Electronic Communications Privacy Act (ECPA)

In the 1967 Katz vs. the U.S. case, the Supreme Court ruled that the use of electronic devices by the FBI to listen to and record telephone conversations without a warrant was a violation of the Fourth Amendment, which prohibits unreasonable search and seizures by government agencies.  This case instigated the Court to more clearly define criteria for acceptable government surveillance:  "government agencies were required to demonstrate probable cause, identify the specific suspect, crime, telephone to be used, and time of conversation, and secure a warrant to legally execute a wiretap."  (“Electronic Communications Privacy Act”, Jones Telecommunications & Multimedia Encyclopedia, http://www.digitalcentury.com/encyclo/update/ecpa.html)  

While ECPA of 1968 was originally a crime bill that made wiretapping legal under certain provisions, ECPA of 1986 expanded ECPA of 1968 to address the legal privacy issues that were surfacing with the increase use of electronic communications.  ECPA of 1986 also identified specific circumstances that would not be protected, including an employer's monitoring of employee email on the employer's system as the most controversial examples.  (“Electronic Communications Privacy Act”, Jones Telecommunications & Multimedia Encyclopedia, http://www.digitalcentury.com/encyclo/update/ecpa.html) 

Since Stanford students heavily utilize electronic communications on a daily basis, we felt the crime-bill-turned-privacy-act was very applicable to a university setting.  ECPA specifies that “ . . . a provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber or customer of such service . . . to any person other than a governmental entity.”   (18 U.S.C. Sec. 2703(c)(1)(A))  Stanford University certainly provides such services to its students, but there exist laws such as FERPA (to be discussed in more detail later) that are intended to protect students from the University disclosing records or other information pertaining to students as “subscribers” to these services.  ECPA further specifies that when a governmental entity seeks “subscriber” information, the information may be disclosed only if the entity has obtained a warrant, court order, an authorized administrative or grand jury subpoena, or the consent of the subscriber.  (18 U.S.C. Sec. 2703(c)(1)(B))  Subpoenas, in particular, range from court orders to attorney boilerplate.  (Marc Rotenberg, Executive Director of EPIC, April 23, 2001)  For example, if some arbitrary law firm were to provide Stanford with a subpoena attempting to compel the disclosure of a student subscriber’s identity or electronic communications records, Stanford Security Officers could legally provide the requested information.   Or they could ask a court to settle the matter.  Therefore, ECPA does not serve to protect student privacy.  Since ECPA does not require judicial review, ECPA provides a convenient rationalization for questionable authorizing procedures (“Electronic Communications Privacy Act”, Jones Telecommunications & Multimedia Encyclopedia, http://www.digitalcentury.com/encyclo/update/ecpa.html) in matters of the University conducting email surveillance or turning over electronic communication records. 

Finally, while ECPA was intended to protect the content of electronic communications, it "revised the definition of content to specifically exclude the existence of the communication itself, as well as the identity of the parties involved."  (“Electronic Communications Privacy Act”, Jones Telecommunications & Multimedia Encyclopedia, http://www.digitalcentury.com/encyclo/update/ecpa.html)  This means Stanford can monitor networking patterns of its student network users and thereby gather a great deal of information without actually “hearing the conversation”.  In Stanford’s defense, inspection of private data or monitoring of messages is authorized only when there is reasonable cause to suspect improper use of computer or network resources (Stanford’s Computer and Network Usage Policy, Computer Security Officer Responsibilities, Inspection and Monitoring, p. 4).  It is not clear at which point the tradeoffs between security and student privacy are fairly balanced. There will be more discussion on Stanford Security Officers and/or system administrators being allowed to access a student’s emails, data files, programs, and Leland account without the student’s consent in the Computer and Network Usage Policy section as well as in the Legal/Policy Perspectives Conclusion.