searches

What Is The Electronic Communications Privacy Act (“ECPA”)?

The ECPA of 1986 protects a variety of electronic communications and records. Title I protects electronic, wire and oral communications in transit. Title II, the Stored Communications Act (18 U.S.C. §§ 2701-12) (“SCA”) protects stored electronic communications. Title III prohibits the use of trap and trace devices and pen registers, which essentially compile a record of dialed telephone numbers and routing.

Titles I and II both restrict the ability of law enforcement and governmental agencies to acquire communications protected by the ECPA. Title I requires a court authorized search warrant upon a showing of probable cause that the communications sought contain evidence that a crime was committed. Title II of the SCA only requires a similar judicial warrant for stored communications 180 days or less. In the case of stored communications older than 180 days, law enforcement or a governmental agency only need issue an administrative subpoena. That administrative subpoena is essentially a letter from the agency to the holder of the stored communications, such as an Internet Services Provider (“ISP”), that the communications are relevant to an investigation and forces the holder to divulge the stored communications.

This is significant because the standard required for law enforcement or regulatory agency to obtain e-mails or data files older than 180 days differs not only in the age of the communication, but also where the communication is stored. For example, if the communication is stored on a computer hard drive in one’s home or business, law enforcement is required to obtain a search warrant to obtain the data regardless of age. In the case of communications stored with a third party, the standard of proof (i.e., court approved warrant v. agency subpoena) depends upon the amount of time the communication has been stored, with the dividing line being 180 days.

Changes In The Use Of Data Storage

Congress originally passed the SCA and the ECPA in 1986 with a few amendments since then. In the intervening 26 years, data usage drastically changed. Previously, storage, both online and offline was at a premium. In the past, e-mail was predominately downloaded from ISPs to e-mail clients and stored locally on a user’s computer. Alternately, users deleted older e-mails stored on third party servers. Users predominately stored all data and communications locally on their hard drives. Businesses typically stored their communications on their own servers.

The landscape of communication and data storage today has turned to third party “cloud” services. For individuals, Web based e-mail providers such as Gmail, Yahoo and e-mail provided by ISPs with generous storage encourages individuals to keep e-mail and even voice mails in the case of Google Voice on third party servers indefinitely instead of deleting communications or downloading them to local client hard drives. Even businesses have migrated to “cloud services” including hosted e-mail servers and cloud-based backup.

Increases In The Use Of Administrative Subpoenas

At least anecdotally, the amount of agency subpoena requests has dramatically increased. For example, in Google’s Transparency Report (http://www.google.com/transparencyreport/removals/government/), notes in the first half of 2012 it had 1,791 subpoena requests. In the first half of 2011 Google reported 949 such requests.

Recent Efforts To Require Court Issued Warrants For Stored Communications

The good news is that there is movement in the U.S. Senate to amend the ECPA to protect communications older than 180 days older. Legislation introduced by Senator Patrick Leahy recently passed a Senate panel against objections by law enforcement that it would hinder investigations. If passed, the proposed law would require law enforcement and regulatory agencies to obtain a court issued search warrant for all stored communications, regardless of the age. Of course, it is early in the legislative process. Stay tuned.

IT Digital Device Border Searches Cover More Than Just Laptop Contents. Those who travel frequently are used to TSA security searches that have become more extensive, time consuming and invasive. International travelers have likewise faced increased scrutiny when returning to the United States by the U.S. Customs and Border Protection (CBP). While many realize that enforcement of the customs mission involves inspection for contraband and collection of duties, anecdotal evidence indicates that there is an increased scrutiny to inspect for information that may be related to cybercrimes and the war on terror. Information may also relate to violation of intellectual property laws, child pornography and other obscene materials, and for violations of national security and export control laws. Information that once took volumes of books, photographs, CDs/DVDs, etc. can be stored in digital form and can be stored on a small USB flash drive, smart phone, an iPod, or a laptop. Thus, these digital storage devices while light and portable have become targets of CBP inspecting officers.

Right to Search Digital Devices. Legally, CBP inspecting officers have the authority to search digital devices incidental to a search at the border. One exception to the U.S. Constitution’s Fourth Amendment prohibition against unreasonable searches and seizures relates to searches incident to border entries. United States v. Montoya de Hernandez, 473 U.S. 531 (1985). The Ninth Circuit Court of Appeals recently ruled that the CBP’s search of digital files does not require any level of suspicion or probable cause prior to the warrantless search. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). While the inspecting officer may have the authority and the international traveler may have nothing to hide, an inspection of digital devices can be more invasive than a search through one’s underwear. The inspection may lead to delays and possible impounding of the digital devices for further forensic analysis.

Traveler Responses to Digital Device Search Possibility. If the traveler wishes to minimize the invasiveness of digital device inspection or if the traveler believes that they may be a likely target due to nature of business, foreign countries visited or the result of perceived profiling (of which the author provides no opinion as to whether CPB uses profiling), there are some steps that the traveler can take to minimize the chances or extent of searches. First, the traveler can carry no digital device that the traveler does not want inspected or potentially impounded, even if the digital device is later timely released. Alternately, the traveler can securely delete or “wipe” any data contained on the digital devices to minimize effects of an inspection.

A second alternative is to use the power of “cloud computing” and work with all data through the Internet. This method is easy given the widespread use of Web access for mail servers and online data storage solutions. This also assumes that appropriate security procedures are in place such as VPN connections or use of SSL encryption protocols.

A third alternative is use whole or partial hard drive encryption on laptops used while traveling internationally. This alternative is a no-brainer as any laptop containing proprietary business data, including personally identifiable information subject to data breach notification laws, should already be encrypted. This begs the question of what should the traveler do if asked by a CBP official for the password. Not having the data in the first place avoids this issue, but traveling without the data or applications may not be an option. While travelers are expected and should cooperate with the inspection process, one trial court recently held that an inspected traveler had no duty to provide CBP with a password consistent with the Fifth Amendment of the U.S. Constitition’s privilege against self-incrimination. In re Boucher, 2007 WL 4246473 (Nov. 29, 2009).

While this post only discussed the issue of returning to the United States after international travel, the CBP can inspect an international traveler prior to departing the U.S. to foreign countries. Likewise, this post did not discuss the issue of foreign customs searches where foreign laws may be less predictable and as protective. Indeed, the option presented regarding data encryption may be unavailable in certain jurisdictions which also restrict or prohibit importation of strong encryption technology. U.S. export control laws may also restrict the “exportation” of strong encryption technology. Know before you fly.