Kroll agents accused of spying, illegally, on business men in Brazil

FT.com / WorldHow far can you go in corporate investigations and surveillance? Walking th fine line between agrressive business intelligence and illegal activities.

Kids agree to stop sending pop-ups

PalmBeachPost.com: News from The Associated PressFTC settles case against two college students who developed pop-up technologies.

Many of us hope that this will be only the beginning of the FTC's actions in the area of spyware, adware and pop-ups.

Parry

Judge in Kobe Bryant Case Apologizes for Mistakes- how can we build in security protections against mistakes?

FindLaw Legal News - Judge in Kobe Bryant Case Apologizes for MistakesSo many privacy breaches are the result of mistakes. It's easy to push a button, or attach the wrong document to an e-mail. (In sending an invitation to one Senator for our new marvel comic online safety initiative, I mistakenly attached one addressed to a different senator. :-()

But when courts are involved, the costs can be even higher.

what kind of security protections do we need to implement to make sure that the wrong document isn't broadcast? Shouldn't we at least have two people check it over? or the approved documents kept in a different location?
Perhaps encrypt everything and unlock those that can be released with a special key?

we need to address these issues, sooner rather than later.
Parry

Right of goverment employers ot search workplace of employee

News-Leader.com | News | Illegal seizure claim refused in porn caseThe issue about whether a governmental employer is restricited by the 4th amendment search and seiizure rules and must obtain a warrant before searching their own workplace was resolved in favor of the employer. Different rules apply to employers than to investigative agencies.

This is a good decision that distinguishes the different roles of a public entity, as employer (to its employees) and as governmental agency (to all others).

It should help guide many employment-related surveillance issues when a public employer is involved.

Parry

Controversy Swirls Around Use of Cameras to Monitor Nursing Home Care

Controversy Swirls Around Use of Cameras to Monitor Nursing Home CareWhile videotaping is covered by wiretapping laws in most jurisdictions, many states are carving out expcetions for residents and families of residents of nursing homes. Designed to stop abuse and neglect by letting families know what happens when they aren't around, these are called "granny cams."

This is an interesting area to watch over the next few years.

Parry

Protect Your Privacy: Identity Theft Insurance

Protect Your Privacy: Identity Theft InsuranceInteresting. I'll look into this further for my column at Information Week.

Daily Yomiuri On-Line - new regulations may require websites to remove personal information at government's request in Japan

Daily Yomiuri On-Line

Becoming good information consumers...knowing what to believe online. (From The Parent's Guide to Protecting Your Children in Cyberspace, McGraw-Hill

(While this is very helpful to parents and teachers for children, it is just as helpful in assisting adults in knowing who and what to believe online.)

Resource Credibility: Teaching Our Children Critical Thinking and Media Literacy Skills

It costs thousands of dollars to publish a book. Cable and television programming costs even more. Magazines carefully check facts and universities use peer-review methods to make sure that what is published is accurate and credible. But anyone can publish a website, in a few hours, and say anything they want—often without a credible basis for it. (I often claim online to be tall, thin, blonde, and gorgeous. But no one ever said wishful thinking wasn’t allowed online.)

My dress size aside, how can anyone know when they have a real and credible site or just someone’s puffery? It’s not easy. Online there is no stamp of approval for quality control. A site published by an anti-Semitic group that claims the Holocaust never occurred may look as real and sound as reliable as a scholarly university dissertation. And when our children come across it, it might become the research source for their term paper on World War II.

Schools are facing this issue frequently these days. So teaching children how to evaluate the credibility of a site is an important part of using the Internet in connection with schoolwork. Essentially, it’s teaching them to be good information consumers. And, while it is exciting to find the one resource that says something none other say, perhaps there is a reason for that. Perhaps the one website that tells you something very different from the others isn't new and exciting, it may just be wrong, misleading and designed that way.

Whenever we find a website, we should think about the purpose of the site. Is it designed to sell something? If it’s designed by anyone who sells anything, you have to assume that it’s designed to at least indirectly promote its products or services. Any site that is designed to sell something should be approached as critically as any offline promotion or advertisement.

Once we understand the site’s point of view, we can evaluate what they are saying more effectively. Our children already know, at a young age, the candy bars or hamburgers that are smaller than they appear on television, or the toys that are constructed poorly, or the computer game systems that need optional equipment at additional cost in order to do what is promised. One of the first legal rules our children learn is caveat emptor—buyer beware. Teaching them to use critical judgment when reviewing a website is easy. The information gathered from a website should be accurate and current. And if there is a bias, the website’s bias should be obvious, and the authority of its writers should be set forth.

Here are a few things children should be checking when they visit a site to conduct research:

• 
  Who’s the author or website creator, and what’s their authority? Is it written by Nobel Peace Prize Award winners, or by Joe Crackpot? While many won’t tell you that they are unqualified to make the statements they make at the site, they leave clues. Our children should look first to the credentials offered at the site for the site authors. If the person states that he is a professor at Outer Siberia University, you should check for links to the university. Has the person listed awards? If so, are there links to the entities that gave the awards so you can check? Is this person a published author? If so, does Amazon.com, Barnes & Noble, or Borders have his book listed online? Search for other sites that reference this person. Not every one is an award-winning professor and published author, but most good sources are cited elsewhere online.
  
  What’s the bias of the site? Whose points of view aren’t covered? Bias isn’t necessarily bad, as long as it is clear to the site viewer. Remember that everyone has their bias, but some are more significant than others. Is this a site that performs “unbiased” reviews of advertisers? If so, have they disclosed that fact to the readers? Are they a nonprofit entity with a particular mission or purpose? Where was the site created? Is it from an international group that might have a country or culture bias? Is it a U.S. site which might have a U.S. bias? Often, you can detect bias by reading closely. The good sites will identify their mission. Think about who is creating the content, whose points of view are included, and whose are excluded. Students should try to achieve balance by including different biases and points of view when they do their research.
  
  How current is this information? Does the page have a “last updated” date notation? Many of the sites I researched for this book, including many on finding credible resources, were last updated in 1996. When I reviewed their content, I took that into consideration. Certain things don’t change, such as how to judge credentials, but other things, like branded and approved site lists and what schools are doing, have changed radically. The site I looked to for current information was updated a few months earlier, and gave that date on the front page. If the site doesn’t contain a “last updated” date, look to see if there’s a “recent additions” or “what’s new” section of the site, and see how often it is changed. You want to make sure the content is updated often, since it tells you two things: that the site gets regular attention, and that it contains recent information. A good site is updated regularly, preferably at least once monthly, and, with news and hot topical sites, more often than that. If you can’t tell when a site was last updated, send an e-mail to the webmaster at “webmaster@[the name of the site].” Ask how often the site is updated and the date it was last updated.
  
  Is the information stable and consistent? Is the information consistent within the site? Does everything match the theme of the site and this information? Are they proposing censorship on one page and free speech on another? (I’m not talking about CNN’s site, where they seek to present alternate and opposing views.) Is this the only site that espouses this viewpoint, or is there other support for this position? Have you compared it with related resources? Often, a site that appears too good to be true is too good to be true. Most good sites, with well-supported positions, will have support from other sites.
  
  What have they linked to? Do the links work? Do they link to credible sites, and do credible sites link to them? Are the links correctly described? Are they current? Who else links to them? Again, is the link information updated and accurate, or do the links not work anymore?

The school and public librarians are the real experts in judging credibility of resources. That’s what they do when they select resource and reference books. Talk to them about how they are teaching your children to exercise informed information judgment. They are helping build your children’s information literacy skills.

Don't Believe Everything Your Read Online...Using The Filter Between Your Ears

The “Filter” Between Your Ears

I often use this phrase to explain how important it is to teach children how to make good decisions about who and what to believe in cyberspace. I saw this as a filter to misinformation and hype our children are exposed to online. Recently, though, I realized that it is just as (and perhaps more) applicable to adults online. Too many people act out online in ways they would never dream of doing offline. Never having to look someone in the eye makes it easier to act-out with hostile, rude and outrageous behavior. In this case, it is also an outgoing filter.

Truth, in too many cases, has no value to many people online. They sell counterfeit goods on eBay, or steal your identity, or stalk or harass you, posting lies and misrepresenting the truth. They lead their lives by press releases or posts on their websites. And it often works very effectively to meet their hidden (and sometimes not so hidden) agendas.

Unfortunately, in cyberspace what appears in writing, if broadly circulated, becomes reality. If a statement appears on a well-designed website, it takes on a life of its own, and people believe it blindly. So, perhaps we also need to help adults use the same incoming “filter between their ears” to determine credibility of online communications and information that we as children to use. And perhaps this filter is even more important to adults who don’t have Net Nanny installed by their parents to help weed-out the crap. It’s up to us to weed out this stuff, and that requires that we think, and listen and be realistic. Something as simple as “not believing everything they read online” seems to escape many people. And they fall prey to cybercriminals, cyberabuse and manipulation.

We need something to help people think about what they do and say online, about their online behavior and netiquette. Something that causes them to pause before spilling more hate and hype onto our cyber-roadways. Like the monstrous oil spills that kill fragile wildlife in the Alaskan sounds, hate, misinformation and hype kills fragile and positive life in cyberspace. And is at least as hard to clean-up and defend against.

What is it about the Internet and cyber-communications that makes it so easy to misbehave? Is it the false sense of anonymity? (Few communications online are really anonymous. In most cases, either through sophisticated technology or legal process you can find the person behind the post.) Is it the ease of lashing out with whatever you are thinking at that moment? Is the id in online communication that much stronger than our cyber-superego? I frequently liken our online behavior to what we would do if truly invisible. Would we steal from others? Walk into a bank and help ourselves to crisp $100 bills? Or hideout in a dressing room at a fashion show with gorgeous models changing under our invisible nose? Would we spy on our enemies? On our friends? Take the last piece of chocolate cake? Make a crude gesture to our least favorite politician?

Does truth matter anymore? Does a statement made on a website become fact because it is posted prominently. Don’t people realize that they are accountable for what they do in life, whether it is online or offline? Nick Jesandun, the Internet writer for AP did an article last year proposing that people should be licensed somehow before they were permitted Internet access. While I disagreed with that premise, perhaps we should rethink that. But maybe instead of licensing them for all Internet use we should require anti-rudeness training before people are allowed online. Perhaps we should install a filter between their brains and their fingers, to make them think before they type.

Perhaps we should certify that someone is mature enough to use powerful technology. One of the best things about the Internet is that it gives everyone a huge soapbox where they can share their ideas, opinions and perspectives. Even if they are ridiculous. Even if they are far-fetched. Even if they have no basis whatsoever in reality. That means all the kooks, crackpots and malicious people online can use this powerful engine to spread hate, misinformation, hidden agendas and hype.

First Amendment advocates often use the example that it protects Nazis marching in Skokie (a town with a large number of holocaust survivors) as much as it protects the rest of us from governmental censorship. I guess that same example applies here as well. Having a free Internet means that hate mongers, slimebags and crackpots can share their opinions as freely as leading experts, kind and caring people and honest and respectful netizens can. But in the same way the citizens of Skokie turned their backs to the cruel messages and swastikas of the marching bands of Nazis, thoughtful Internet users should turn their backs to those who use the medium to spread hate, misinformation and hype.

Take the first step to reclaiming credibility in cyberspace…”Don’t believe everything you see online, use your head and think before you click “send.” We’d all be much better off.

Katie Tarbox and Katie.com (the book, not the site)

To learn about the project called katiesPlace.org, check out Parry's personal blog: Parry's Blog: Katie Tarbox and Katie.com (the book, not the site)

Katie Tarbox is an extraordinary young woman with a huge heart who will help change the world.

I am honored, as the executive director of WiredSafety, to announce that we will be working with Katie to help create a place where children who have been victimized by Internet sexual predators can go for help and support. Her special vision is needed with so many of these young people who don't know where to turn.

The program will be called Katie's Place, and be part of the WiredSafety family of sites and programs. (WiredSafety is a 501c-3 corporation).

Want to help?
drop by WiredSafety.org and we'll show you how.
Parry

Security Pipeline | Trends | Other People's Wi-Fi

Security Pipeline | Trends | Other People's Wi-FiAn interesting article...if you need Internet access and the only way to get it is by using a neighbor's unprotected access, it that okay? Hmmm...good question!
Parry

KatiesPlace.org - the new joint project of Katie Tarbox, Parry and WiredSafety

KatiesPlace.org
A place where children and teens who have been sexually exploited by Internet predators can find help and understanding. If you want to help, drop by wiredsafety.org and volunteer.

InformationWeek > Cyberdating and Safety> Looking For Love In All The Cyber Places > July 26, 2004

InformationWeek > Cyberdating > Looking For Love In All The Cyber Places > July 26, 2004Parry's column this week on cyberdating and safety.

Parry's Cyberdating article: InformationWeek> Dating Online: The Basics > July 26, 2004

InformationWeek > Cyberdating > Dating Online: The Basics > July 26, 2004 How to's for cyberdating novices.

None of Your Bees Wax!

How much of our concept of privacy was formed by the time we left grammar school? I remember that when I was younger, I would share anything with anyone who asked. And even with those who didn't ask :-) What we paid for something, arguments my parents had, how much money my parents earned, when someone was sick, getting divorced, anything. There was no concept of secrets. Telling was the best part of a secret.

Then when hormones started flowing, I started to learn that somethings should remain a secret. And as the hormones started flowing in others, I learned that today's best friend can be your dire enemy tomorrow. That was when I started to add "none of your bess wax" to my vocabulary. I used it with everyone. (I even tried it once with my mother...ONCE is the operative word here :-))

But when we look at privacy issues now, the younger kids don't see that line. They seem ot think that as long as they have nothing to hide, that they shouldn't have to worry about who knows what.

Has the concept of "none of your bess wax" disappeared these days? Isn't it enough that the information is yours? Does something have to be very secret to be protected as "private?"

Isn't there a value to private sphere anymore?

just musing...

Parry

Creating your feed: Feedster :: RSS Search Engine

Feedster :: RSS Search EngineI just tried this for the first time, it's easy and works with blogger. The support people are also very friendly and patient. :-) You can now subscribe to my feed.

Blogs - RSS Feeds...what are they?

Blogs - RSS Feeds...what are they? Blogging hasn't been an easy experience for me. While I am thrilled that I can comment quickly on breaking stories and important issues, there's too much techy info for my liking. I have had to learn the hard way. So, to make it easier for the rest of you out there, who like me don't carry a pocket protector ;-) I have done a quick piece on RSS feeds and why we need to understand them.

For all of you out there with pocket protectors...let me know if I got it wrong. :-)

thanks
Parry

Identity Theft > President Signs Identify-Theft Law > July 16, 2004

InformationWeek > Identity Theft > President Signs Identify-Theft Law > July 16, 2004

Phishing: identity theft: Customer Data > Breach Of Trust > May 3, 2004

InformationWeek > Customer Data > Breach Of Trust > May 3, 2004

Perspective...

I was interviewed today by someone writing a guide about privacy annoyances. During the interview I was asked about drug-testing in the workplace and whether an employer could require an employee to undergo drug testing. I explained that in many cases an employer will require drug-testing prior to employing someone. I heard an audible gasp at the other end of the phone.
 
I stopped for a moment to explain the "other" side. (When privacy is concerned most people are polarized, employers vs. employees, data collectors vs. consumers, citizens vs. government, civil rights vs. security...the list goes on and on.) in this case he was obviously appalled that any employer could compel drug-testing.
 
I asked him to consider whether an employer who deals with children, heavy machinery, medical or high technology would, among other employers, be particularly concerned about drug use by employees? What about school bus drivers, I asked?
 
He conceded that there are special instances where drug-testing may be warranted. But does it have to be a special instance? Shouldn't an employer be entitled to know that their employees are drug-free? Can't a potential employee simply decide not to work for someone who requires a drug-free workforce. Aren't all customers entitled to interface with drug-free salespersons?
 
When it comes to security and Internet safety, I am generally considered pretty conservative. When it comes to privacy, I am usually considered pretty liberal. When security vs. privacy issues arise, I weigh them case by case.
 
Privacy is often seen as a shield and a sword. You're on one side of the issue or another. Never in-between. Yet, as this writer pointed out after a half-hour interview, it's mostly a case-by-case basis. What makes sense under the circumstances? What's the balance? Are we really worried about the United States becoming a nazi-like government? How much are we willing to give up for convenience or efficiency? Bob Evans of Information Week wrote about the over-reaction to the airlines sharing passenger name records...who cares if the airlines share information about your meal preferences, he posed. But in Europe this is considered especially problematic, since a meal preference may divulge your religious orientation or health conditions.
 
While I agree with Bob here, and think that privacy issues are often overblown in the press and by certain advocacy groups to get mentioned in the press, there is always the other side. And the issue of whether or not the passengers were given the choice of sharing this information with third parties, government or otherwise. Airlines and others may be surprised at how many passengers or customers would allow their personal information to be shared, responsibly, with government agencies to help improve security. Heck, it's worth the try...
 
Choice is the real issue. We should be able to give up some privacy in exchange for convenience.
 
Several years ago when EZPass was first introduced, I was holding out. I worried that "big brother" would know where I was and when. They could record how long it took me to get from one exit to another and maybe inform the state troopers to give me a speeding ticket after the fact. Then, I gave in to my daughter's pleading to get EZ-Pass and now I can't imagine ever having to dig through my purse for change or waiting in long lines at the George Washington Bridge tolls in the morning. I exchanged some personal information for convenience.
 
When special security programs are launched allowing frequent travlers to undergo special security clearance in exchange for quicker security checks at airports, I will once again exchange my privacy for convenience.
 
Yet I refuse to use my supermarket frequent shopper card when I shop. Instead I explain to the checkout person that I have forgotten my card and s/he helpfully scans theirs. It's no one's business what I buy or how I pay for what I buy. I don't get any special benefit out of giving this information away.
 
it's always balancing...what's it worth? what are the risks of my information being misused? how much do I trust those asking for it? what I am getting in exchange for the risks? and does the convenience factor outweight the risks?
 
I am still on the sidelines with RFID. But I'll be covering that for an upcoming column at Information Week, so I won't rant about it here.
 
You can read the piece I wrote for Information Week "from the months of Babes" explaining what kids have told me about how they view privacy and security. Interestingly enough they trust Microsoft best. When we dug a bit further into this, we realized that it was the operating system and the daily interface that they trusted. (Apple was the only other fully-trusted brand suggested by one of the teens, and by the only Mac user in the bunch. :-))
 
Yet, AOL wasn't in the top three, even among AOL users.
 
what can we learn from this? It's all a matter of perspective. :-)
 
Parry
 
 
 
 

Bill aims to keep adult spam from kids - 07/04/04

Bill aims to keep adult spam from kids - 07/04/04
I need to check into this...if the list is made public (otherwise how would marketers and spammers know where not to send e-mails?) children will be victimized right away.

Sometimes well-meaning laws create more problems than they solve.

Looking for more information on this.

Parry

Cyberporn case in Canada: InformationWeek Weblog

InformationWeek | InformationWeek WeblogI referenced this blog previously, but a comment was posted that helps understand the results of the arbitration ordering the reinstatement of the terminated employees.

"These workers are members of a union, which has a collective agreement - and with a unionized environment, there is arbitrarial case law. The issue wasn't whether these people should have been disciplined - that fact was conceded - but whether dismissal for a first offence (and no prior warnings or disciplinary action) was appropriate.

Unionized environments are different than at-will employees. There is a collective agreement to follow, mandatory union representation, and a grievance procedure. This judgement comes from an arbitrator empowered by the Labour Relations Act and the Collective Agreement, and was most likely chosen either from a list agreed to by the two parties. There was no lawsuit.

Dismissal is viewed as a last resort, and can only rarely be used for a first offence - offences that completely break down the trust between an employee and the employer, such as fraud, serious physical assault, theft, etc. Otherwise, you must engage in progressive discipline - beginning with a disciplinary letter and eventually reaching dismissal if the actions continue.

Since viewing or storing porn doesn't completely break down the trust, and it was a first offence, dismissal was not warranted. There is extensive labour case law (mainly arbitrator decisions) that back this up (not necessarily relating to porn, but other offences"

a terrific site with lots of great links! Marcus P. Zillman, M.S., A.M.H.A. Author/Speaker/Consultant

Marcus P. Zillman, M.S., A.M.H.A. Author/Speaker/ConsultantA blog everyone should check out, with tons of information from a knowedlgeable expert...how refreshing! :-)

The Canadian workplace porn scandal: John Foley's great comments at the InformationWeek Weblog

InformationWeek WeblogAnd my thoughts on this too.
Bottomline, employees of a Canadian government ministry were found to have downloaded some pretty vile porn and violent content. When this was discovered, the most aggregious violators were terminated. In an arbitration, the ministry was ordered to reinstate them and the arbitrators and many experts claimed that the ministry had made a big ado about nothing.

It is significant, legally, that the ministry had no Internet use agreement in place at the time. one was put in place during the arbitraion. Had one been in place when the porn and violent content was downloaded, there might have been a different result.

way to go John!!!
Parry

Spiderman and Parry Aftab: St. Petersburg Times

Archives: St. Petersburg TimesAnnouncement of the InternetSuperheroes.org programs.

Spiderman, Parry Aftab and Internet Safety announcement

Tonight at an event held at Capitol Hill, together with Senator Stevens and other key members of the U.S. Senate and House of Representatives, as well as Commissioners Thompson and Harbour of the FTC, Parry and Marvel announced an exciting collaboration.

Marvel has agreed to allow WiredSafety.org and Parry to use their super hero characters, including Spiderman, to help deliver their online safety, privacy and responsible surfing messages, worldwide. The program will include special comics with themes such as cyberbulling, privacy, predators and piracy. They will also include live character appearances using the super hero characters.

to learn more, visit InternetSuperHeroes.org.

Parry's PC Magazine article August 3, 2004: Online Safety at School

Online Safety at SchoolParry praises library-media specialists...the unsung heroesof education.

Ex-Spouse charged with cyberspying on ex-husband and his girlfriend

a woman in Florida was charged with violating the ECPA (Federal wiretap statute) for installing a remote cyber-monitoring product on her ex-husband's laptop and his girlfriend's laptop computer to create problems between them.

Many Internet users involved in a divorce proceeding, custody dispute or worried that their significant others are involved in an affair are turning to self-help. Monitoring software designed to monitor employees' surfing and online communications or to monitor children's online activities is being misused to spy on others.

Any interception of an online communication or phone conversation violates the wiretapping laws. While there may be a slight difference between the kids of communications and whether the interception is an actual wiretap or an illegal accessing of stored communications (different sections of the law and different penalties) both are illegal. Certain types of communications are excempted from the federal wiretapping and most state wiretapping laws. These typically involve employers and law enforcement (providing a court-order or other applicable legal process is fulfilled).

Some courts have said that a special unwritten exemption also exists for spouses. But most courts have rejected that position.

Want to know if you can legally access e-mail communications of someone else, check with a lawyer knowledgeable about privacy laws. As tempting as it may be to know what they are saying and to whom they are saying it, be very careful!

FTC's Hooked on Phonics case...announced July 7, 2004

Hooked On Phonics and the FTC Enforcement Action
Parry's analysis of the FTC enforcement action and what this case means. Note that as in all cases, the facts are key. But we all need ot learn from Hooked on Phonics' mistakes...if you make a promise- keep it. If change your privacy policy, it only works going forward, not retroactively. And all privacy policies should have effective and last changed dates and an archive of changes.
The size of the fine, IMHO, means that the FTC didn't think that HOP acted in bad faith.

This is the first of the "material changes" cases for the FTC on website privacy policies. I expect more as we seek more guidance about what a site cna and can't do.

The best advice I can give you is to tag all data with the privacy limitations and any conditions of use under which that information was collected.

I think the FTC is one of the best governmental agencies in the world. They've done a great job here.
thanks!

Parry

Parry's Government Enterprise article about cyberstalking in the workplace

Government Enterprise > Opinions > Visible, Vulnerable Target

The Privacy Lawyer: Cyberloafing Drains Productivity

Security Pipeline | Trends | The Privacy Lawyer: Cyberloafing Drains Productivity

Parry Aftab and Nancy L. Savitt

Parry Aftab and Nancy L. SavittParry's support of the COPPA amendment to extend the e-mail notification and consent rule. Note that Parry's address has changed, as has her telephone numbers. Also the group for which she acts as executive director has changed it's name to wiredsafety.org.

Parry is a proud member of Truste's board of directors

about_aftab

Parry Aftab says the real world provides five good reasons why you should keep a tight rein on employees

Parry Aftab says the real world provides five good reasons why you should keep a tight rein on employeesParry discusses the risks of workplace Internet communications to employers

InformationWeek > Parry Atfab > How COPPA Came About > January 19, 2004

InformationWeek > Parry Atfab > How COPPA Came About > January 19, 2004

InformationWeek > Parry Aftab > COPPA Checklist > January 19, 2004

InformationWeek > Parry Aftab > COPPA Checklist > January 19, 2004

InformationWeek > Parry Aftab > The Privacy Lawyer: Kids' Online Privacy > January 19, 2004

InformationWeek > Parry Aftab > The Privacy Lawyer: Kids' Online Privacy > January 19, 2004

About Parry Aftab, cyberlawyer and privacy and security expert

About Parry Aftab, cyberlawyer and privacy and security expertfrom Parry's own main site.

Parry Aftab's Privacy and Cyberlaw Site

Parry Aftab's Privacy and Cyberlaw SiteParry's main site. Look to it for articles on privacy and cyberlaw.

MSNBC - Hooked on Phonics fined by FTC

MSNBC - Hooked on Phonics fined by FTCBob Sullivan's report on Hooked on Phonics FTC action settlement, quoting Parry.

The Practical Nomad blog: Privacy and Travel Archives

The Practical Nomad blog: Privacy and Travel Archives
Edward has a clear focus on what he thinks is right and wrong about the lack of privacy in travel. He is pretty well informed, and has lots ot say.
Parry

Hooked On Phonics and the FTC Enforcement Action

Hooked On Phonics and the FTC Enforcement Action
Parry's analysis of the FTC enforcement action and what this case means. Note that as in all cases, the facts are key. But we all need ot learn from Hooked on Phonics' mistakes...if you make a promise- keep it. If change your privacy policy, it only works going forward, not retroactively. And all privacy policies should have effective and last changed dates and an archive of changes.
The size of the fine, IMHO, means that the FTC didn't think that HOP acted in bad faith.

This is the first of the "material changes" cases for the FTC on website privacy policies. I expect more as we seek more guidance about what a site cna and can't do.

The best advice I can give you is to tag all data with the privacy limitations and any conditions of use under which that information was collected.

I think the FTC is one of the best governmental agencies in the world. They've done a great job here.
thanks!

Parry

Gateway Learning Settles FTC Privacy Charges

Gateway Learning Settles FTC Privacy Charges
The new enforcement action against :"Hooked on Phonics" company for sharing information in violation of its privacy policy and for trying to change its privacy policy retroactively to permit such sharing. No consent was given for the change.

InformationWeek > Privacy Versus Security > Business Technology: Privacy Isn't The Only Thing That's Important > June 28, 2004

InformationWeek > Privacy Versus Security > Business Technology: Privacy Isn't The Only Thing That's Important > June 28, 2004
A great opinion piece by Bob Evans about keeping our privacy priorities straight.

InformationWeek > Blogs > SmartAdvice: Are Blogs The Next Internet Marketing Phenomenon? > July 5, 2004

InformationWeek > Blogs > SmartAdvice: Are Blogs The Next Internet Marketing Phenomenon? > July 5, 2004
A great primer on blogging for business.

The Councilman Case ...what it says and what it doesn't say

Whenever e-mail and privacy are concerned many people and advocacy groups panic. They read things into the decisions and see the end result of a "slippery slope" often when it is no more than what it is, a decision on this one case.

I have received many e-mails and communications regarding this recent decision by the First Circuit Court of Appeals in the United States. This is the highest appellate court for the region, other than the U.S. Supreme Court. Other decisions rendered by other Circuit Courts of Appeal have no bearing on this court, other than by being clear articulations of the law and worthy of being followed.

This case involved a rare book dealer that also provided e-mail accounts for its customers. The e-mails were handled directly on servers owned and operated by the rare book dealer. When the dealer was acquired by another company, that company decided to try and gather information about Amazon purchases and inquiries made by these customers. A program was written to allow the dealer to collect e-mails sent ot their customers by Amazon and to gather information regarding their transactions. The customers were not aware of this collection or privacy breach.

The e-mails were actually acquired after they had arrived and were accessible to the customers, although in most cases before they were accessed by the customers.

An indictment was obtained by the US. Attorney (the federal prosecutor in this case) for violation of the federal wiretap statute, the ECPA (Electronic Commnications Privacy Act).

Essentially, the court held that becasue the e-mails were stored on the dealer's server and the transmission to the server from the e-mail sender was complete, that the ECPA section in question was not violated. That involved the interception of communications in transit. The e-mails had already arrived, ruled the court, and were therefore not in transit. While the case may have involved a violation of another section of the ECPA, regarding "stored communications" the court did not reach any legally binding conclusion reagrding whether any isp can access and read e-mails of its e-mail customers.

The company argued that it had not violated the stored communications prohibition, but the court said that since the indictment didn't involve a charge that it had, they didn't have to deal with the issue.

Period.

It doesn't say that e-mail providers can access and use e-mail communications of their customers.

don't panic.

to read the entire case, look at the prior blog post...the entire case is pasted within it.

The earlier case dealt with related issues. If anyone has questions about that case, let me know.

but for now lax. And read your isp's privacy policy. it is a legally enforceable document. That, not fears about this case, should govern your concerns.

Parry

Privacy and ISP right to access e-mails: the First Circuit Councilman decision

United States Court of Appeals,
First Circuit.
UNITED STATES of America, Appellant,
v.
Bradford C. COUNCILMAN, Defendant, Appellee.
No. 03-1383.
Heard Dec. 3, 2003.
Decided June 29, 2004.

Appeal from the United States District Court for the District of Massachusetts, Michael A. Ponsor, U.S. District Judge.
Gary S. Katzmann, Assistant United States Attorney, with whom Michael J. Sullivan, United States Attorney, and Richard P. Salgado, Senior Counsel, Computer Crime and Intellectual Property Section, were on brief, for appellant.
Andrew Good, with whom Good & Cormier, was on brief, for appellee.

Before TORRUELLA, Circuit Judge, CYR, Senior Circuit Judge, and LIPEZ, Circuit Judge.


TORRUELLA, Circuit Judge.
*1 The United States appeals from the district court's dismissal of Count One of the Indictment against defendant Bradford C. Councilman ("defendant"). Count One charged defendant with conspiring to engage in conduct prohibited by various provisions of the Wiretap Act, 18 U.S.C. §§ 2510-2522, in violation of 18 U.S.C. § 371. We affirm.

I. Facts
Defendant was Vice-president of Interloc, Inc. ("Interloc"). Interloc's primary business was as an online rare and out-of-print book listing service. As part of its services, Interloc provided certain book dealer customers with an electronic mail ("e-mail") address and acted as the service provider. The dealer was provided with an e-mail account ending in "@Interloc.com". [FN1]
In May 1998, Alibris, a California corporation, acquired Interloc. Defendant was Vice-president, shareholder and employee of Interloc and Alibris. Among defendant's responsibilities was the management of the Internet Service Provider ("ISP") and the book dealer subscription list managed by Interloc.
The parties stipulated to the following facts relevant to the transfer of electronic messages by the Interloc systems. An e-mail message, which is composed using an e-mail program, is transferred from one computer to another on its way to its final destination, the addressee. Building on the principle of store and forward, the message is handed to a Message Transfer Agent ("MTA") which stores the message locally. The message is routed through the network from one MTA to another until it reaches the recipient's mail server, which accepts it and stores it in a location accessible to the recipient. Once the e-mail is accessible to the recipient, final delivery has been completed. The final delivery process places the message into storage in a message store area. Often, a separate Mail Delivery Agent ("MDA") will be required to retrieve the e-mail from the MTA in order to make final delivery.
Interloc's computer facility used a program known as procmail (short for process mail) as its MDA. Procmail operates by scanning and sorting e-mail together with an MTA computer program known as "sendmail."
According to the Indictment, on or about January 1998, defendant directed Interloc employees to write computer code to intercept and copy all incoming communications from Amazon.com to subscriber dealers. The Interloc systems administrator wrote a revision to the mail processing code called procmail.rc ("the procmail"), designed to intercept, copy, and store, all incoming messages from Amazon.com before they were delivered to the members' e-mail, and therefore, before the e-mail was read by the intended recipient. Defendant was charged with using the procmail to intercept thousands of messages. Defendant and other Interloc employees routinely read the e-mails sent to its members seeking to gain a commercial advantage.
The procmail was designed to work only within the confines of Interloc's computer. At all times that MTA sendmail and MDA procmail performed operations affecting the e-mail system, the messages existed in the random access memory (RAM) or in hard disks, or both, within Interloc's computer systems. Each of the e-mails at issue constituted an "electronic communication" within the meaning of 18 U.S.C. § 2510(12).
*2 Count One of the Indictment charged defendant with a violation of 18 U.S.C. § 371 for conspiracy to violate 18 U.S.C. § 2511. Defendant allegedly conspired to intercept the electronic communications, to intentionally disclose the contents of the intercepted communications, in violation of 18 U.S.C. § 2511(1)(a), and to use the contents of the unlawfully obtained electronic communication, in violation of 18 U.S.C. § 2511(1)(c). Finally, the government alleged that defendant had conspired to cause a person to divulge the content of the communications while in transmission to persons other than the addressees of the communications, in violation of 18 U.S.C. § 2511(3)(a). [FN2] The object of the conspiracy, according to the government, was to exploit the content of e-mail from Amazon.com, the Internet retailer, to dealers in order to develop a list of books, learn about competitors and attain a commercial advantage for Alibris and Interloc. [FN3]
Defendant moved to dismiss the Indictment for failure to state an offense under the Wiretap Act, as the e-mail interceptions at issue were in "electronic storage," as defined in 18 U.S.C. § 2510(17), and could not be intercepted as a matter of law. The district court did not initially grant the motion to dismiss but, upon further briefing by the parties, granted the motion and dismissed Count One. The district court found that the e-mails were in electronic storage and that, therefore, the Wiretap Act could not be violated because the requisite "interception" was lacking. United States v. Councilman, 245 F.Supp.2d 319 (D.Mass.2003).

II. Analysis
A. The Wiretap Act
We review questions of statutory interpretation de novo. See United States v. Jones, 10 F.3d 901, 904 (1st Cir.1993). The issue in this case is whether there was an "intercept" of a communication within the meaning of the Wiretap Act. In cases of statutory construction we begin with the language of the statute. See Hughes Aircraft Co. v. Jacobson, 525 U.S. 432, 438, 119 S.Ct. 755, 142 L.Ed.2d 881 (1999). We determine the meaning of a word from the context in which it is used. See Holloway v. United States, 526 U.S. 1, 6-7, 119 S.Ct. 966, 143 L.Ed.2d 1 (1999).
The Electronic Communications Privacy Act ("ECPA") amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968, commonly known as the federal wiretap law. See Electronic Communications Privacy Act, Pub.L. No. 99-508, 100 Stat. 1848 (1999). The ECPA was divided into Title I, commonly known as the Wiretap Act, 18 U.S.C. §§ 2510-2522, and Title II, commonly known as the Stored Communications Act, 18 U.S.C. §§ 2701-2711. [FN4] The amendments provided for the protection of electronic communications along with oral and wire communications. See S.Rep. No. 99-541, at 11 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3565.
We begin our analysis by highlighting the difference between the definitions of "wire communications" and "electronic communications" in the Wiretap Act, mindful that the communications at issue in this appeal are electronic in nature. Under 18 U.S.C. § 2510(1), a
*3 "wire communication" means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable or other like connection between the point of origin and the point of reception furnished or operated by any person engaged in providing or operating such facilities ... and such term includes any electronic storage of such communication....
18 U.S.C. § 2510(1). By comparison, " 'electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system ." Id. at § 2510(12). No mention is made of electronic storage of electronic communications. See generally In re Hart, 328 F.3d 45, 49 (1st Cir.2003)("[W]hen Congress includes a particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.").
"Intercept" is defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4).
The statute that defendant is charged with conspiring to violate, 18 U.S.C. § 2511, provides criminal penalties to be imposed on "any person who--(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication." 18 U.S.C. § 2511(1)(a).
Relying on the language of the statute and the decisions of our sister circuits, the district court held that Congress did not intend for the Wiretap Act's interception provisions to apply to communication in electronic storage. Councilman, 245 F.Supp.2d at 321. The district court rejected "[t]he Government's position ... that the Wiretap Act applies to interceptions that take place when the message ... is 'in transit' or 'in process of delivery.' " Id. Relying on the definition of electronic storage, the district court held that no interception can occur while the e-mails are in electronic storage and therefore, without the requisite interception, the Wiretap Act could not be violated.
The scope of electronic communications that can theoretically be intercepted is obviously reduced when the definition does not include electronic storage of such communications, as is the case with wire communications. In addition, electronic storage includes a vast range of possible situations including "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof...." 18 U.S.C. § 2510(17)(A). The government argues that this section does not necessarily place the e-mails in question in this case outside the interception requirement of 18 U.S.C. § 2511(a).
*4 The particular problem confronted in this case is what has been called the "contemporaneous" problem in the intercept requirement of the Wiretap Act. See In re Pharmatrak, 329 F.3d 9, 21-22 (1st Cir.2003)(because the statute was written before the widespread use of the Internet and other media prior opinions may not be helpful in addressing current problems). The government argues that given the particular nature of electronic communications and the mechanisms used to retrieve them, 18 U.S.C. § 2511(a) is a proper foundation for Count One of the Indictment. In addition, the government argues, cases from other circuits are distinguishable on their facts because none used the procmail at issue in this case. [FN5] We have commented on the issue presented in this case, see Pharmatrak, 329 F.3d at 21-22, but have not resolved it. [FN6]
The first case to address the issue of unlawful intercept in the context of electronic communications is Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir.1994). There, the plaintiff company sued the Secret Service because the agency had seized a computer used to operate a bulletin board system, but which also contained private, unretrieved electronic mail. Id. at 459. The plaintiff provided its customers with the ability to send and retrieve e-mail, which was stored on the company's hard disk drive temporarily, until the recipient retrieved the e-mail. Id. at 458. After seizing the computer, the Secret Service allegedly opened the private e-mails, read them and deleted them. The company sued, alleging, inter alia, a violation of the Wiretap Act. Id. at 459-60.
The Fifth Circuit held that the seizure of sent but unretrieved e-mail did not constitute an intercept for purposes of 18 U.S.C. § 2511(1)(a). See Steve Jackson Games, 36 F.3d at 461-62. In reaching that conclusion, it relied on the difference in the definitions of electronic and wire communication and the definition of electronic storage. "Congress' use of the word 'transfer' in the definition of 'electronic communication,' and its omission in that definition of the phrase 'any electronic storage of such communication' (part of the definition of 'wire communication') reflects that Congress did not intend for 'intercept' to apply to 'electronic communications' when those communications are in 'electronic storage.' " Id. (footnote omitted); see also Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 114 (3d Cir.2003) (adopting the reasoning in Steve Jackson Games as to the meaning of intercept under the relevant version of the Wiretap Act).
In contrast, Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2002), cert. denied, 537 U.S. 1193, 123 S.Ct. 1292, 154 L.Ed.2d 1028 (2003), concerned a plaintiff, an employee of Hawaiian Airlines, who operated a secure website which posted criticism of his employer. A vice-president of the airline obtained permission from authorized users to view the website. Plaintiff sued, alleging, inter alia, that defendant had violated the Wiretap Act by violating the terms of use of the website and entering a secure website under false pretenses.
*5 The Ninth Circuit, after granting panel rehearing, reversed its earlier position that the electronic communications were covered under the Wiretap Act. It did so because, in its view, the conduct of the defendant did not constitute an intercept as that term is defined. Konop, 302 F.3d at 876. Relying on Steve Jackson Games, it held that "for a website such as Konop's to be 'intercepted' in violation of the Wiretap Act, it must be acquired during transmission, not while in electronic storage." Id. at 878. In doing so, it rejected the position the government takes in this case, that, given the nature of e-mail, the Wiretap Act must apply to en route storage. Id. at 879 n. 6. "While this argument is not without appeal, the language and structure of the [Act] demonstrate that Congress considered and rejected this argument." Id. The court relied, as did the district court in this case, on the expansive definition of the term "electronic storage" in 18 U.S.C. § 2510(17)(A). The dismissal of the Wiretap Act claim was affirmed.
The government is correct that the electronic communications at issue here were acquired in a different manner than in Steve Jackson Games and Konop. Defendant's procmail operated to obtain the e-mails before they were received by its intended recipients. While the e-mail in Steve Jackson Games was retrieved from storage in a computer and the website in Konop was accessed under false pretenses, the e-mails in this case were accessed by the procmail as they were being transmitted and in real time. However, the presence of the words "any temporary, intermediate storage" in 18 U.S.C. § 2510(17) controls. On the facts of this case, it is clear that the electronic communications in this case were in a form of electronic storage. It may well be that the protections of the Wiretap Act have been eviscerated as technology advances. See United States v. Steiger, 318 F.3d 1039, 1047-51 (11th Cir.2003) (holding intercept did not occur because there was no contemporaneous acquisition but commenting that under the narrow reading of the statute few seizures will constitute interceptions under Wiretap Act). As the stipulation reached by the parties states, "[a]t all times that sendmail and procmail performed operations affecting the email messages at issue, the messages existed in the random access memory (RAM) or in hard disks, or both, within Interloc's computer system." When defendant obtained the e-mails, they were in temporary storage in Interloc's computer systems. There was also a stipulation that "[n]either sendmail nor procmail performed functions that affected the emails in issue while the emails were in transmission through wires or cables between computers." This fact places the messages outside the scope of 18 U.S.C. § 2511(a), and into temporary electronic storage under 18 U.S.C. § 2510(17)(A). Accord Steiger, 318 F.3d at 1049; Konop, 302 F.3d at 878; Steve Jackson Games, 36 F.3d at 462; see also United States v. Moriarty, 962 F.Supp. 217 (D.Mass.1997) (holding that for Wiretap Act provisions to be violated as to electronic communications contemporaneous acquisition is necessary); United States v. Reyes, 922 F.Supp. 818, 836 (S.D.N.Y.1996) (same).
*6 The government argues, and the dissent is persuaded by this argument, that the legislative history of the statute demonstrates that if an electronic communication is obtained while it is simultaneously in transmission and in storage, then an intercept occurs. Notwithstanding the fact that we find the language of the statute unambiguous, exploring this contention merely confirms our position as to the meaning of the statute. The government points to dicta in Pharmatrak as supporting the conclusion that electronic communications are protected when they are in storage, because by their nature, they exist in storage and transit at the same time.
[T]he storage-transit dichotomy adopted by earlier courts may be less than apt to address current problems. As one court recently observed, "[t]echnology has, to some extent, overtaken language. Traveling the internet, electronic communications are often--perhaps constantly--both 'in transit' and 'in storage' simultaneously, a linguistic but not a technological paradox."
329 F.3d at 21-22 (quoting Councilman, 245 F.Supp.2d at 321). However, the legislative history of the Act clearly states that the definition of intercept was not altered by the amendments. See S.Rep. No. 99-541, at 12, reprinted in 1986 U.S.C.C.A.N. at 3566 (stating that "[t]he definition of 'intercept' under current law is retained with respect to wire and oral communications except that the term 'or other' is inserted after 'aural' "). Even assuming arguendo that we should look outside the text, the government's arguments based on the legislative history are unavailing.
The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology. We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly. [FN7] We therefore affirm the district court's dismissal of Count One of the Indictment on the premise that no intercept occurred in this case, and therefore, the Wiretap Act could not be violated.
B. The Stored Communications Act
Defendant also argues that his conduct was lawful under Title II of the ECPA, or the Stored Communications Act, 18 U.S.C. § 2701 et seq., and therefore outside the criminal provisions of the Wiretap Act. Specifically he relies on the provider exceptions, 18 U.S.C. § 2701(c)(1). Given our reading of the Wiretap Act, we need not comment on this argument. We note, however, that the intersection of the Wiretap Act and the Stored Communications Act "is a complex, often convoluted, area of the law." United States v. Smith, 155 F.3d 1051, 1055 (9th Cir.1998). Defendant's argument takes us beyond the charges in the Indictment. Therefore, we need not stray beyond the text of the Wiretap Act into the Stored Communications Act because the government sought to indict defendant only for conspiracy to violate Title I, 18 U.S.C. § 2511(a).

III. Conclusion
*7 For the reasons stated above, the district court's order dismissing Count One is affirmed.


LIPEZ, Circuit Judge (Dissenting).
Unlike my colleagues, I believe that the district court erred in dismissing the indictment against Defendant-Appellee Bradford Councilman for violating Title I of the Electronic Communications Privacy Act (ECPA), Pub.L. No. 99- 508, 100 Stat. 1848 (1986). To explain my disagreement, I will present some background information on the technology at issue and Congress's passage of the ECPA. That background is critical to an understanding of the issue before us. I will then set forth Councilman's arguments as I understand them and explain why I find them unpersuasive. I will then address the government's persuasive arguments. In discussing this material, I will also respond to the reasoning of the district court and my colleagues.

I. The Technology
The Internet consists of a network of inter-connected computers in which data are broken down into small, individual packets and forwarded from one computer to another until they reach their destinations. See Orin S. Kerr, Internet Surveillance Law After the USA Patriot Act: The Big Brother that Isn't, 97 Nw.U. L.Rev. 607, 613-14 (2003). Each service on the Internet--e.g. e-mail, web hosting, and instant messaging--has its own protocol for using those packets of data to transmit information from one place to another. I will focus solely on the e-mail protocol. After a user composes a message in an e-mail program, a mail transfer agent ("MTA") formats that message and sends it to another program that "packetizes it" and sends those packets out to the Internet. Computers on the network then pass the packets from one to another; each computer along the route stores the packets in memory, retrieves the address of their destination, and then determines where to send it next based on the packet's destination. At various points the packets are reassembled to form the original e-mail message, copied, and then repacketized for the next leg of the journey. See J. Klensin, RFC 2821--Simple Mail Transfer Protocol, available at http://www.faqs.org/rfcs/rfc2821.html (last accessed May 19, 2004) (containing the standard for the Simple Mail Transport Protocol). These intermediate computers occasionally retain backup copies of the e-mails that they forward and then delete those backups a short time later. The method of transmission is commonly called "store and forward" delivery.
Once all the packets reach the recipient's mail server, they are reassembled to form the e-mail message. A mail user agent ("MUA"), which in Councilman's case was a program called "Procmail," then determines which user should receive the e-mail and places the message in that user's mailbox. The MUA is controlled by programs called "recipe files." These recipe files can be used in a variety of ways and can, for example, instruct the MUA to deposit mail addressed to one address into another user's mailbox (i.e., to send mail addressed to "help" to the tech support department), to reject mail from certain addresses, or to make copies of certain messages. Once the messages are deposited in a mailbox, the end user simply needs to use an e-mail program to retrieve and read that message. Councilman wrote a recipe file for his MUA that caused all of the messages from Amazon.com to be copied while the MUA was in the process of placing that message into the recipient's mailbox, and to place these copies into his own personal box.

II. The Legislative Context
*8 Congress passed the 1968 Wiretap Act to "protect[ ] the privacy of wire and oral communications, and [to] delineat[e] on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized." Gelbard v. United States, 408 U.S. 41, 48, 92 S.Ct. 2357, 33 L.Ed.2d 179 (1972) (quoting S.Rep. No. 90-1097, at 66 (1968), reprinted in 1968 U.S.C.C.A.N. 2153, 2153). By the mid-1980s, however, technology had outpaced the privacy protections in the Act, creating uncertainty and gaps in its coverage. As one member of the House Judiciary Committee lamented: [I]n the almost 20 years since Congress last addressed the issue of privacy of communications in a comprehensive fashion, the technologies of communication and interception have changed dramatically. Today we have large-scale electronic mail operations ... and a dazzling array of digitized information networks which were little more than concepts two decades ago. These new modes of communication have outstripped the legal protection provided under statutory definitions bound by old technologies.
Electronic Communications Privacy Act: Hearings on H.R. 3378 Before the Subcomm. on Courts, Civil Liberties, and the Adminstration of Justice of the House Comm. on the Judiciary, 99th Cong. 1 (1985-1986) (statement of Chairman Kastenmeier); See also id. at 3 ("[T]he American people and American businesses are no longer assured that the law protects their right to communicate privately.") (Statement of Sen. Leahy). Congress passed the ECPA to remedy these perceived weaknesses and to update and expand the privacy protections in the 1968 Act. See Sen. Rep. No. 99-541, at 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555 ("The bill amends the 1968 law to update and clarify Federal privacy protections and standards in light of dramatic changes in new computer and telecommunications technologies.").
Title I of the new act amended the 1968 Wiretap Act and added new protections for electronic and digital technologies. Section 101(c)(1)(A) added "electronic communications" to the existing prohibitions against intercepting wire--which are essentially telephone calls--and oral communications. As the House report made clear, Congress intended to give the term "electronic communication" a broad definition: "As a rule, a communication is an electronic communication if it is neither carried by sound waves nor can fairly be characterized as one containing the human voice (carried in part by wire)." H.R.Rep. No. 99-647, at 35. Section 101(a)(3) added "or other" to the definition of "intercept," which had previously only referred to the "aural acquisition of the contents of any ... communication." [FN8] Also relevant to this case, albeit not at issue here, Section 101(c)(7) removed a phrase in the Wiretap Act that limited the scope of the Act to communications transmitted on common carriers. This amendment expanded the reach of the Act's protections to private telephone and computer networks, including internal office networks, and cellular phones. The amended Wiretap Act now reads, in pertinent part: "[A]ny person who intentionally intercepts, endeavors to intercept, or procures any person to intercept or endeavor to intercept, any wire, oral or electronic communication ... shall be punished...." 18 U.S.C. § 2511(1).
*9 Congress also recognized that, with the rise of remote computing operations and large databanks of stored electronic communications, the threats to individual privacy extended well beyond the bounds of the Wiretap Act's prohibition against the "interception" of communications. These stored communications--including stored e-mail messages, stored financial transactions, stored medical records, and stored pager messages--were not protected by the Wiretap Act, presumably because the Act had been interpreted to only prohibit "the contemporaneous acquisition of [a] communication." See United States v. Turk, 526 F.2d 654, 658 (5th Cir.1976). Therefore, Congress concluded that "the information [in these communications] may be open to possible wrongful use and public disclosure by law enforcement authorities as well as unauthorized private parties." Sen. Rep. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557; see also United States Congress, Office of Technology Assessment, Electronic Surveillance and Civil Liberties 48-50 (1985) (theorizing that communications service providers and banks could disclose private information about their customers without federal liability and law enforcement agents could seize these private communications with only a modicum of procedural protections).
Congress added Title II to the ECPA to halt these potential intrusions on individual privacy. This title, which is commonly referred to as the Stored Communications Act, established new punishments for any person who "1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or 2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage...." 18 U.S.C. § 2701(a).
The privacy protections established by the Stored Communications Act were intended to apply to two categories of communications: "those associated with transmission and incident thereto" and those of "a back-up variety." H.R.Rep. No. 99-647, at 68. The first category refers to temporary storage such as when a message sits in an e-mail user's mailbox after transmission but prior to the user retrieving the message from the mail server. Importantly, however, this category does not include messages that are still in transmission, which remain covered by the Wiretap Act. Id. at 65 (stating that the Wiretap Act "prohibits ... a provider from divulging the contents of a communication while it is in transmission."). The second category includes communications that are retained on a server for administrative and billing purposes. Communications service providers could use stored messages in this category to restore a user's data in the event of a system crash or to recover accidentally-deleted messages.
Defendant-Appellee Bradford Councilman was indicted on July 11, 2