The Volokh Conspiracy

It is common for e-mail from lawyers to have a statement at the end indicating that the e-mail is confidential and may be privileged, and that if you have received the e-mail in error you should delete it. Sometimes the statement also includes this line:

This email (including the attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521.

If you’re a lawyer and the statement at the end of your e-mail has that line quoted above, please do yourself a favor and remove it. Including that line only shows that you have no idea what the Electronic Communications Privacy Act does, and that you are comfortable repeatedly invoking a law even though you have no idea what is in it. That’s a pretty lousy image to present for your legal practice.

For those curious about the details, 18 U.S.C. §§ 2510-2521 is the federal Wiretap Act. It prohibits the real-time interception of the contents of any communications sent over any communications network without the permission of one of the parties. In 1986, the law was amended by the Electronic Communications Privacy Act to apply to “electronic communications,” which basically means all computer communications. Under the 1986 Act, it is a crime to intercept any electronic message between its send and delivery points absent an exception to the statute. Importantly, the Wiretap Act only applies when the communications are in transit. That means the statute doesn’t stop anyone from reading any e-mail that lands in their inbox, even if it was misdelivered there. That’s true for two reasons. First, If the e-mail has been sent to you, you are a party to it, and you can read it. Plus, once an e-mail has been delivered and it is sitting in your inbox, reading it cannot be an “intercept” because the e-mail in your inbox has already been delivered.

Now that you understand what the statute actually does, you can see why the disclaimer that I quoted above is rather nonsensical. First, the lawyer’s e-mail is “protected” by the statute only to the extent that every phone call and every e-mail, Facebook message, text message, IM, and every other electronic communication is protected. Second, by the time the reader actually sees the e-mail, the message has been delivered and the cited statute no longer provides any protection at all. So if you include that line, you’re basically saying that you think it’s noteworthy that your e-mail has the same protection has all e-mails — which in this case is none at all.

Yesterday I posted the rough draft of my testimony on ECPA reform, and I benefited greatly from the comments I received here and via e-mail. My final version has been submitted, and it is available here. Thanks again to various readers for their help.

On Wednesday afternoon, I will be testifying before the House Judiciary Committee’s Subcommittee on the Constitution, Civil Rights, and Civil Liberties on Reforming the Electronic Communications Privacy Act. The hearing is a response to the four proposals of the Digital Due Process coalition, a group of tech companies, privacy groups, and individuals that have agreed on a set of principles to reform ECPA. (Plain English translation: Congress is thinking about fiddling with the e-mail privacy laws, and I’m going to help discuss some of the proposed changes with them.)

My written testimony is due Tuesday afternoon, and I thought I would post a draft and invite comment: You can read it here. Unfortunately, time constraints have made it quite short, and there are topics that I would have liked to cover in much more depth. But I figured that at the very least I could post the draft and see what you all thought. The final version is due Tueday afternoon, so if you have a response please leave it in the comments or e-mail them to me by around noon tomorrow. Thanks!

The Washington Post has a new story, “FBI Broke Law For Years in Phone Record Searches”, reporting that the FBI violated the Electronic Communications Privacy Act by unlawfully obtaining non-content records about telephone calls in terrorism investigations. According to the story, FBI anti-terrorism investigators had a backlog of requests for National Security Letters that they cured by relying on the exigent circumstances exception to persuade providers to disclose records voluntarily:

The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews. FBI officials issued approvals after the fact to justify their actions.

E-mails obtained by The Washington Post detail how counterterrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats.

A Justice Department inspector general’s report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed.

Reading over the story, I’m not entirely sure what actually happened, or what the alleged violation is. But I thought I would explain the law here so readers can understand the context, and then offer a few possibilities as to what might have actually happened.

I. The Electronic Communications Privacy Act

Under the telephone privacy laws, there are two basic ways that the government can get stored non-content telephone records from telephone providers. First, the government can order the provider to disclose the records. In the setting of a criminal case, the government does that with a grand jury subpoena (or, depending on the records, a specific facts court order). In the setting of a national security investigation, the government does that with a National Security Letter. In both cases, the primary limitation on the government in obtaining these orders is red tape and procedure rather than a showing of cause.

Second, the government can also get records if the provider is willing to voluntarily disclose the records and some exception to the non-disclosure rule applies. The relevant exception here is exigent circumstances. Under 18 U.S.C. 2702(c)(4), a provider is permitted to disclose non-content records to the government if the provider “in good faith, believes that an emergency involving danger of death or serious bodily injury to any person requires disclosure without delay of information relation to the emergency.” (The precise legal standard for exigent circumstances disclosure has changed over time, as well. Fom October 2001 until 2006, disclosure was allowed only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” The language changed from “reasonable” belief to “good faith” belief in March 2006.)

The concept of exigent circumstances is well known to Fourth Amendment fans, and it’s the basic concept animating the emergency exception. But exigent circumstances here is different from in the Fourth Amendment setting in two key ways. First, the government doesn’t actually conduct the search; instead, the government persuades the provider to disclose. Second, disclosure is optional, not mandatory. That is, the provider can disclose if it has that good faith belief but need not do so.

That means the Government has to play nice with providers; it can’t just claim an emergency and take the info. In response to that reality, the government has taken to sending so-called “exigent circumstances letters” with providers that provide some CYA paperwork for the provider in case it discloses after the government has made a representation of an emergency. If the provider is sued, it can then rely on the exigent circumstances letter to show its good faith letter. See, e.g., Jayne v. Sprint PCS, 2009 WL 426117 (E.D. Cal. 2009) (rejecting ECPA lawsuit against Sprint PCS based on exigent circumstances letter claiming that the plaintiff was a kidnapper and that the records were needed to identify and locate the suspect and rescue his victim).

II. The Legal Violations: Three Possibilities

Now, back to the Post story. According to the Post, the FBI found that when there was an emergency break in a terrorism case, or a new lead came in requiring a super-quick investigation, it took too long to issue an NSL. (One problem was than an NSL requires an already-open case; the FBI would need to first go through the paper work of opening the case, which took time.) The FBI approved a work-around in those emergencies: The FBI would file an exigent circumstances letter right away instead of waiting for the NSL. Then, later on, it would follow up with an NSL for the records ex post.

Now on to the key issue: How was the law violated? Here’s where I’m not so sure. I see three possibilities.

First, at various points the Post story seems to suggest that the legal violation was the failure to follow-up an exigent circumstances letter with an NSL. But if that’s the claim, then the story is rather misleading: There is no legal requirement that an exigent circumstances letter be followed up. The choice to follow up an exigent circumstances letter is apparently a policy choice by the FBI, but it’s not something the privacy statutes contemplate or require.

A second possibility is that the FBI was making false statements in the exigent circumstances letters themselves. It’s not entirely clear what the technical violation is in that case, but presumably the FBI becomes civilly liable for the disclosure violation that it induced. (That is, presumably the FBI can’t misrepresent the facts of what the emergency is to get the provider to have a good faith belief and then voluntarily disclose.) At the same time, I can’t quite tell in the story if that’s what was allegedly happening: The lead sentence suggests so, but there are other parts of the story that suggest that the authors may be thinking of the failure to follow up as the problem.

A third possibility is that the FBI was filing exigent circumstances letters properly, but was then getting NSLs after the fact improperly. That is, the technical violation was based on the FBI’s self-imposed policy: By following-up even when the law did not require it, the government ended up getting NSLs that did not satisfy the NSL standard. Again, parts of the story seem to suggest this, but it’s hard to know with certainty.

Anyway, this sort of story tends to have legs, so I assume we’ll be hearing more details shortly. Stay tuned.