P1: c-146Everett-Church
Everett-Chruch-1 WL040/Bidgoli-Vol III-Ch-08 July 11, 2003 11:46 Char Count= 0
100 PRIVACYLAWObstruct Terrorism Act of 2001, or USA PATRIOT Act for
short.ECPA
ECPA generally prohibits providers of communications
services (e.g., Internet service providers) from disclosing
the contents of an electronic communication, whether it
is in transmission or in storage, to any person other than
the intended recipient. ECPA also contains a number of
exceptions, however, some of which include the following:
Service providers may make disclosures to law enforce-
ment if proper warrants are presented. ECPA explains
those procedures in some detail.
ECPA’s limitations only apply to services offered to the
public, not to operators of, for example, an internal cor-
porate system.
ECPA does not restrict the collection, use, or disclosure
to nongovernmental entities, of transactional information
such as email addressing and billing information.
Disclosures to private parties pursuant to subpoenas
issued by civil courts may also be permitted.
In addition, ECPA permits the government to request
“dialing and signaling” information from telephone com-
panies. Under these so-called “trap and trace” orders, law
enforcement can use devices known as “pen registers” to
capture the numbers being called and other information
about the communications, short of the actual contents of
the calls themselves. The contents of the calls can also be
gathered, but only under a separate warrant that requires
much more rigorous procedures and additional judicial
review.FISA
In cases in which information is sought about the activ-
ities of agents of foreign powers, such as terrorists or
spies, law enforcement may seek disclosure of informa-
tion relevant to an investigation through a special warrant
procedure. There are two noteworthy differences between
standard warrants and FISA warrants: First, FISA creates
a system of special “FISA courts” in which judges meet,
hear evidence, and issue warrants in total secrecy. Second,
FISA warrants are much more sweeping than normal war-
rants and are not required to meet the same evidentiary
standards as normal warrants. These differences raise sig-
nificant Constitutional questions that have been raised in
recent challenges to the activities of the FISA courts. Iron-
ically, the FISA courts themselves have not been oblivi-
ous to the questions their seemingly unchecked powers
have raised: A recently released decision of the FISA ap-
peals court—the first document ever released publicly by
the body—cited dozens of cases in which law enforce-
ment provided deceptive or outright false information to
the court in support of wiretap applications. Appealing
to the U.S. Supreme Court, the Bush administration suc-
cessfully overrode the FISA appeals court’s objections to
expanded wiretap procedures (EPIC FISA Archive, 2003).
Concerns about state-sponsored collection of data
about individuals are nothing new. Privacy watchdogs
and investigative journalists have widely publicized pro-
grams such as the FBI’s “Carnivore” (a device for inter-
cepting and recording Internet-based communications;EPIC Carnivore Archive, 2001), “Magic Lantern” (a piece
of software that can be surreptitiously installed on a
targeted computer, allowing law enforcement to capture
every keystroke; Sullivan, 2001), and the rumored inter-
national wiretapping consortium called “Echelon” (EU
Parliament, 2001).
Most recently, the U.S. Department of Defense sought
funding of an antiterrorism program called “Total In-
formation Awareness” which would have compiled elec-
tronic records on nearly every business, commercial, and
financial transaction of every U.S. citizen. The massive
database would then be analyzed in an effort to un-
cover transactions and patterns of behavior that could
be deemed suspicious. Although the Total Information
Awareness program was stripped of most of its funding
by Congress in early 2003, the Department of Defense has
vowed to keep researching the issues and technologies
needed to undertake such a program (EPIC Total Infor-
mation Awareness Archive, 2003).Business Issues Under Wiretap Laws
The wiretap activities under ECPA and FISA have until
recently been relatively limited in their effects on busi-
nesses. Aside from telephone companies and some In-
ternet service providers, few businesses were affected by
these procedures. Under recent changes to FISA made by
the USA PATRIOT Act, however, law enforcement is now
permitted to request business records from nearly any
business to assist it in foreign intelligence and interna-
tional terrorism investigations.
Previously, FISA only allowed law enforcement to re-
quest business records from certain categories of busi-
nesses, such as common carriers, hotels, and car rental
facilities. Under the new rules, subpoenas can be is-
sued without limit to particular categories, including
banks, retailers, and any other entity within the govern-
ment’s reach. The USA PATRIOT Act also expanded the
search and seizure from merely “records” to “any tangi-
ble things,” such as computer servers.
The pen register and trap–trace provisions of ECPA
have been expanded under the USA PATRIOT Act to add
“routing” and “addressing” to the phrase “dialing and sig-
naling,” making it clear that these activities now include
Internet traffic, not just telephone calls. The act does spec-
ify that the information retrieved through this process
“shall not include the contents of any communication.”
There will undoubtedly be significant litigation in coming
years to define where the dividing line falls between “con-
tent” and “addressing.” For example, entering a search
term or phrase into a search engine may cause the con-
tent of that search to be embedded in the address of the
Web page on which the results are displayed.PRIVACY ISSUES FOR BUSINESSES
In a widely published 2000 survey of more than 2,000 U.S.
corporations, the American Management Association
(AMA) discovered that 54% of companies monitor their
employees’ use of the Internet, and 38% monitor their
employees’ e-mail. In a follow-up survey in 2001, the
percentage of companies doing Internet monitoring