Skip to main content
Compliance

Electronic Communications Privacy Act

I. PURPOSE

The purpose of the Electronic Communications Privacy Act (ECPA) is to protect the privacy of wire, oral, and electronic communications while in transmission and when stored on computers.

II. HISTORY

The ECPA was passed in 1986, and included both amendments to the previous Wiretap Act and the creation of the Stored Communications Act and the Pen Register Act. The ECPA was created to expand federal restrictions on wiretapping and electronic eavesdropping.

The ECPA was heavily modified by the Communications Assistance to Law Enforcement Act (CALEA) in 1994 to allow law enforcement agencies the ability to conduct electronic surveillance. The ECPA was also significantly amended in 2001 and again in 2006 by the USA PATRIOT Act, which was created to increase protection against domestic terrorism in response to the 9/11 attacks. Significant changes were also made by the enactment of the Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA) in 2008 to allows electronic surveillance for the collection of foreign intelligence information.

III. APPLICABILITY TO BYU–Hawaii

Because BYU–Hawaii provides electronic and wire communications services and stores records of such communications, it would be deemed a “communications provider,” and as such is subject to the provisions of the ECPA and responsible for protecting the privacy of covered communications. These services include email and telephone service, as well as electronic transfer of funds, all of which BYU–Hawaii provides. Additionally, to the extent that University Police engage on the interception of oral, wire, or electronic communication for law enforcement purposes, they also would be subject to the ECPA.

IV. REQUIREMENTS

The following are the requirements outlined in the ECPA for the Wiretap Act, the Stored Communications Act, and the Pen Register Act.

A. Wiretap Act

1. Interception and Disclosure of Communications

Under the Wiretap Act, it is unlawful for any person to intentionally intercept any wire, oral, or electronic communication, unless otherwise authorized by law, including the exceptions set forth below. This prohibition also applies when procuring another person to engage in such interception, and using any electronic, mechanical, or other device to intercept oral communication. It is also unlawful to intentionally disclose or attempt to disclose any wire, oral, or electronic communication while knowing that the information was obtained illegally.

Communications providers must not intentionally divulge the contents of any such communication to anyone other than the intended recipient. However, a person or entity may divulge the contents of such communication under the following conditions:

1. with lawful consent from any intended recipient or the originator;
2. to an employed or authorized person for the task of forwarding the communication to its destination; or
3. if the communication was inadvertently obtained by the service provider and appears to pertain to the commission of a crime.

It is not unlawful for switchboard operators or officers, employees, or agents of a communications provider to intercept, disclose, or use communication in the normal course of employment.

Communications providers may provide information, facilities, or technical assistance to persons legally authorized to intercept communications or conduct electronic surveillance. However, the communications provider must be provided with a court order directing such action or a certification in writing that no warrant or court order is required by law and all statutory requirements have been met.

It is not unlawful to intercept communications if the person is the sender or receiver, or one of them has given consent prior to interception, unless such interception is done with the intent to commit a crime.

It is not unlawful to intercept communications that are made available to the general public. It is also not unlawful to intercept an unencrypted satellite transmission if it is being transmitted to a broadcasting stations for retransmission to the general public. However, interception of satellites transmission is considered unlawful if it is for “direct commercial advantage or private financial gain.”

2. Communication Interception Devices

The Wiretap Act prohibits manufacturing, assembling, distributing, possessing, or advertising any device whose primary purpose is the clandestine interception of wire, oral, or electronic communications, unless otherwise authorized by law. For example, as an exception to this prohibition, communications providers or any persons under contract with a provider may mail or transport devices primarily used for the purpose of surreptitious interception of communications during the normal course of business.

3. Disclosure and Use of Intercepted Communications

Investigative or law enforcement officers that learns of the contents of any wire, oral, or electronic communication, or evidence derived from such, are permitted to disclose the contents to other officers as long as such disclosure is appropriate to the performance of official duties of all officers involved. Officers ma also use such contents to the extent of what is “appropriate in the proper performance of official duties.”

Any investigative or law enforcement officer that obtains knowledge of the contents of a communication that includes foreign intelligence or counterintelligence may disclose such contents to any other federal law enforcement, intelligence, protective, immigrations, national defense, or national security official. They may also disclose the contents of a communication that reveals a threat of “actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power” to any appropriate federal, state, local, or foreign government official.

Investigative or law enforcement officers may submit an application to an authorized judge to receive permission to intercept communication.

B. Stored Communications Act

Under the Stored Communications Act (SCA), it is unlawful to intentionally gain unauthorized access to a facility where electronic communication service is provided and obtain, alter, or prevent authorized access to stored wire or electronic communication, unless otherwise authorized by law, including the exceptions set forth below.

1. Disclosure of Customer Records

Communications providers must not knowingly divulge the contents of any communications stored by that service. Providers of “remote computer services” to the public must not knowingly divulge the contents of any communications that are carried or stored by that service on behalf of a subscriber or customer. Communications providers must not knowingly divulge records or other information concerning subscribers or customers of the service to any governmental entity.

2. Required Disclosure of Customer Communications or Records

Communications providers may be required to disclose the contents of a wire or electronic communication to a governmental entity only in accordance with a warrant or through the “procedures described in the Federal rules of Criminal Procedure.” A governmental entity may require a disclosure without required notice to the subscriber or customer if such action is

1. in accordance with a lawfully obtained warrant; or
2. performed with prior notice to the customer or subscriber if the governmental entity uses
a) “an administrative subpoena authorized by a Federal or State statute; or
b) “a Federal or State grand jury or trial subpoena” or a court order for such disclosure.

All communications providers (including those that provide remote computing services) may be required to disclose records or other customer or subscriber information only when the governmental entity

1. obtains a warrant;
2. obtains a court order;
3. has consent from the subscriber or customer; or
4. submits a formal written request in relation to a law enforcement investigation regarding telemarketing fraud.

Governmental entities may request the following user information from providers of electronic communication or remote computing services when using “an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena”:

1. name;
2. address;
3. “local and long distance telephone connection records, or records of session times and durations”;
4. start date of service, length of service, and types of service used;
5. “telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address”; and
6. method of payment for service (including any credit card or bank account numbers).

A governmental entity that receives records or information through these methods are not required to give notice to customers or subscribers.

Communications providers, upon request of a governmental entity, must “take all necessary steps to preserve records and other evidence in [their] possession pending the issuance of a court order.” In such a case, records must be retained for a ninety-day period, which may be extended to an additional ninety-day period by renewed request.

Service providers may be required to create a backup copy of the contents of electronic communications for preservation if requested by a governmental entity with a subpoena or court order.

3. Exceptions

Communications providers may divulge the contents of a communication

1. to the intended recipient or an agent of the intended recipient of such communication;
2. with lawful consent form the creator or intended recipient of such communication, or the subscriber;
3. to an employee or person otherwise authorized, or a person whose facilities are used to send such communications to their destinations;
4. as may be necessary to the normal operation of the service, or to protect the rights or property of the service provider;
5. to the National Center for Missing and Exploited Children in connection to a lawfully submitted report;
6. to a law enforcement agency if the contents were inadvertently obtained by the service provider, or if the contents contain information regarding the commission of a crime; or
7. to a government entity, if the provider believes the communication pertains to an emergency involving danger or death or serious physical injury to any person, and the event requires that the communications must be immediately disclosed.

Providers of electronic communication or remote computing services may divulge records or other information pertaining to subscribers or customers of such service

1. with lawful consent from the customer or subscriber;
2. as may be necessary to the normal operation of the service, or to protect the rights or property of the service provider;
3. to a government entity, if the provider believes the communication pertains to an emergency involving danger, death, serious physical injury to any person, and the event requires that the communication must be immediately disclosed;
4. to the National Center for Missing and Exploited Children in connection to a lawfully submitted report; or
5. “to any person other than a governmental entity.”

C. Pen Register Act

Under the Pen Register act, it is unlawful for any person to install or use a pen register or a trap and trace device without a court order, unless otherwise authorized by law, including the exceptions set forth below. Providers of wire or electronic communication services, landlords, custodians, or other
persons must submit to any request from an authorized government attorney or officer of a law enforcement agency to install and use a pen register or a trap and trace device.

It is not unlawful for a provider of electronic or wire communications services to install or use a pen register or a trap and trace device if:

1. the action is in relation to the “operation, maintenance, and testing of a wire or electronic communication service,” or the protection of the property or rights of the provider, or the protection of users from abuse of service or unlawful use of service; or

2. “to record the fact that a wire or electronic communication was initiated or completed” in order to protect the provider, “another provider furnishing service toward the completion of the wire communication,” or a user from fraudulent, unlawful, or abusive use of service; or

3. the provider has obtained consent from the user.

V. PENALTIES

Violations of the Wiretap Act may result in a fine, or up to five years of imprisonment, or both.

Violations of the Stored Communications Act committed for “commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act” will result in a fine and imprisonment for up to five years but not more than ten, or both. Violations in any other case will result in a fine or imprisonment for up to one year or both.

Anyone who knowingly violates the Pen Register Act will be fined and imprisoned for up to one year, or both.