3A-6-Electronic Communications Privacy Act (ECPA)
The Pen Register and Trap and Trace Statute
A "pen register" is a device that decodes dialing, routing, addressing, or signaling information that is transmitted from a device that also transmits wire or electronic communications. It records information such as phone numbers that are dialed or internet protocol (IP) addresses to which communications are sent. A "trap and trace" device, on the other hand, is a device that captures incoming electronic information that identifies the originating source of a wire or electronic communication. The ECPA made it unlawful to install or use either a pen register or trap and trace device without first obtaining a valid court order. A violation of this prohibition is a crime punishable by fine or imprisonment of not more than one year. Unlike the Wiretap Act, which contains numerous requirements above and beyond the minimum requirements to obtain a warrant under the Fourth Amendment, an application for a pen register or trap and trace device must include only: (1) the identity of the person making the application and the agency on whose behalf the application is made; and (2) a certification that information is likely to be obtained by the device that is "relevant to an ongoing investigation." This is a very lenient standard. A court order permitting a pen register or trap and trace device may authorize the installation and use of such a device for no longer than 60 days, unless a subsequent application is made for an extension. Additionally, a court may place a gag order on the person who owns or leases the facility on which the device will be installed to bar that person from disclosing the existence of the device or the investigation to the subscriber, or any other person, unless or until the court orders otherwise.Providers are required to cooperate with law enforcement in the installation of a pen register or trap and trace device, but they may be compensated for this cooperation, and they cannot be held civilly liable as a result of this cooperation. The requirement of a court order is relaxed in emergency situations that involve the immediate danger of death or serious bodily injury, conspiratorial activities characteristic of organized crime, a threat to national security, or if there is an ongoing attack on a protected computer. In these emergency situations, a court order must be obtained within 48 hours after installation or use of the device has started.
Enforcement
As noted above, certain violations of the SCA constitute a criminal offense. The SCA, however, is also enforced through civil litigation. The SCA provides a private cause of action for any person aggrieved by a violation of its provisions, including any subscriber or electronic communications service provider whose systems have been improperly accessed. The full litany of relief is available, including attorney's fees and costs, with minimum damages set at $1,000. The statute of limitations for such a claim is two years, and parties are entitled to use their "good faith" reliance on a court order or other good faith determinations to avoid liability. Like under the Wiretap Act, there is an express private cause of action against the United States government for willful violations of the SCA, which may result in the award of costs, along with the greater of actual damages or $10,000 in statutory damages.
The CLOUD Act
Congress amended the SCA in 2018 pursuant to the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act"), which was intended to facilitate the international sharing of information for the purpose of fighting terrorism. In particular, the CLOUD Act added a new provision that requires electronic communication services and remote computing services to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer "regardless of whether such communication, record, or other information is located within or outside of the United States." This law had the effect of short-circuiting the landmark privacy case of Microsoft v. United States. In that case, the Second Circuit Court of Appeals had found a warrant for emails and other documents stored by Microsoft on a server in Ireland was not subject to disclosure under the SCA. The United States Supreme Court agreed to hear the case. In light of the passage of the CLOUD Act, however, the United States Supreme Court vacated the lower-court decision, finding that the issues were now moot.
The Electronic Communications Privacy Act ("ECPA")
The Electronic Communications Privacy Act ("ECPA") did more than simply amend the Wiretap Act so that it applied to "electronic communications." The ECPA also included new statutory provisions related to obtaining stored electronic records and using pen registers and "trap and trace" devices.
ii. Remote Computing Services and Government Access
The SCA also prohibits the disclosure of stored wire and electronic communications by an electronic communication service and those providing "remote computing services"—i.e., cloud computing services.11 Furthermore, "record[s] or other information pertaining to a subscriber" may not be disclosed to a government entity. There are a number of exceptions to each of these prohibitions that permit (but do not require) disclosure, including disclosure to law enforcement where the communication pertains to the commission of a crime. There are a number of instances, however, in which disclosure is mandated, and not merely permissive. In order to access the contents of communications stored for a period of less than 180 days, or to do so without providing notice to the subscriber or customer, a government entity generally needs a warrant to compel disclosure. For other stored communications, however, a government entity may compel disclosure of the contents of a communication by providing prior notice to the subscriber or customer and then using an administrative, grand jury, or trial subpoena, or by obtaining a court order. Notification may be delayed for a period of up to 90 days if there is reason to believe notification may result in adverse consequences, such as endangerment of life, destruction of evidence, witness intimidation, or flight from prosecution. The government may also force the production of customer records concerning a communication (other than the contents of the communication itself), such as the metadata related to a communication. To do so, the government entity must obtain a court order, warrant, customer consent. In order to obtain a court order for the production of stored communications or customer records, the government must offer "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." This is a much higher standard than that required by the Fourth Amendment. The SCA sets out specific procedures by which a service provider may seek to quash or modify a court order compelling production under these provisions. In addition to their production obligations, providers of electronic communication services or remote computing services must also abide by preservations orders issued by the government. These records must be preserved for a period of 90-days, subject to renewal upon additional request. As part of a court order or subpoena to produce wire or electronic communications, the government can also direct a service provider to create a backup copy of the contents of those communications. A customer whose communications are subject to such an order, however, has the right to challenge it within 14 days of being notified of the order's existence.
Prohibition on Obtaining, Altering, or Blocking
The SCA makes it illegal for any person to access a facility through which an "electronic communication service" is provided without authorization if the purpose of doing so is to obtain, alter, or block access "to a wire or electronic communication while it is in electronic storage in such system." More simply, it is illegal for a person to obtain stored communications, alter stored communications, or block authorized access to stored communications, unless that person has previously obtained permission to do so. There are two primary exceptions to this prohibition. First, conduct authorized "by a user of that service with respect to a communication of or intended for that user" is exempt. Put differently, somebody using an electronic communication service may permit others to access their stored communications on that service. Second, access to stored communications is permitted where authorized "by the person or entity providing a wire or electronic communications service." In the context of employer-employee monitoring, discussed further in Module IV.B.2, the employer is often the entity providing the electronic communication service, thereby permitting it to access stored communications on that service. There is no preemption of state law under the SCA, and some states—such as Delaware and Connecticut—have required employee notification prior to accessing stored employee communications. A violation of this prohibition is a felony. If the violation is committed for the purpose of commercial advantage, malicious destruction or damage, private commercial gain, or in furtherance of any other crime or tort, it is punishable by fine and a term of imprisonment of five years (for a first-time offense) or ten years (for subsequent offenses). In all other cases, a violation is punishable by a fine and one year of imprisonment (for a first-time offense) or five years of imprisonment (for subsequent offenses).
Key Points
The Stored Communications Act ("SCA") applies to the use of an "electronic communication service" Under the SCA, it is criminal violation to obtain, alter, or block access to stored communications, without permission A record is electronically stored when it is: (1) in temporary storage incidental to the transmission of the communication; or (2) stored for backup protection The government may access stored communications by a cloud computing service, including any records related to a subscriber, only if: (1) it obtains a warrant, if the communications are less than 180 days old; or (2) a court order or subpoena is obtained, with prior notice provided to the subscriber or customer To obtain a court order, the government must show "specific and articulable facts showing that there are reasonable grounds to believe" the information is relevant to an ongoing criminal investigation Government may issue a preservation order for electronic communications CLOUD Act amended the SCA in 2018 to clarify that SCA applied extraterritorially There is a private cause of action for violations of the SCA It is a criminal offense to use a pen register or trap and trace device without first obtaining a court order, except in emergency situations A court may place a gag order on anyone ordered to install such a device
The Stored Communications Act (SCA)
Title II of the ECPA is called the Stored Communications Act ("SCA").1 The SCA protects against the unauthorized access or disclosure of stored wire and electronic communications by, or through the use of, an "electronic communication service." The definitions used under the SCA—including the definitions of "wire communication" and "electronic communication"—are the same as those used in the Wiretap Act. An "electronic communication service" is "any service which provides to users thereof the ability to send or receive wire or electronic communications." A record is considered electronically stored—and therefore subject to the SCA—when it is: (1) in temporary, intermediate storage that is incidental to the transmission of the communication; or (2) when stored by an electronic communication service for the purpose of backup protection.