by Steven Robinson
This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems and the role of information security professionals in the creation of trade secret interests. In this installment, we will look at the legal framework for security of an enterprise's working environment from the perspective of information security professionals, with particular emphasis on the protection of communications.
Of course, protecting communications necessarily depends on the security of the systems used to transmit and store them. Drawing a rigid line between protecting systems and protecting communications might not always be useful or possible. That said, for our discussion, treating the protection of communications separately from the protection of systems illustrates how the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"), and the Electronic Communications Protection Act, 18 U.S.C. §§ 2510-22 and §§ 2701-12 (the "ECPA"), two critically important federal information security statutes, work together.
As discussed in the first article in this series, the primary thrust of the CFAA, with respect to private sector systems, is to prohibit access to protected computers without authorization or exceeding authorization, whether to obtain something of value or to damage systems or data. The primary concern of the ECPA is related, but distinct. The ECPA prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications. In a situation in which a bad actor hacks into a corporate network and obtains access to sensitive email, the CFAA and the ECPA are both violated. But having discussed the CFAA in Article 1, our discussion of the legal framework for protecting communications will focus on the ECPA.
Understanding the organization of the ECPA is a real help in understanding how the act works. The ECPA has two major parts: Title I - The Wiretap Act, 18 U.S.C. §§ 2510-22 (the "Wiretap Act"); and Title II, the Stored Communications Act, 18 U.S.C. §§ 2701-12. (the "Stored Communications Act"). The Wiretap Act was a pre-existing statute that, prior to the passage of the ECPA, protected communications mediated by a "wire, cable or other like connection" from unauthorized and unjustified interception and disclosure. In theory, the ECPA amended the Wiretap Act to extend those protections to electronic communications. As we will see below, there is reason to question how fully the ECPA accomplished that goal. The second part of the ECPA, the Stored Communications Act, 18 U.S.C. §§ 2701-12, was a new enactment that protects communications stored in electronic communications facilities from unauthorized and unjustified access or disclosure. We will look at the Wiretap Act and the Stored Communications Act in turn.
The Wiretap Act.
Of course, certain interceptions of wire, oral or electronic communications serve legitimate, beneficial purposes. To ensure that such interceptions could occur without causing exposure to liability, the Wiretap Act makes a number of exceptions to the prohibitions listed above. The Wiretap Act imposes no liability for: (a) interceptions by service providers acting within ordinary scope of their business, as a necessary incident to either: (i) rendering its services; or (ii) protecting the service provider's rights or property; (b) interceptions authorized by court order or other lawful authority; (c) interceptions made by a party to the communication; (d) interceptions made with the consent of one party to the communication; and (e) interceptions of a computer trespasser's communications made to, through, or from a protected computer if the owner authorized interception, interception is part of an investigation, and the contents of communications are reasonably believed to be relevant to the investigation.
The Wiretap Act imposes civil and criminal liability for unauthorized and unjustified interceptions. Civil litigants may obtain injunctive or declaratory relief, and may be awarded damages, including punitive damages, as well as reasonable attorney's fees and litigation costs. Statutory damages of at least $10,000 may be awarded.
At first inspection, the Wiretap Act appears to provide reasonably comprehensive protection against the unauthorized and unjustified interception of electronic communications of all kinds, while allowing for beneficial and useful interceptions conducted under appropriate circumstances. That said, there is an important aspect of the application of the Wiretap Act to electronic communications that deserves particular attention from security professionals.
The Wiretap Act's definition of "electronic communication" does not refer to electronic communications in storage. But the definition of wire communications in the ECPA as it was originally passed, expressly included "any electronic storage of such [wire] communication." By including storage of wire communications while remaining silent about storage of electronic communications, Congress created a question of statutory interpretation as to whether "interception" meant the same thing with regard to wire communications and electronic communications. The language of the Wiretap Act clearly imposed liability for the interception of a wire communication in storage, after transmission was complete. It was not clear, from the statutory language, whether the Wiretap Act applied to electronic communications in storage.
Konop v. Hawaiian Airlines, Inc., 302 F. 3d 868 (9th Cir., 2002), addresses this issue. Konop involved a secure Web site created and maintained by Robert Konop as a forum for content critical of his employer, Hawaiian Airlines, and his union. Access to the Web site was by password, which Konop's fellow union members received when they registered for access to Konop's site. Registration involved entering into Konop's user agreement, which prohibited users from either allowing the airline's management to view the Web site or disclosing the Web site's content. An airline vice president, concerned that some of the content of Konop's site was inaccurate and possible defamatory, obtained access to the Web site and accessed its content approximately twenty times over a five month period, using the names of two other pilots, both of whom permitted management to sign on to Konop's site in their names. Konop sued, alleging among other things that the Airline's actions constituted a violation of the Wiretap Act.
The parties agreed that the Web site was an "electronic communication" as defined by the ECPA. The question of the airline's liability under the Wiretap Act turned on whether its actions constituted "intercept[ion]" of that electronic communication, and so the pivotal issue came down to how "intercept" was to be defined with respect to electronic communications. The question came down, in the court's language, to whether a "broad" or "narrow" definition was correct. The narrow definition of "intercept" is "acquisition contemporaneous with transmission," basically the definition straight out of the dictionary. The broad definition is acquisition contemporaneous with or after transmission. In deciding that the narrow definition of "intercept" was the appropriate one to use with respect to electronic communications, the Court analyzed the differences in the treatment of wire and electronic communications under the Wiretap Act as follows:
Using the narrow definition of 'intercept' with electronic communications means that the Wiretap Act only protects electronic communications from interception during transmission, not in storage. Because the airline's vice president viewed Konop's Web site from a stored copy on the host server, not contemporaneously with Konop transmission of the site's content, the unauthorized viewing of Konop's Web site did not constitute 'intercept[ion]' in violation of the Wiretap Act.
As an exercise in statutory interpretation, this result has considerable support. From a practical standpoint, however, this result was unexpected, because the underlying technology of electronic communications depends on storage. Transmission of email or Web site contents involves intermediate servers between the source of the communication and its recipient. Each server along the route between the initiator of the communication and its recipient receives the communication from the previous server, and stores it, pending transmission to the next server in the chain. The final server delivers the communication to the recipient. Transmission takes places essentially instantaneously. Consequently, electronic communications are in storage at essentially all times other than during the instant required for transmission. In the case of email, storage continues indefinitely, until the recipient retrieves the message. If 'intercept[ion]' can only occur during transmission, the Wiretap Act's application to electronic communications is significantly restricted. It is hard to understand why Congress would decide to amend the Wiretap Act so that it would apply to electronic communications on the one hand, but do so adopting a definition for electronic communications that resulted in no protection for them when they are in storage, as they exist nearly all of the time. The Konop court commented on this issue as follows:
The lesson from Konop, which may well come as a surprise to information security professionals, is that in the Ninth Circuit and other jurisdictions that have decided the issue the same way, the application of the Wiretap Act to electronic communications will be limited to interceptions that take place contemporaneously with transmission.
State law that governs the interception of electronic communications where your enterprise operates may supplement the Wiretap Act's protections. The variations between the laws of various states' in this area include variations in the standard for consent. Some states permit only one party to authorize interception of a communication, others require that both parties consent. The only way to be sure what law applies to your enterprise is to consult your counsel.
The Stored Communications Act
The Stored Communications Act, 18 U.S.C. §§ 2701-12, protects stored communications from being accessed and disclosed without authorization. More specifically, the Stored Communications Act imposes civil and criminal for the intentional, unauthorized access to an electronic communication service facility to obtain, alter, or prevent authorized access to, a stored wire or electronic communication. Access to communications authorized by: (a) wire or electronic communications service providers; (b) users of communication services, with respect to communications intended for them; or (c) the provisions of the ECPA that permit lawful access by government entities are expressly exempted.
With regard to disclosure of communications, the Stored Communications Act prohibits providers of electronic communication or remote computing services from knowingly divulging the contents of a communication in electronic storage by such a service. Exceptions to this prohibitions are provided for divulging contents of stored communications: (a) to intended recipients and their agents; (b) with the consent of the originator or the recipient of the communication, and in the case of remote computing services, the subscriber to the service; (c) to authorized parties or to facilities that forward the communication to its destination; (d) as necessarily incident to providing a service or to protecting the rights or property of the service provider; and (e) to a law enforcement agency, if the communication was inadvertently obtained and appear to be pertain to criminal activity; and (f) as otherwise authorized by law.
Violations of the Stored Communications Act are subject to civil and criminal liability. In general, penalties under the Stored Communications Act are less severe than under the Wiretap Act.
Consent under the ECPA
It may seem obvious that a party to a communication ought to be able to authorize the interception of that communication or access to it in storage, and the ECPA so provides. However, information security professionals should be aware of how this language has been interpreted in one context that is of particular concern.
In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001), involved the question of whether the Web advertising service run by DoubleClick, Inc. ("DoubleClick") violated both the Wiretap Act and the Stored Communications Act, and involved, among many other points, the interpretation of the ECPA's consent provisions.
DoubleClick's service places banner ads for advertisers' Web sites in front of users who meet each advertiser's demographic requirements. To provide this service, DoubleClick gathered information on user behavior using a cookie, a file stored on users' hard drives. The cookie was installed when a user first visited sites operated by a DoubleClick customer, any of more than 1,500 sites that collectively made up the 'DoubleClick Network,' or two sites run by DoubleClick through which it collected user data. These cookies were updated thereafter to reflect users' subsequent visits to any of those sites. The information acquired using these cookies was used by DoubleClick to create a user profile associated with each cookie. The profile was then used to select banner ads that each profiled user would see whenever they viewed a DoubleClick customer's Web site. All the communications in question were between individual users and DoubleClick customers' sites or sites that were part of the DoubleClick Network (collectively, the "DoubleClick Affiliated Sites").
The plaintiffs, a group of users who had been profiled by DoubleClick, sued, claiming that by placing cookies on their hard drives and gathering information about them, DoubleClick had violated: (a) the Stored Communications Act, on the theory that it had accessed each plaintiff's hard drive without authorization, and obtained unauthorized access to stored electronic communications on each plaintiff's personal computer; and (b) the Wiretap Act, on the theory that DoubleClick had intercepted the plaintiffs' communications without authorization.
DoubleClick took the position that its access to the communications between the plaintiffs and Web sites had been authorized, not by the individual plaintiffs, whose hard drives stored the cookies in question, but by the DoubleClick Affiliated Sites with which the plaintiffs had communicated. The court agreed, reasoning that the individual submissions of information by the plaintiffs were intended for DoubleClick Affiliated Sites, and that the language of 18 U.S.C. § 2701(c)(2) permitted those sites, as the parties for whom the plaintiffs' communications were intended, to consent to DoubleClick's access to the communications between those sites and the individual plaintiffs. Given that the same Web sites' had given prior consent to DoubleClick to intercept communications between these sites and individual plaintiffs, the court rejected the plaintiffs' Wiretap Act claim, relying on 18 U.S.C. § 2511(2)(d). Since DoubleClick was decided, the same rationale has been utilized to defeat Wiretap Act and Stored Communications Act claims arising from the use of Web monitoring service that used cookies and Web bugs to track individual's browser activity.
These cases are a warning that the ECPA provides enterprises with less protection for their electronic communications than one might otherwise expect on a first reading of the statutory language. As interpreted in DoubleClick and Pharmatrak, the ECPA permits strangers to an enterprise to monitor its electronic communications as long as the other party to those communications consents. The same result seems quite possible under state laws that permit communications to be monitored with the consent of only one party to that communication.
Understanding the protections and limitations of the ECPA is an important aspect of securing the enterprise's working environment, but that task also encompasses topics related to, but generally considered distinct from information security, such as confidentiality and non-disclosure agreements, monitoring of employee communications, a function contemplated by the ECPA and when appropriately conducted, excepted from liability , and laws and regulations related to the protection of personal data. Balancing these factors to achieve the appropriate level of security for each enterprise in a manner that is respectful of its legal, technological and business requirements is far easier when decision makers have the benefit of the input from information security professionals, business people and legal counsel.
This second article of SecurityFocus's four-part series on U.S. Information Security Law concludes the discussion of basic provisions of information security law that relate to the protection of private sectors systems and communications. Part three will begin the discussion of information security in the public sector, with a look at the criminal law aspects of information security.
 Under the Wiretap Act, 'electronic communication' [means] any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include - (A) any wire or oral communication [defined as aural communications in the statute];(B) any communication made through a tone-only paging device; (C) any communication from a tracking device [as defined]; or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds. 18 U.S.C. § 2510 (12).
18 U.S.C. § 2511(1)(a)("[A]ny person who- (a) "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication" ...shall be punished ... or shall be subject to suit.").
18 U.S.C. § 2511(1)(b)("[A]ny person who- (b) "intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication when - (i) such device is affixed to, or otherwise transmits a signal through, a wire, cable, or other like connection used in wire communication; or (ii) such device transmits communications by radio, or interferes with the transmission of such communication; or (iii) such person knows, or has reason to know, that such device or any component thereof has been sent through the mail or transported in interstate or foreign commerce; or (iv) such use or endeavor to use (A) takes place on the premises of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or (B) obtains or is for the purpose of obtaining information relating to the operations of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or (v) such person acts in the District of Columbia, the Commonwealth of Puerto Rico, or any territory or possession of the United States" ...shall be punished ... or shall be subject to suit.").
18 U.S.C. § 2511(1)(c)("[A]ny person who- (c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection shall be punished ... or shall be subject to suit.").
 18 U.S.C. § 2511(1)(d)("[A]ny person who- (d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection shall be punished ... or shall be subject to suit.").
18 U.S.C. § 2511(1)(e) ("[A]ny person who- ("(e)(i) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, intercepted by means authorized ...[in] this chapter, (ii) knowing or having reason to know that the information was obtained through the interception of such a communication in connection with a criminal investigation, (iii) having obtained or received the information in connection with a criminal investigation, and (iv) with intent to improperly obstruct, impede, or interfere with a duly authorized criminal investigation, shall be punished ... or shall be subject to suit.").
 18 U.S.C. § 2511(2).
 18 U.S.C. § 2520.
 See Note 1, supra.
 Under the Wiretap Act as amended by the ECPA, ''wire communication'' means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce and such term includes any electronic storage of such communication. 18 U.S.C. § 2510 (1)(emphasis supplied). Section 209 of the USA Patriot Act deleted communications in electronic storage from the ECPA's definition of wire communications.
 Konop, 302 F.3d 877-78 (citations omitted).
 Id. at 878, n.6.
 18 U.S.C. §§ 2701 (a) & (c).
18 U.S.C.§ 2701 (b).
 18 U.S.C.§ 2511(2)(d)("It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication "where one of the parties to the communication has given prior consent to such interception.")(the "Wiretap Act"); 18 U.S.C.§ 2701 (c)(2)("This section [imposing liability for unauthorized access to stored communications] does not apply with respect to conduct authorized by a user of that [wire or electronic communications] service with respect to a communication of or intended for that user.")(the "Stored Communications Act").
 DoubleClick, 154 F.Supp.2d at 510-11; See footnote 15, supra.
 Id. at 515; See footnote 15, supra.
 In re Pharmatrak, Inc. Privacy Litigation, 220 F. Supp.2d 4, 6, 11-13 (D. Ma. 2002).
 18 U.S.C. §§ 2511 (a), (c), and (d).
 The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 (1999); The Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 103 (1996); The Children's Online Privacy Protection Act, 15 U.S.C. § 6501 (1998); and regulations promulgated thereunder. In addition state laws, and regulations promulgated thereunder, may provide protection for personal data where your enterprise operates.
U.S. Information Security Law, Part One
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.