Internet privacy: ISP snooping and U.S. surveillance laws

By Peter Guffin, Visiting Professor of Practice

It’s hard to imagine a world in which the U.S. Postal Service is permitted to peer inside our personal mail, or gather and track the address and other data we place on our mail, and then use and sell what it learns about us.

Yet, when it comes to our web browsing activities and electronic communications, isn’t that what Internet Service Providers (ISPs) are now lawfully able to do as a result of the U.S. government’s recent action overturning the FCC’s privacy rules?

The Electronic Communications Privacy Act (ECPA) puts some privacy limits on what ISPs can do. But the question is, are they sufficient based on what we know today? Let’s look at some of those privacy limits, and you be the judge.

The ECPA, enacted in 1986, long before anyone knew about the Internet, email, and the vast array of other new technologies that we use today, is the primary federal surveillance law applicable to “electronic communications,” which include emails and text messages. The ECPA contains three parts: the Wiretap Act, the Stored Communications Act (SCA), and the Pen Register Act, each of which protects electronic communications differently.

The Wiretap Act protects the privacy of an electronic communication when in transit, while the SCA protects such communication “while it is in electronic storage.” The Pen Register Act protects the privacy of non-content information in transit. Consequently, as a communication travels across the Internet, different laws may apply to it at different times.

How do we know when the SCA applies to a particular communication versus when the Wiretap Act applies? This issue is important because computer technologies keep the line from being altogether clear: a digital communication that is primarily in transit may be stored by a computer for just a few milliseconds along the way and may be stored at intermediate points for longer periods.

The First Circuit Court of Appeals addressed this question in United States v. Councilman, which involved a software program designed and covertly installed at an ISP to intercept and copy all user email from a competitor company. In that case, the First Circuit rejected the defendant’s proposed distinction between “in transit” and “in storage” and held that the access to the emails was regulated by the Wiretap Act, finding that the term “electronic communication” includes “transient electronic storage that is intrinsic to the communication process for such communications.”

Under the Wiretap Act, ISPs are prohibited from intercepting an electronic communication without subscriber consent, except in certain limited circumstances, one of which is the service provider exception. Pursuant to the latter exception, an employee of an ISP is permitted “to intercept, disclose, or use . . . [a] communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the [ISP].” (Emphasis added.)

In contrast, under the SCA, ISPs effectively are authorized to access and use electronic communications while in electronic storage without subscriber consent. It’s a case of the fox watching the hen house, as the SCA’s general prohibition on unauthorized access to and use of electronic communications does not apply to conduct authorized “by the person or entity providing a wire or electronic communications service” (such as an ISP). So, unlike the service provider exception for the Wiretap Act, which allows interceptions on a limited basis (namely, those necessary to provide the communications service), the SCA’s exception is broader and contains no such limitation.

What’s more, under the SCA, different rules apply to the “contents” of communications and non-content information. The latter, often referred to as “envelope” information, is defined as “a record or other information pertaining to a subscriber to or customer of . . . an [ISP] (not including the contents of communications).”

“Contents,” on the other hand, is defined under the Wiretap Act as follows: “[C]ontents”, when used with respect to any . . . electronic communication, includes any information concerning the substance, purport, or meaning of that communication.

Under the SCA, ISPs are prohibited from divulging the contents of a communication without subscriber consent except in certain circumstances. They are free, however, without restriction of any kind, to divulge “to any person other than a governmental entity” any and all non-content information that they wish.

In most cases the line between “contents” and non‑content information is pretty clear, although it occasionally blurs. In the case of an email, “contents” clearly covers the actual text of the message. It also likely covers the subject line of the email. In contrast, logs of account usage, mail header information minus the subject line, lists of outgoing email addresses sent from the account, and basic customer information all likely would count as non‑content information.

Not surprisingly, the SCA gives greater privacy protection to content information, even though, as we have come to realize today, non-content information relating to electronic communications can reveal a lot about a person’s private activities, sometimes as much as (and even more than) content information can.

Although it is widely acknowledged that the ECPA, largely unchanged since 1986, has failed to keep pace with new technologies and has significant gaps in need of legislative attention, Congress has failed to take action. It remains to be seen whether the U.S. government’s recent action overturning the FCC’s privacy rules will provide renewed impetus for Congress to amend the ECPA.