Electronic Communications Privacy: Good Sysops Should Build Good Fences

By David R. Johnson
Wilmer, Cutler & Pickering
Washington, D.C.

The Electronic Communication Privacy Act of 1986 ("ECPA") has extended basic privacy protections to electronic communications of all types. But, much as your privacy at home depends in part on the type of fence you build, the privacy protection offered by ECPA depends importantly on the context in which the communication occurs.

Congress was right to make the extent of electronic privacy protection depend substantially on context -- any other approach would have interfered with open access to communications intended to be publicly disseminated. But the result of this approach is that every system operator ("Sysop") of an electronic communications system or remote computing service bears an added burden -- a duty to make clear to all concerned which types of messages may be disclosed to others and which may not. ["Sysop" is a term commonly used to refer to the system operator of an electronic communication system.]

Basic Protections Provided by the Act

ECPA potentially extends various privacy protections, of the sort previously applicable only to human voice communications transmitted over wire, to (1) all types of communications, and (2) all types of transmission media. Section 2510(4) of the wiretap statute was amended to cover "aural or other" acquisitions of communications. A new category of "Electronic Communications" was defined broadly to include "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." Aside from open-air voice, voice over wire, and certain cordless telephone transmissions and paging and tracking transmissions, which are expressly excluded, it is hard to imagine any form of communication this definition leaves out.
All electronic communications -- with exceptions noted below -- are given protection analogous to that previously provided to voice-over-wire communications. Recognizing the increasing private use of large switching devices, the Act covers communications whether or not they are transmitted by a "common carrier." With some exceptions, the Act's protections against interception generally apply regardless of whether the communication is transmitted over a wire or a radio frequency.

Protection for Stored Communications

Since ECPA was designed in part to protect the new medium of electronic mail, Congress had to take account of the fact that electronic mail communications are often stored pending receipt. The Act prohibits unauthorized access to or disclosure of communications while in "electronic storage." This is defined to mean "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage . . . for purposes of backup protection of such communication."

The extent of the Act's protections differs somewhat depending on the length of time the communication has been stored pending receipt by the addressee. Storage after receipt is covered by distinct sections dealing with "remote computing services." Protection for materials stored by remote computing services depends on the nature of the relationship between the service provider and the person for whom the data is stored.

Contents vs. Records

ECPA clarifies a basic distinction between the contents of communications and records regarding the subscriber's use of a communications service. The definition of the term "contents" was amended to cover only "information concerning the substance, purport or meaning" of a communication. Sysops are prohibited from making unauthorized disclosures of the contents of communications. They may use or disclose records relating to a subscriber much more freely.
(But special restrictions still apply to disclosures of records to governmental entities.)

In What Context Must Communications Be Treated as Private?

ECPA permits any person "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." In particular, various types of radio communications are excluded from protection against interception by being defined as "readily accessible to the public."

In the area of radio transmissions -- which include satellite transmissions, cellular radio, and other types of transmissions for which receiving equipment has been or could be readily devised -- Congress had no choice but to declare that certain frequencies and types of transmission either are "off limits" to intruders or may be accessed with impunity. If Congress had let privacy be determined by the size of the technological barriers to interception, or expectations of privacy based on the ease of interception, it would in effect have declared that anything sent over any radio frequency may be intercepted with impunity once the technical means to do so have been developed. Expectations of privacy would have declined to zero, and sensitive communications and those with a value to a third party would have been correspondingly chilled. Thus, of necessity, with regard to radio-based communications, the law has determined where the fences are to be and how high they are to stand.

In contrast, ECPA does not define the "readily accessible" concept with regard to data communications of the type that now take place over wire connections to electronic mail and bulletin board systems. Congress realized that the access controls that electronic mail and electronic bulletin board systems make possible would allow different levels of security and privacy restrictions to be placed on different messages.
It knew that stored messages might be meant either (1) only for the eyes of a particular intended recipient or (2) as a "broadcast" to a large (perhaps ill-defined) group. It knew that software security systems could be enhanced and tailored to fit particular circumstances -- and that the ground rules for access to and use of different portions of an electronic messaging system could be modified by contract and operating policy. Accordingly, Congress in effect left it to the courts -- and to the system operators who have to work out system design, contractual relationships and operating policies -- to figure out what types of communications may and may not lawfully be intercepted or disclosed.

The privacy of a particular message is importantly affected by the concept of "authorization." For example, Section 2701(a) makes it an offense for an electronic "Peeping Tom" intentionally to access an electronic communication "without authorization" (or in excess of an authorization). Section 2701(c) makes it clear that the person or entity providing the electronic communication service may grant the authorization. Thus, insofar as ECPA protects the privacy of electronic messages, the Sysop (e.g., by means of an agreement with the user) sets the rules that govern protection against unauthorized access.

The Sysop is not free to establish rules that allow disclosure of the contents of communications under circumstances that are neither agreed upon in advance nor readily foreseeable. Another part of ECPA states that a "provider of electronic communication service to the public" shall not "knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service" -- unless certain specified exceptions apply. Similar rules apply to a provider of remote computing service to the public.
But system operators may disclose the contents of stored communications: (1) to an addressee or intended recipient; (2) as otherwise authorized in the sections of the act dealing with governmental access; (3) with the lawful consent of the originator or an addressee or intended recipient; (4) to a person employed or authorized to forward the communication to its destination; (5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service; or (6) to a law enforcement agency, if the contents were inadvertently obtained and appear to pertain to the commission of a crime.

Accordingly, as explained below, the Sysop has substantial discretion to determine the context in which communications will be private. The structure of an electronic mail system determines who is in fact, and who might reasonably be thought to be, an "intended recipient" of any given message. Similarly, the design of an electronic mail system determines who will be retained to forward the communication toward its destination and whose access to the message will be "necessarily incident" to the rendition of the service.

Implications for System Operators

As a practical matter, the system operator must determine both the extent of privacy offered by the electronic messaging service and the extent to which the privacy ground rules are made clear to users. There is an important relationship between these two issues. If the system design leads users to expect privacy, then they must get it -- or the Sysop will be liable for unauthorized disclosure. If the contract or system policy is unclear about the extent of authorization given to a user to access various communications, then it may be more difficult to proceed against someone who has obtained "unauthorized" access.
If the system does not present a reasonable set of requirements for the entry of "passwords" or other security devices, then even messages intended by their senders as private electronic mail might be unprotected -- because the system as a whole could be characterized as "readily accessible to the public."

ECPA was designed not to protect the privacy of messages left on open electronic "bulletin boards." Typically, these bulletin boards, like their "hard copy" counterparts in the supermarket, contain messages intended to be received by anyone with access to the electronic communication service. Indeed, the term "intended recipient" was added to the more traditional "addressee" -- in the sections authorizing disclosure and access -- in order to allow the full context of an electronic communication to be taken into account in determining the legitimacy of disclosure or access. No user has the right to demand or expect privacy with respect to communications made in electronic contexts normally open to the public view.

Obviously, however, some potential for confusion will remain unless communication system operators establish clear rules. Some electronic mail systems may not clearly state that the Sysops will regularly review messages, even though this is the operational practice. Some bulletin boards may allow a "reply" to messages posted by identified users -- without making it clear enough that the "reply" will also be open for all to read. Some may suggest that a particular collection of stored messages is open only to "members" -- in which case a subscriber might complain that the Sysop's disclosure to a non-member (or, perhaps, admission of a new member, in some unforeseeable way) constituted an unauthorized disclosure. The equally obvious cure for all these potential problems is for the Sysop to spell out as clearly as possible, in contracts and system rules, all applicable disclosure policies.
The need for clear disclosure rules does not affect only a small number of specialized service providers. To the contrary, many employers are becoming electronic communications system operators, whether they know it or not. Portions of ECPA apply to intra-company telephone and electronic mail systems, not just to common carriers (as was the case under the old wiretap statute). If "internal" electronic mail messaging is carefully limited to business communications among employees, then ECPA protects such messages against unauthorized access by outsiders but otherwise should not limit the employer's discretion to disclose those messages to others -- either because they are the employer's own messages or because the employer is an intended recipient of the messages.

But what if employees begin to send personal messages over the system, perhaps with the employer's indulgence or authorization? What if customers are given access to the network? What if a large number of non-employees have access? At some point, the electronic communication service will be found to be "offered to the public" -- and the provider of that service will risk liability if it intercepts, uses or discloses the contents of apparently private messages without the required authority or exemption. Clear policies, understood and agreed to by all employees and users, are a must.

Other Issues Involving Relations With Subscribers

Any Sysop of an electronic communications service may one day receive a request from the government for access to the contents of communications sent over that service by a particular individual. ECPA spells out the procedures the government must follow in order to require such access. Sysops should insist that the government turn square corners in this regard -- since public-spirited "cooperation with the police" may be an actionable unauthorized disclosure and an aid to violation of the civil rights of the subscriber.
ECPA provides an exemption from liability for those who rely in "good faith" on the warrant, subpoena, or other authorization required for governmental access to electronic communications under the Act.

If a Sysop receives a governmental request for access to stored electronic communications, should the Sysop tell a subscriber that such a request has been made? Unlike the provisions applicable to phone taps, there is no automatic ban on disclosure. But the government may request a court order banning disclosure, if it can make particular showings. Sysops can influence the privacy of messages on their systems by deciding to disclose the existence of a governmental request for access -- unless the government gets the required order. This disclosure policy would be analogous to that envisioned in the Financial Right of Privacy Act with regard to banking records. It is also good policy, however, to tell the governmental agency about the planned disclosure to the subscriber -- before either responding to the request for access or telling the subscriber that the governmental request has been made. This will allow the government to modify its request or obtain a court order banning disclosure, if it so desires.

A special section of ECPA recognizes the danger that electronic files might be altered prior to production, if prior notice is given to the subscriber. Section 2704 allows the government to delay notice to a subscriber during a period required for the provider of electronic communications services to make a "snap-shot" of stored files. The snapshot must be made, but the subscriber is then given notice -- unless certain exemptions apply -- and is allowed to contest disclosure to the government. The government must pay reasonable expenses incurred to create the snapshot. System operators would do well to configure their backup procedures with at least one eye on this snapshot requirement.
The extent of the privacy protection granted by ECPA to stored electronic communications depends on a number of additional factors over which the Sysop retains control. If messages are stored for more than 180 days, then the government may get access to them with the use of a more readily obtained administrative subpoena -- as contrasted with a warrant, which is needed before that time and requires a showing of probable cause. Sysops may decide to destroy all unreceived messages older than 180 days or, at a minimum, inform their subscribers regarding their message retention policy.

Similarly, when a system stores an electronic message after receipt, for the convenience of the subscriber, the system may become a "remote computing service." The communications so stored are protected against access by the government only if the Sysop does not have authority to access the records for any purpose other than the provision of storage and computing services. Accordingly, the relationship between the subscriber and the provider of the service should be clearly defined -- to make sure that all concerned understand the extent of the applicable privacy protection.

It may not be widely understood that ECPA's prohibition on disclosure could preempt discovery in civil litigation. A document subpoena served on a third party service provider does not "authorize" the provider to disclose the contents of communications -- so a motion to quash should prevail. A party seeking discovery should be required to obtain the authorization of the sender or an addressee or intended recipient -- or serve them with the process. This limitation places the provider of electronic communications services or remote computing services in the appropriate position of a stakeholder -- whose physical control over the electronic files does not carry with it the right to make a decision regarding disclosure to a third party.
But this possibility of protection puts greater pressure on the issue of whether the Sysop should be characterized in contracts and operating policies as an "intended recipient" of messages on a system where access to messages by the Sysop can be expected as a regular matter.

ECPA and the "Appropriation" and "False Light" Theories of Privacy

ECPA was primarily designed to deal with the threat of unwanted intrusion into private electronic communications and the threat of embarrassment or other harm due to unauthorized disclosure. There are other, different sorts of privacy interests, however, involving the misappropriation or misuse of one's name, likeness, or acts. Whether out of a sense of decorum or a desire for monetary gain, many people object strongly if their own (not otherwise particularly "newsworthy") actions are widely publicized without their consent. With regard to these types of privacy interests, again, the Sysop's establishment of clear policies will determine whether electronic communications receive appropriate protection.

Because it is so easy to copy electronic materials, it is possible widely to republish and disseminate comments an individual might first have made in a semi-private setting. For example, a lighthearted comment made in the context of a small electronic "special interest group" could appear in a very different light when republished in a glossy computer magazine. ECPA treats all the members of an electronic special interest group (and, often, the Sysop) as "intended recipients" -- who presumably have the right to authorize such a disclosure. But a decision to republish certain messages might embarrass the message sender and, at a minimum, chill further discussion.

The important point, for purposes of analyzing the privacy of electronic communications, is that all transmissions by electronic means can have a degree of permanence and a surprising "loudness" not normally associated with oral conversations.
This can have a chilling effect on interoffice chit-chat over a local area network. Because a user's sense of privacy depends on the context in which statements are made, that context must be capable of being clearly understood by the speaker. Yet electronic messages may readily be stored, searched, copied, and republished in various contexts -- without the permission of the speaker. Thus, relatively intimate discussion (in electronic form) is threatened if the speaker cannot decide in advance whether his or her armchair might turn into a soapbox.

Short of barring all republication of materials gleaned from an electronic bulletin board, Sysops can take action to establish a greater sense of security on the part of message senders that they will retain some control over the context in which their remarks are republished. The Sysop can refrain from publishing his own compendium of all users' messages without clear prior notice that this will occur. (The Sysop will normally assert a compilation copyright interest that prevents others from reprinting large selections of materials without consent.) Further, a system operator could adopt a rule prohibiting the republication by any recipient of messages attributing remarks to particular senders without the sender's consent.

Not all rules against "unauthorized republication" will be enforceable, as a practical matter. But efforts to address this problem should be undertaken and should for now take the form of enlightened contract provisions and operating policies adopted by Sysops, rather than legislative attempts to establish rigid rules.

Conclusion

ECPA creates a legal framework that substantially constrains access by government agents to all forms of electronic communications clearly and reasonably intended to be kept private. But the Act does not complete the work required to be done to provide adequate assurances of electronic privacy.
Those who provide electronic communications services -- a category that will increasingly include most large companies -- must establish fences and locks to keep out unwanted intruders, must make clear which types of messages are to be kept strictly private and which are meant to be freely shared, and must begin to explore means of assuring that these boundaries will be understood and observed by all concerned.