Harvard Journal of Law & Technology
Fall, 1994
SEARCHES AND SEIZURES OF COMPUTERS AND COMPUTER DATA
Raphael Winick [FNa1]
Copyright © 1994 by the President and Fellows of Harvard College; Raphael Winick
INTRODUCTION
In 1928, Justice Brandeis predicted:
Ways may some day be developed by which the Government, without removing
papers from secret drawers, can reproduce them in court, and by which it will
be enabled to expose to a jury the most intimate occurrences of the home. Can
it be that the Constitution affords no protection against such invasions of
individual security? [FN1]
Technological developments have turned
Justice Brandeis' foresighted prediction into reality. One man has been
sentenced to death in a kidnapping and murder case
following the electronic recovery by police of ransom notes which had been
previously deleted from computer disks. [FN2] Government monitoring of a college
student's electronic bulletin board and Internet site resulted in a recent
felony indictment on fraud and software piracy charges. [FN3] Incriminating
electronic mail messages led to pending criminal charges for theft of trade
secrets against high-ranking executives at software giants Symantec and
Borland. [FN4] A 1990 FBI and
Secret Service seizure of computer hardware and software from a Texas
distributor of computer-related literature deprived the publisher of documents
necessary to complete several books and other projects, thereby threatening the
viability of that company. [FN5] The R.J. Reynolds Tobacco Company
has subpoenaed an anti-smoking computer bulletin board service to produce its
membership list. [FN6] Due to public
concern over civil liberties, the federal government announced in the summer of
1994 that it will reevaluate controversial plans to create a federally-designed
and governmentally-controlled standard for encrypting electronic transmissions.
[FN7]
Americans' growing reliance on computers has vastly increased the
potential for the government to use electronic surveillance to intrude into its
citizens' private lives. Individuals are losing the ability to physically lock
away sensitive information from curious eyes. [FN8] Justice Douglas once noted:
"Electronic surveillance is the greatest leveler of human privacy ever
known. [E]very person is the victim, for the
technology we exalt today is everyman's master." [FN9] Chief Justice
Warren shared this fear: "[T]he fantastic advances in the field of electronic
communication constitute a great danger to the privacy of the individual; [the]
indiscriminate use of such devices in law enforcement raises grave
constitutional questions under the Fourth and Fifth Amendments." [FN10]
Computers are fast becoming a primary method of storing personal
information and transmitting private communications. Criminal enterprises have
followed legitimate businesses in utilizing computers to store records, execute
transactions, and communicate with others. Law enforcement agencies have
reacted to these developments by directing their attention toward the use of
computers in criminal enterprises and the possibility that computers may
contain evidence of illegal activity. Local and federal agencies now frequently
utilize evidence garnered from computers to build their cases and use their own
computers as offensive weapons to detect criminal activity. The government's
reaction to the information age will likely raise the most important issues of
personal privacy this country will face in the next several decades.
Searches and seizures of computers and computer data present complex
legal questions that, if resolved incorrectly, present a very real threat of
massive intrusions into civil liberties. Several instances of abuse have
already been documented. [FN11] Constitutional scholars, industry professionals, and civil libertarians have all
expressed fears that existing law fails sufficiently to safeguard our privacy.
Harvard law professor Laurence Tribe has even called for the proposal and
passage of a constitutional amendment specifically protecting the privacy of
electronic communications. [FN12]
This article discusses the statutory and constitutional provisions
protecting the privacy of stored or transmitted computer data. Part I offers a
general review of the statutory and constitutional protections currently
applied to electronically stored data, concluding that a high expectation of
privacy will attach to such data under these provisions. Part II discusses the
extent to which these existing provisions protect stand-alone computer systems,
and advocates that courts and law enforcement personnel apply the Ninth Circuit's
"intermingled documents" rule to determine the permissible scope of
searches and seizures of computers. Part II also discusses issues related to
the encryption of computer files and the return of computer equipment after its
seizure. Part III analyzes the protection offered to on-line systems and
electronic bulletin board systems ("BBSs") by the Electronic
Communications Privacy Act and by the Privacy Protection Act. Part III also
analyzes the special situation presented by computer systems that contain
political or sexual subject matter. [FN13]
Examination of the relevant statutes and case law demonstrates that adequate protection of electronic data is
possible under existing constitutional and statutory authority. The Fourth
Amendment, the Electronic Communications Privacy Act, and the Privacy
Protection Act provide a solid framework within which the privacy of electronic
data can be protected. Although only a handful of published cases deal
specifically with computer data, the few relevant cases indicate that courts
recognize the important privacy interests implicated by searches and seizures
of computer data. However, these cases resolve few of the key issues. Adequate
protection will develop only if the courts extend existing constitutional and
statutory principles with an understanding of the intangible nature of computer
storage, and an appreciation that the massive storage capacity of modern
computers creates a high risk of overbroad, wide-ranging searches and seizures.
I. CONSTITUTIONAL AND STATUTORY LIMITATIONS ON SEARCHES AND SEIZURES
The Fourth Amendment and two little-known federal statutes ensure all Americans
some protection from unwanted searches and seizures. The Fourth Amendment
remains the most robust source of general protection. One federal statute, the
Electronic Communications Privacy Act, applies explicitly to searches of
computers, while a second statute, the Privacy Protection Act, by its plain
language appears to apply to electronic bulletin boards and other on-line
computer systems. Both statutes exceed the constitutional protections of the Fourth Amendment in several ways.
Additionally, some state constitutional and statutory provisions supplement the
federal protections.
A. The Fourth Amendment and Surrounding Case Law
With the possible exception of the First Amendment, the Fourth Amendment
provides the most important constitutional protection against governmental
intrusion into personal matters. The amendment provides that: "The right
of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized." [FN14] Like other provisions of the Bill
of Rights, the Fourth Amendment "limit[s]
the power of the sovereign [state] to infringe on the liberty of the
citizen." [FN15]
The Fourth Amendment protects individuals, corporations, [FN16] and other
entities from government-sponsored monitoring of their activities. The framers
"sought to protect Americans in their beliefs, their thoughts, their
emotions and their sensations. They conferred, as against the government, the
right to be let alone--the most comprehensive of rights and the right most
valued by civilized man." [FN17] The Supreme Court has explicitly
recognized that the Fourth Amendment, with its warrant requirement and
court-supplied exclusionary rule, exists
because the self-restraint of law enforcement authorities provides an
insufficient safeguard against invasions of privacy. [FN18]
The Fourth Amendment prohibits only unreasonable government searches and seizures;
it does not apply to searches conducted by private parties unconnected with
government activities. Consequently, private searches implicate the Fourth
Amendment only when they are conducted with both the knowledge of law
enforcement authorities and with the intent to assist those authorities. [FN19] The Fourth Amendment
therefore provides no protection against the actions of private citizens who,
without the knowledge, encouragement or participation of government
authorities, monitor electronic communications or gain access to confidential
information stored on a computer. This restriction holds true even if the
private citizen later turns the information over to the government. [FN20]
The Supreme Court employs two key procedural devices to realize the protections
guaranteed by the Fourth Amendment: the warrant requirement and the
exclusionary rule. Generally, law enforcement authorities must obtain a warrant
from a neutral magistrate before searching a place in which an individual has
an objectively reasonable expectation of privacy. [FN21] The warrant must
be supported by probable cause to believe that evidence of unlawful activity
will be discovered, and must particularly describe the place to be searched and
the things to be seized. [FN22] However, the warrant requirement
admits many exceptions, most of which serve
to protect the well-being of law enforcement officers or to preserve evidence
from destruction. [FN23]
The Fourth Amendment derives much of its power from the exclusionary rule, which,
as first enunciated by the Court in 1914, [FN24] provides that if law enforcement
officials engage in an unlawful search or seizure, none of the fruits of that
search may be used in subsequent prosecutions. The tainted and inadmissible
"fruit of the poisonous tree" includes evidence seized in an unlawful
search, additional warrants obtained in reliance on such searches, and all resulting
evidence. [FN25]
Fourth Amendment inquiry ultimately centers upon whether a search or
seizure is "reasonable." This reasonableness inquiry has been further
refined into an initial two-prong test: first, does an individual have a
subjective expectation of privacy in the thing searched or seized; and second,
is society prepared to accept that expectation as objectively reasonable. [FN26] Case law reveals
general principles that help clarify the amorphous concept of a
"reasonable expectation of privacy." One line of cases holds that the
Fourth Amendment protects certain areas of individual activity more highly than
others, while another establishes that certain government activities are
considered less intrusive into personal privacy.
The cases delineating protected areas of individual activity indicate that computer
data will be entitled to a very high level of protection. The plain language of the Fourth Amendment protects
"persons, houses, papers, and effects." [FN27] Given this
language, courts universally hold that repositories of personal effects and
information enjoy the highest level of Fourth Amendment protection. [FN28] The intangible
nature of computer data does not affect the analysis, since the Court has long
recognized that the Fourth Amendment protects "intangible as well as
tangible evidence." [FN29]
Since computers are repositories of personal information, they will
enjoy strong protection under the Fourth Amendment. The variety of information
commonly stored on a computer, and the enormous and ever-expanding storage
capacity of even simple home computers, justifies the highest expectation of
privacy. As courts are beginning to discover, modern computers contain massive
quantities of data relating to all aspects of an individual's or a
corporation's activities. A typical home computer with a modest 100-megabyte
storage capacity can contain the equivalent of more than 100,000 typewritten
pages of information. This information can include business and personal
documents, financial records, address and phone lists, and electronic mail
communications. [FN30] Corporate
computer systems have even more massive capacities, which corporations and
their employees use to store a wide variety of information.
Although only a handful of reported decisions directly discuss the
expectation of privacy in computer memory, these opinions agree that stored computer memory enjoys a very high level of
constitutional protection. In three cases involving information stored
electronically in the computer memory of display-type telephone pagers, federal
courts in California, Nevada and Wisconsin stated this proposition vigorously.
In United States v. Chan, the district court stated that "the expectation
of privacy in an electronic repository for personal data is therefore analogous
to that in a personal address book or other repository for such
information," [FN31] and that "an individual has
the same expectation of privacy in a pager, computer or other electronic data
storage and retrieval device as in a closed container." [FN32]
Closed containers likely to store personal information may be searched
only when the search is authorized by a valid warrant, or when some exigent
circumstance justifies a warrantless search. [FN33] However, analogizing stored
computer memory to a closed container presents several problems. The container
model may make conceptual sense when discussing small electronic storage
devices such as pagers or electronic address books, but the analogy becomes
strained when applied to computers with larger storage capacities. For such
systems, an analogy to a massive file cabinet, or even to an entire archive or
record center, may be more appropriate.
Recently, a federal district court in New York embraced the file cabinet
analogy instead of the container analogy. In In re Subpoena Duces Tecum, [FN34] the court
quashed on the grounds of overbreadth a grand jury subpoena for a company's
hard disk. The court noted that although the disk might contain incriminating
information, the hard disk also contained highly personal files, such as a
draft of a will and personal financial information. [FN35] As discussed in
part II.C, infra, the conceptual differences between a file cabinet and a
container create an important distinction in establishing the appropriate scope
of a search. Regardless of whether courts analogize computer storage to a file
cabinet or to a container, either analogy leads to the conclusion that the
information stored on a computer enjoys strong Fourth Amendment protection.
The location of a particular computer outside of one's home does not eliminate the
high level of protection accorded to the contents of that computer. Although
repositories of personal information are most likely to be found in one's home,
cases involving the contents of office file cabinets, [FN36] luggage, [FN37] and briefcases [FN38] establish that
personal information and effects do not lose their protection merely because
they are not located within one's home.
Users of multi-user computer systems are also entitled to vigorous
Fourth Amendment protection. Although in such systems users do not own the
hardware, they nevertheless maintain an expectation of privacy in the
information stored on the system. In order to maintain a legally cognizable
expectation of privacy, an individual must
have some possessory interest in the items searched or seized. [FN39] However, a
possessory interest does not require ownership. [FN40] An individual
must generally only have some right to exclude others in order to establish the
requisite property or possessory interest. [FN41] Depending on the specific nature of
their use, renters, lessors and many types of authorized users can maintain an
expectation of privacy in the object of a search or seizure. [FN42] Based on these
existing Fourth Amendment principles, the authorized users of a computer system
should be able to maintain an expectation of privacy in data and other
information stored on the system, if they can show a property or possessory
interest in the data, and a right to exclude others from accessing that data.
The Fourth Amendment protects computers from remote access as well as from physical
invasions. Initially, courts understood the Fourth Amendment to protect
individuals only from physical invasions of their persons, effects, or homes. [FN43] However, in a
1967 decision involving electronic eavesdropping, the Court held that the
Fourth Amendment applied even where there was no physical invasion of a
constitutionally protected area. [FN44]
A computer owner or user may lose her expectation of privacy in the contents of
the computer's memory if she makes the computer generally accessible to others.
Case law establishes that if an individual disclaims an exclusory interest in
property, the individual forfeits any expectation of privacy in that property. [FN45] The property is
then subject to lawful search or seizure by government officials. [FN46] As applied to
computer networks and on-line systems, this doctrine implies that as one makes
resources of a system increasingly available to others, the expectation of
privacy one enjoys in those resources diminishes. This issue, and other issues
related to searches of networks, on-line systems, and user accounts, are
discussed in part III, infra.
In addition to losing an expectation of privacy by allowing general access to a
computer system, an individual may lose an expectation of privacy in stored,
but unprotected, information under the plain view doctrine, which holds that
evidence placed in plain view no longer carries any expectation of privacy. [FN47] Extending this principle to
computer communications implies that once someone places data or other evidence
onto a computer in a publicly-accessible manner, they lose any expectation of
privacy in the information. [FN48]
Individuals can also lose the protection of the Fourth Amendment by
disclosing information to another party. When someone voluntarily discloses
information to another party, they do so at their own risk. [FN49] The receiving
party may relay that information to law enforcement authorities without
violating the Fourth Amendment. [FN50] Additionally, the Fourth Amendment
permits the receiving party to electronically monitor or record the information disclosed, and then transfer the
resulting electronic records to law enforcement authorities. [FN51] For example, in
United States v. Meriwether, the defendant voluntarily transmitted his
telephone number and a secret numerical code to an electronic pager, hoping to
arrange a cocaine deal. [FN52] Unknown to the defendant, the Drug
Enforcement Agency had confiscated the pager after arresting its owner. In
order to arrange a cocaine transaction, the DEA called the telephone number
which had been sent by the defendant and electronically recorded within the
pager. The Sixth Circuit rejected the defendant's claim that the DEA's seizure
of the defendant's phone message stored in the pager's memory violated the
Fourth Amendment, reasoning that the defendant had "no legitimate
expectation of privacy in information he voluntarily turns over to third
parties." [FN53]
Computer users therefore transmit electronic mail and other
communications at the risk that the recipient may divulge the contents to law
enforcement authorities. A more difficult problem is whether operators of networks,
on-line systems, and electronic mail systems may monitor transmissions, and
then relay any pertinent information to the government. In the only reported
case on point, the Fourth Circuit held that the operator of a corporate
computer system was a party to computer transmissions, and therefore had the
authority to trace unauthorized computer communications. [FN54] However, the
Electronic Communications Privacy Act of 1986 ("ECPA"), [FN55] enacted several years after the Fourth
Circuit's decision, has superseded Seidlitz as applied to computer
communications affecting interstate commerce. The ECPA regulates the ability of
owners or operators of computer networks to monitor the communications of the
systems' users, prohibiting the random monitoring by service providers of the
contents of computer communications. [FN56]
If a computer is searched or seized under a valid warrant, a suspect can still
challenge the scope of the search or seizure. Two Fourth Amendment doctrines
require suppression of the fruits of a search or seizure if the scope is
impermissibly broad. First, the particularity requirement mandates that a
warrant must particularly describe the object to be searched and the things to
be seized. [FN57] Second, the
overbreadth doctrine limits the scope of a search to the specific areas and
things for which there is probable cause to search. [FN58]
The particularity requirement ensures that a "search will be carefully
tailored to its justifications, and will not take on the character of the
wide-ranging exploratory searches the Framers intended to prohibit." [FN59] For example,
search warrants that permit searches of "all records" of a business
or an individual generally lack particularity. [FN60]
Seizures of computers and large hard disks have a high potential for
becoming intrusive and impermissible "all records" searches. Given
the massive storage capacities of disks and
other modern storage media, a single disk may well contain information on a
vast array of topics. For example, officers searching a computer for a
telephone number may use the opportunity to rummage through financial records,
written correspondence, electronic mail, or other obviously personal and
irrelevant records also contained on the computer.
One recent decision recognized that a search of a large hard disk lacked
particularity. [FN61] However, other
cases indicate that individuals will have difficulty prevailing on
particularity challenges to warrants authorizing searches of computer memory.
In United States v. Hersch, a Massachusetts federal district court upheld a
seizure warrant for "all computer hardware, software, and related
equipment" since "the complex scheme under investigation required
seizure of the entire computer system in order to piece the scheme
together." [FN62] In United States
v. Reyes, the Tenth Circuit noted that business records are increasingly stored
on magnetic media, and "in the age of modern technology and commercial
availability of various forms of [storage media], the warrant could not be
expected to describe with exactitude the precise form the records might
take." [FN63] The same logic
guided the Ninth Circuit in United States v. Gomez-Soto: "Failure of the
warrant to anticipate the precise container in which the material sought might
be found is not fatal." [FN64] Although neither Reyes nor
Gomez-Soto involved computer storage devices, their logic suggests that a warrant
providing merely for the search and seizure
of "records" or "files" may be specific enough to encompass
computer storage media, even if the warrant does not specify computer
equipment.
Overbreadth is closely related to the particularity requirement. Two
district court cases indicate that defendants will have difficulty sustaining
overbreadth challenges to computer searches conducted under a warrant. In
United States v. Musson, the court permitted the seizure of fifty-four computer
diskettes under a search warrant specifying "correspondence, memoranda,
ledgers, and any records and writings of whatsoever nature" detailing
transactions of certain companies and individuals. [FN65]
An even more sweeping overbreadth decision is United States v. Sissler. [FN66] In Sissler,
officers seized nearly 500 computer disks and a personal computer while
executing a valid warrant permitting the search and seizure of "records of
drug transactions, and records identifying marijuana customers and
suppliers." [FN67] The court denied
the defendant's motion to suppress the disks as the product of an overbroad
search, reasoning that the police could search any container found on the
premises if they reasonably believed that the container held the evidence
sought pursuant to the warrant. [FN68] The Sissler court noted that
"the police were not obligated to give deference to the descriptive
labels" on the disks, and that the disks could therefore all be seized. [FN69] More
importantly, the court held that the police
were not obligated to inspect the disks or the computer at the site of the
search, since defeating passwords or other security devices on the computer
might take some time and effort, and would best be performed off-site. [FN70]
These cases indicate that defendants will encounter difficulty
succeeding on overbreadth and particularity challenges to searches of computer
memory. Taken together, Hersch, Sissler, and Musson stand for the proposition
that a warrant permitting a search of "records" permits officers to
seize and search all computers and computer storage media, regardless of what
"records" or "documents" are specified in the warrant.
These holdings allow officers to rummage through all the stored data,
regardless of what the labels or disk directories describe as the contents of
the disks. However, the recent New York federal district court opinion in In re
Subpoena Duces Tecum [FN71] takes a completely different
approach, apparently creating an important division among the courts on the
standards for evaluating potentially overbroad searches of computers.
In In re Subpoena Duces Tecum, the court quashed as overbroad a grand jury
subpoena demanding the production of computer disks, where the prosecution
conceded that the disks contained irrelevant information. The court reasoned
that the subpoena should have specified certain categories of information,
rather than merely specifying the method of storage. [FN72] According to the
opinion, there was no need to subpoena the
entire contents of the disks since a key word search could effectively separate
relevant files from irrelevant files without surrendering the entire contents
to the grand jury. [FN73]
Hersch, Sissler, Musson, and the other opinions permitting extremely
broad searches of computer storage rely on a simplistic and inappropriate
analogy between computers and closed containers. This analogy fails to
recognize that Fourth Amendment closed container law developed in the context
of searches of simple physical items stored in paper bags and suitcases, and
that these simple items differ fundamentally from the massive quantities of
intangible, digitally stored information residing on typical modern computers. [FN74] These fundamental qualitative and
quantitative differences mandate a different analysis under the Fourth
Amendment. These cases also ignore Fourth Amendment precedent that offers a
special doctrine to cover the scope of searches for intermingled documents.
This doctrine has been adopted or endorsed by courts and commentators who have
directly addressed the question of intermingled documents, and is discussed in
detail in part II.B, infra.
Once law enforcement officers lawfully seize computer data, attempts to
defeat computer passwords, encryption, and other security techniques are
permissible. Existing case law permits officers to use a variety of scientific
and technological means to examine items seized under a warrant. [FN75] Given this
principle, officers appear to be authorized to take all steps necessary to defeat computer security devices
or encryption techniques. Encrypting data may make it more difficult for
authorities to discover, locate, or understand stored information; however,
encryption does not create any additional constitutional hurdles, and a
separate warrant is not required to decrypt the information.
B. Statutory Protections
Two federal statutes protect the privacy of electronic data and communications.
Since the protection offered by these statutes exceeds that afforded by the
Fourth Amendment, a government action may be constitutionally acceptable, but
still prohibited by these statutory requirements. Conversely, an action not
expressly prohibited by statute may still be prohibited if it violates the
Constitution. Unlike the protections of the Fourth Amendment, these statutory
prohibitions also apply to individuals not acting on behalf of the government. [FN76]
1. The Electronic Communications Privacy Act of 1986 ("ECPA") [FN77]
The Electronic Communications Privacy Act of 1986 created the two most important
statutory safeguards against unwanted searches of computer communications and
data. Title I prohibits the unauthorized interception of electronic
communications. Title II prohibits unauthorized access to stored electronic communications and data.
Congress specifically targeted the ECPA at "overzealous law enforcement
agencies, industrial spies and private parties." [FN78] As a result, the
ECPA protects many types of computer systems from unauthorized searches
performed by private individuals, as well as protecting these systems from law
enforcement officers. However, case law has not yet resolved several important
interpretive questions.
a. Title I of the ECPA: Interception of Electronic Communications
Title I of the ECPA extends the federal wiretap law to prohibit the
unauthorized interception of any wire or electronic communication. [FN79] Prior to
enactment of the ECPA, the wiretap law protected only communications sent by
common carrier that could be overheard and understood by the human ear. [FN80] The new law
protects communications transmitted in inaudible, digital, or other electronic
form, and does not require that communications be transmitted via common
carrier. [FN81]
The ECPA protects transmissions of computer data under the new statutory category
of "electronic communications," [FN82] defined as those transmitted
through copper wire, coaxial cable, fiber optic cable, microwave, or radio
transmissions. [FN83] Protected
digital transmissions include the computerized transfers of video, text, audio,
[FN84] data, or "intelligence of any nature." [FN85] There is no
requirement that the communication make use of a common carrier, public
telephone line, or any other public facility. [FN86] However, the ECPA protects only
electronic communications "transmitted in whole or in part by a wire,
radio, electromagnetic, photoelectronic or photooptical system that affects
interstate or foreign commerce." [FN87]
Courts have not explored the limits of the interstate commerce
requirement under the ECPA. The communications themselves need not relate
directly to interstate commerce. [FN88] The communications must merely be
made on a system that affects interstate or foreign commerce. [FN89] Internet
communications obviously fall within this definition, even if the recipient and
sender are located in the same state. Nationwide networks, BBSs, and corporate
computer systems that are linked over state lines also unambiguously fall
within the scope of the statute. However, the definition becomes more ambiguous
when considering computer networks that do not physically cross state lines.
The legislative history of the ECPA states explicitly that "private networks
and intra-company communications systems are common today and brings them
within the protection of the statute." [FN90] The legislative history also states
that the ECPA protects the internal communications system of a corporation if
the activities of the company affect interstate commerce. [FN91] If courts accept this expression of
congressional intent, then the ECPA will
protect the computer networks of corporations, universities, and other
organizations, even if the computer system or the organization has no actual
physical presence in more than one state, provided the activities of the
organization affect interstate commerce.
If an electronic communication falls within the scope of the ECPA, law enforcement
officials or private parties can generally intercept it only with prior
judicial approval. [FN92] In order to obtain judicial
approval, the applicant must demonstrate probable cause to believe that
particular communications relating to a felony offense will be recovered
through the interception. [FN93] In addition, the applicant must
demonstrate why alternative methods of obtaining the information are
inadequate. [FN94] The ECPA imposes
strict minimization requirements on the scope and duration of the taps, which
must "be conducted in such a way as to minimize the interception of
communications not otherwise subject to interception." [FN95] Authorization is
limited to the shortest duration necessary to achieve the objective of the
interception, with a maximum duration of thirty days. [FN96] The statute
contains an emergency exception to the requirement for prior judicial approval.
[FN97] Emergency
situations must involve a danger of immediate physical harm to a person,
conspiratorial activities threatening national security, or activities
characteristic of organized crime. [FN98] It appears that a threat of
immediate danger to property cannot qualify for the emergency exception, unless it threatens national
security. [FN99]
The ECPA does not provide for the automatic suppression of electronic
communications intercepted in violation of the Act. [FN100] Although the
wiretap statute provides that unlawfully intercepted wire or oral
communications are automatically excluded from any future judicial proceedings,
the statute does not similarly automatically exclude electronic communications.
The lack of an automatic exclusionary rule under the ECPA for electronic communications
is certainly troubling; it is difficult to discern any rational justification
for the distinction between electronic communications on the one hand and oral
or wire communications on the other. However, evidence derived from electronic
communications intercepted in violation of the ECPA may still be excluded by
criminal defendants through two methods. First, many interceptions of
electronic communications which violate the ECPA will also violate the Fourth
Amendment, subjecting them to the Fourth Amendment's exclusionary rule. Second,
the ECPA does permit "such preliminary and other equitable or declaratory
relief as may be appropriate," which could include a suppression order. [FN101] The statute also
provides for civil damages, including actual or statutory damages, punitive
damages, and attorneys' fees. [FN102] However, money
damages are clearly an inadequate remedy for a criminal defendant. In cases
where the government has violated the ECPA but not the Fourth Amendment, courts
should not hesitate to suppress the illegally obtained
evidence. A failure to suppress this evidence would effectively condone the
government's illegal search or seizure of electronic communications, eviscerating
the effectiveness of the ECPA and threatening the privacy of all computer
communications.
The ECPA also makes it illegal to manufacture, assemble, possess, or sell any
device that is primarily useful for the surreptitious interception of electronic
communications; however, government agents are exempt from this provision. [FN103] Software appears
to fall within the conception of a "device" used to intercept
computer communications. [FN104] The United States may demand
forfeiture of interception devices. [FN105]
The statute protects only the contents of a communication, not the existence of a
communication. [FN106] Under this
provision, law enforcement agents can lawfully determine the identities of the
computer systems that one accesses, and can monitor the recipients and sources
of one's electronic mail, so long as the contents of the communications are not
intercepted.
The ECPA contains several limitations on its broad protections. The most important
limitations are that: (1) The operator of an electronic communications system
may monitor system communications if it suspects that the system is being
misused, or if users explicitly or implicitly consent to monitoring; (2)
Electronic communications are not protected if they are readily accessible to
the public; (3) A system operator may divulge the contents of a communication if it inadvertently discovers
incriminating information; (4) The system operator may divulge the contents of
communications intercepted in the ordinary course of business.
Providers of electronic communication services may monitor the service
when misuse is suspected. [FN107] However, service providers may not
randomly monitor transmissions unless the monitoring is performed for
mechanical or quality control purposes. [FN108] General monitoring by the system
operator of the contents of electronic mail or other private communications
therefore appears to be prohibited.
Only private communications are protected. The ECPA does not protect
electronic communications readily accessible to the general public. [FN109] Unfortunately,
the statute does not specifically define which electronic communications are
readily accessible to the general public. [FN110] As discussed in part III.A of this
article, many communications over BBSs are readily accessible to the general
public and therefore unprotected. In addition, the ECPA does not protect
electronic communications if one of the parties consents to the interception by
law enforcement officials. [FN111]
The ECPA tolerates the inadvertent discovery of incriminating information by the
operator of a computer system. When an electronic communications provider
inadvertently obtains the contents of a transmission, and the communication
appears to relate to the commission of an ongoing criminal activity, the provider may divulge the contents of the
transmission to law enforcement agencies. [FN112]
The ECPA also permits disclosure of the contents of a communication if it is
intercepted in the ordinary course of business. Communications that are
monitored by equipment provided by the service provider and used in the
ordinary course of business are not considered to have been "intercepted"
within the meaning of the ECPA. [FN113] The ordinary course of business
exception has generated substantial controversy and confusion in wiretap cases.
Application of this exception to the novel context of monitoring computers will
continue to generate controversy as disputes arise over whether a service
provider, employer, or user monitored the computer communications of others in
the ordinary course of business. [FN114]
Title I of the ECPA applies only to interceptions of transmissions. Courts have held
that when the government obtains stored transmissions and then plays them back,
no interception within the meaning of the ECPA has occurred. [FN115] Although not protected by Title I
of the ECPA, stored communications are still protected under Title II.
b. Title II of the ECPA: Stored Electronic Communications
Title II of the ECPA [FN116] protects stored electronic
communications from unauthorized access. An individual or entity violates this
portion of the ECPA by intentionally
accessing or exceeding his authorization to use an electronic communication
facility, and then obtaining, altering or preventing authorized access to a
stored electronic communication. [FN117] Thus, a violation occurs merely by
accessing an electronic communication system; the downloading of information or
alteration of files is not required. Criminal penalties include up to two years
in prison and a fine of up to $250,000. Civil penalties include injunctive
relief, actual but not punitive damages, profits made by the violator as a
result of the unauthorized access, and attorneys' fees. [FN118] In addition, an
aggrieved party might seek a suppression order as part of the "preliminary
and other equitable or declaratory relief as may be appropriate." [FN119] In establishing
a violation of the act, a plaintiff need only show an intentional mens rea on
the element of unauthorized access. The plaintiff need not demonstrate that
there was any intent to obtain or alter records. [FN120]
As with Title I of the ECPA, the plain language of Title II does not completely
resolve the question of which computer systems fall within its scope. The ECPA
does not protect stand-alone systems. Computers must qualify as an
"electronic communications system," "electronic communications
service," or "remote computing service" [FN121] to fall within
Title II. Title II defines remote computing services as those providing
computer storage or processing services to the public by means of an electronic
communications system. The definition of
"electronic communications system" includes computer facilities used
to store electronic communications. [FN122] As discussed previously,
intra-company networks, BBSs, and other on-line systems unambiguously fall
within these definitions, provided they satisfy the very broadly defined
interstate commerce requirement. [FN123]
The most important provisions of Title II prohibit private citizens from gaining
unauthorized access to stored electronic communications and enumerate specific
procedural requirements for a government entity to gain access to stored
electronic communications. Law enforcement authorities can access an electronic
communication that has been stored less than 180 days only when authorized by a
valid warrant. [FN124] If an electronic
communication is stored longer than 180 days, authorities may obtain access to
it through an administrative, grand jury, or trial subpoena, or through a court
order supported by a reasonable belief that the contents of the communication
are relevant to a law enforcement inquiry. Subpoenas and other court orders can
only be executed after giving notice to the user, although a valid warrant can
be executed without providing notice. [FN125]
Another vital provision of Title II allows a computer system's owner to
challenge the scope of the search. If a court order or warrant authorizes a
search or seizure of stored electronic communications, the provider of the
computing services may request that the court modify or quash the order. [FN126] To have the
order modified or quashed, the provider of the computing service must show that
the information or records requested are "unusually voluminous in
nature" or that compliance with the order "would cause an undue
burden" on the service provider. [FN127]
Title II also prohibits the nonconsensual disclosure to government
entities of information other than the contents of communications,
[FN128] unless compelled
by subpoena, warrant, or court order. [FN129] This provision protects information
such as the identities of the recipient and sender of a stored electronic mail
message, the length of a message, the types of services that a user utilizes,
and where a user is physically located. However, an electronic communication
service may disclose this type of information about a system user to a private
party. [FN130]
In this respect, electronic communications enjoy more protection after they are
stored than during their transmission. [FN131] While Title II prohibits electronic
communication services from disclosing information other than the contents of
stored communications to law enforcement officers, Title I permits government
authorities to determine the identity of the parties to an electronic
communication and other information aside from the contents of the
communication, if the communication is intercepted en route. [FN132]
The ECPA permits routine monitoring and maintenance by system operators. If system
operators inadvertently discover incriminating information that affects users of the system, the system
operator may take appropriate disciplinary action. [FN133] However, the
system operator may not divulge the contents of the communications to anyone. [FN134] Thus, an
employer may fire an individual based on the contents of the employee's
electronic mail messages stored on the company system, but the employer could
not then divulge the contents of those communications to law enforcement
personnel or other outsiders.
If inadvertent interception results in discovery of communications pertaining to
the commission of a crime, disclosure is permitted. [FN135] However, the
legislative history states that such evidence must relate to an
"ongoing" criminal activity. [FN136] If courts accept this legislative
history, an employer who inadvertently discovers evidence of a completed
criminal activity will not be authorized to turn the evidence over to law
enforcement officers.
A system user who is harmed by the system operator's disclosure of stored
information can maintain a cause of action against the system operator.
However, a system operator is only liable if he knowingly divulges the contents
of communications to others. [FN137] If an operator operates the system
recklessly or negligently, enabling outsiders to access the system, the
aggrieved party would only have a cause of action against the outsiders.
If a system user believes that another user is snooping into her private stored
communications, Title II permits the aggrieved user to raise a civil claim against the violator, even if the
violator is another authorized user. The statute recognizes that a
"public" system may have "private" zones, and that users of
public systems may still have private files. [FN138] Authorized users of a system
violate the ECPA by exceeding their authority and entering the private zones of
a computer system. [FN139]
2. Privacy Protection Act of 1980 ("PPA")
The Privacy Protection Act provides that:
Notwithstanding any other law, it shall be unlawful for a government
officer or employee, in connection with the investigation of a criminal offense, to search for or
seize any work product materials possessed by a person reasonably believed to
have a purpose to disseminate to the public a newspaper, book, broadcast or
other similar form of public communication. [FN140]
Congress enacted the Privacy Protection Act ("PPA") in order to lessen the chilling effect of intrusive searches on those engaged in First Amendment activities. [FN141] The PPA prevents government officials from using search warrants and other unannounced searches to probe the work product and other documentary mat