA, Title III, and the Pen/Trap statute, except for "records revealing cable subscriber selection of video programming." 47 U.S.C. § 551(c)(2)(D).
The Cable Act, 47 U.S.C. § 551(c)(2)(B), also requires cable companies to provide notice to subscribers before disclosure of "personally identifiable" customer information in response to a civil subpoena. Cable providers are also required to "destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) of this section or pursuant to a court order."
Computer Matching & Privacy Protection Act
The Computer Matching & Privacy Protection Act of 1988 (and its amendments in 1990), 5 U.S. Code 552a (a)(8)-(13), (3)(12), (o), (p), (q), (r), & (u), sets requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies.
State Statutes
Title III does not preempt state statutes that are more protective of privacy. “Congress intended that the states be allowed to enact more restrictive laws designed to protect the right of privacy.” People v. Conklin, 12 Cal.3d 259, 271 (1974); see also Roberts v. Americable Intern. Inc., 883 F.Supp. 499, 503, fn. 6 (E.D.Cal. 1995); United States v. Curreri, 388 F.Supp. 607, 613 (D.Md. 1974); Bishop v. State, 526 S.E.2d 917, 920 (Ga.Ct.App. 1999); People v. Pascarella, 415 N.E.2d 1285, 1287 (Ill.App.Ct. 1981).
Anti-Spyware
- The Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947 et seq., prohibits an unauthorized person from knowingly installing or providing software that performs certain functions, such as taking control of the computer or collecting personally identifiable information, on or to another user's computer located in California.
- Georgia Computer Security Act of 2005 [1] (http://www.legis.state.ga.us/legis/2005_06/versions/sb127_LC_28_2483S_hss_9.htm) prohibits an unauthorized person from knowingly installing or providing software that performs certain functions, such as taking control of the computer or collecting personally identifiable information, on or to another user's computer located in Georgia.
- Washington, http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/House%20Passed%20Legislature/1012-S.PL.htm
Communications Privacy
General Privacy
- The Information Practices Act of 1977, Cal. Civil Code § 1798 et seq., limits the collection, management and dissemination of personal information by state agencies.
- Cal. Civil Code § 1798.81.5 - Regulates the security of personal information (defined as name plus SSN, driver’s license/state ID, financial account number) collected by certain businesses.
- Cal. Civil Code §§ 1798.80 and 1798.84 - Regulates the destruction of records with personal information.
Privacy Policies
- The California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22575 - 22579, requires websites or other online services that collect personally identifiable information from California consumers to post a conspicuous privacy policy. The text of this law, as well as the legislative counsel's digest and the Legislature's findings and declarations, can be found at http://www.leginfo.ca.gov/pub/bill/asm/ab_0051-0100/ab_68_bill_20031012_chaptered.pdf.
- Pennsylvania 2003-04 S.B. 705, Act. 202 [4] (http://www.legis.state.pa.us/WU01/LI/BI/BT/2003/0/SB0705P2001.HTM) and Nebraska Statutes § 87-302 [5] (http://statutes.unicam.state.ne.us/Corpus/statutes/chap87/R8703002.html) prohibit knowingly making a false or misleading statement in a privacy policy.
