From: kadie@eff.org (Carl M. Kadie)
Subject: ECPA and University Email
Message-ID: <1991Sep23.190848.24422@eff.org>
Date: Mon, 23 Sep 1991 19:08:48 GMT

Last week in email, I asked Mike Godwin if the Electronic
Communications Privacy Act (ECPA) could be reasonably construed to
protect university email. (Mike is the Staff Lawyer for the Electronic
Freedom Foundation.) With Mike's permission, I'm posting his reply.

- Carl

---------
Carl, I don't think it's been resolved whether ECPA reaches
university e-mail, but I think there is an argument that it
does. Consider two key terms in ECPA: 

a: "electronic communication service" [defined in 18 USC 2510]
means any service which provides to users thereof the ability to 
send or receive wire or electronic communications.

b: "remote computing service" [defined in 18 USC 2711] means the provision
*to the public* [emphasis mine] of computer storage or processing services
by means of an electronic communications service.

Now, one obvious difference between (a) and (b) is the phrase
"to the public"--a university email system might well qualify as (a),
but probably would not qualify as (b).

But some sections of ECPA add the language "to the public" to (a), which
suggests a narrower class of (a) that may exclude such things as 
university e-mail systems and internal corporate e-mail systems.

Does this mean that a university e-mail system is not covered
by ECPA because it doesn't provide services "to the public"?
I don't think so, if the system provides services to students.
Students are not employees--they are educational consumers. In other
words, they are more like "public" than like "employees." Presumably,
access to the university system is something that's paid for, at least
in part, by a student's tuition and fees--i.e., the student is paying
for the service.

Obviously there's a counterargument here--that "public" just means
"general public"--but the issue of interpretation hasn't yet been
resolved.


Hope this helps.



--Mike
