Data Terminology
Specifically Requested User Information
Most Internet service providers, websites and other online services ask users for some personally identifying information, either for purposes of registration, participating in contests or surveys, or making purchases. Such information may include name, address, email address, and credit card information.
"Transactional” Data
In addition to direct requests for information, most online services also use some form of tracking technology to collect information while a user “surfs” a particular site or the Internet generally. This data can be used to create a record of a user’s system information, online communications, transactions and other activities, including websites visited, pages and ads viewed, purchases made and more. This record of a user’s session on the Internet is sometimes called “clickstream” or “transactional” data. Examples of such data include:
- IP Address. When a user connects to the Internet through an ISP, the user’s ISP assigns the computer a numeric Internet Protocol address. The IP address allows the user’s computer to communicate with the servers of the Web sites he or she visits, and may be traced to the ISP or, in some cases, computer owner. Generally, IP addresses are automatically gathered and maintained by the Web site.
- Cookies. “Cookies” are small data text files that are sent from a server computer to a recipient computer during a browsing session. Cookies allow a Web site server to “remember” what the user did when he or she visited the site; for example, when the last visit occurred and which pages were viewed at that time. While a cookie identifies an individual user’s computer in the sense that it can distinguish one computer from another, it typically does not know the actual identity of the user. Generally, cookies do not pose a threat in terms of destroying or compromising a system.
- Referrers. Some online services may collect a “referrer” from the user’s Web browser which references the last URL that the user has visited. Such information can be used to identify and track a user’s movement across the Web.
- GUIDs. A Globally Unique Identifier is an alphanumeric identifier for a unique file or installation of software, or a particular user. For example, a website may assign a GUID to a user’s browser to track the user’s session, or the Windows operating system may use a GUID to identify software or other files created or downloaded on the user’s hard drive.
- Web Bugs. Web bugs are small, transparent image files, typically 1-by-1 pixel in size, placed on websites or in email messages. Site operators and email marketers may use Web bugs to determine whether an email message has been read; to identify the IP addresses of users’ computers; to know the time when a Web page was viewed or an email message read; and to retrieve cookie information. Web bugs are often used in conjunction with other data collection techniques.
Personal vs. Non-Personal Information
By themselves, cookies and other tracking technology typically do not reveal the actual identity of an individual. When matched with personal information provided by the user (such as registration data), however, the data can be used to create a profile of a specific user. Such information as identifies a user or is linked to information that identifies a user is generally deemed “personal information.” Cookies and other tracking technology enhance the browsing experience by identifying the user with his or her previously selected preferences or activities during earlier visits, which “personalizes” the site for the user’s repeated visits. Important to website operators and their advertisers, such technology also allows Web sites to develop profiles of page views (“hits”) to the site or hit logs, as well as the preferences of individual users. [edit] Customer Proprietary Network Information
Telecommunications carriers must comply with special regulations regarding the use and disclosure of Customer Proprietary Network Information (“CPNI”). CPNI typically includes information contained on phone bills such as usage data, handset information, services used by a customer, and user location information. CPNI does not include customers’ names, addresses and phone number or information derived from their use of information services.
ECPA Terms
The Electronic Communications Privacy Act defines a number of terms which are key to understanding the statute.
Types of Services
Remote Computing Service
The term "remote computing service" ("RCS") is defined by 18 U.S.C. § 2711(2) as "provision to the public of computer storage or processing services by means of an electronic communications system." An "electronic communications system" is "any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications." 18 U.S.C. § 2510(14).
A computer bulletin board service was a “remote computing service.” Steve Jackson Games, Inc. v. U.S. Secret Service, 816 F.Supp. 432, (W.D.Tex. 1993) affirmed 36 F.3d 457. In Viacom v. YouTube, 2008 WL 2627388 (S.D.N.Y. 2008) (slip. at p. 20)[1], the court held that YouTube was a remote computing service (and therefore ECPA prohibits YouTube from "disclosing to plaintiffs the private videos and the data which reveal their contents.")
A district court held that retrieving for subscribers text messages that had been sent over a cell phone communication network constituted a “remote computing service” within the meaning of the subscriber exception to the Stored Communications Act, but was later reversed by the Ninth Circuit. Quon v. Arch Wireless Operating Co., Inc., 445 F.Supp.2d 1116 (C.D.Cal. 2006), rev'd __ F.3d __ (2008)[2] ("Arch Wireless is more appropriately categorized as an ECS than an RCS.").
Electronic Communications Service
Electronic communications service is broadly defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). It is well-settled that ISPs qualify as ECSPs. See In re Doubleclick Inc., Privacy Litig., 154 F. Supp. 2d 497, 511 n. 20 (S.D.N.Y. 2001) (“ISPs such as America Online, Juno and UUNet, as well as, perhaps, the telecommunications companies whose cables and phone lines carry the traffic” are ECSPs); Freedman v. America Online, Inc., 303 F. Supp. 2d 121, 124 (D. Conn. 2004).
Private Providers The “electronic communications service” definition is not limited to services provided to the general public. Hence any corporate office, school or library that offers its employees, students or members the means to access the Internet or otherwise communicate via an electronic network is an ECSP. See, e.g., United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with computerized travel reservation system accessed through separate computer terminals can be an ECSP); Andersen Consulting LLP v. UOP, 991 F.Supp. 1041, 1042 (N.D. Ill. 1998) (Andersen, which has internal e-mail system, is an ECSP). In Sega Enters. Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996), the court held that a video game manufacturer that accessed private e-mail stored on another company's bulletin board service in order to expose copyright infringement was not a provider of electronic communication service. See also State Wide Photocopy v. Tokai Fin. Servs. Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not provider of electronic communication service).
Email Service Providers Email service providers that are not themselves ISPs are still ECSPs. Hall v. Earthlink Network, Inc., 396 F.3d 500, 502 (2nd Cir. 2005) (ISP Earthlink, which also provided e-mail service, was ECSP); FTC v. Netscape Communications Corp., 196 F.R.D. 559, 560 (N.D. Cal. 2000) (noting that Netscape, a provider of e-mail accounts through netscape.net, is a provider of ECS); In re Application of United States for an Order Pursuant to 18 U.S.C. § 2703(D), 157 F. Supp. 2d 286, 289 (S.D.N.Y. 2001) (finding that Microsoft provides electronic communications service through its Web-based email service Hotmail); Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 925 (W.D. Wis. 2002) (same).
Message Boards and Website Similarly, even though not offering Internet access directly, providers of computer “bulletin board services” (“BBSs”) that allow users to post electronic messages are ECSPs. See United States v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003), cert. denied, 538 U.S. 1051 (2003); Guest v. Leis, 255 F.3d 325, 338 (6th Cir. 2001); Davis v. Gracey, 111 F.3d 1472, 1484 (10th Cir. 1997); and Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 458, 462 (5th Cir. 1994). In Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876 (9th Cir. 2002), cert. denied, 537 U.S. 1193 (2003), the Ninth Circuit adopted the parties assumption that the website message board was an ECS. Crowley v. Cybersource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001) (Amazon.com was properly characterized as a user rather than a provider of ECS).
Types of Information
Electronic Communications
See discussion of the definition of electronic communications in the Wiretap Act chapter.
Basic Subscriber Information
18 U.S.C. § 2703(c)(2) lists the categories of basic subscriber information:
(A) name; (B) address; (C) local and long distance telephone connection records, or records of session times and durations; (D) length of service (including start date) and types of service utilized; (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and (F) means and source of payment for such service (including any credit card or bank account number)[.]
Records or Other Information Pertaining to a Customer or Subscriber
18 U.S.C. § 2703(c)(1) covers a second type of information: "a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications)." This is a broad category that includes records that are not contents, including basic subscriber information. This term only applies to retrospective data: "§ 2703 does not authorize a court to enter a prospective order to turn over data as it is captured. Instead, the statute establishes a mechanism for compelling the disclosure of information existing at the time an order is issued and for compelling the preservation of such information in the period before such an order is obtained." In re Application for Pen Register and Trap/Trace Device with Cell Site Location Authority, __ F.Supp.2d __ (EDNY 2005).
Content of Communications
18 U.S.C. § 2510(8) defines "'contents", when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication"). For example, stored e-mails or voice mails are "contents," as are word processing files stored in employee network accounts. The subject headers of e-mails are also contents. See Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (noting that numerical pager messages provide "an unlimited range of number-coded substantive messages" in the course of holding that the interception of pager messages requires compliance with the Wiretap Act). A court has held that the search terms a user transmits to an OSP to be processed into search results are the contents of a communication. In In re United States for an Order Authorizing the Use of Pen Register & Trap, 396 F.Supp.2d 45, 49 (D. Mass. 2005), the court stated:
- A user may visit the Google site. Presumably the pen register would capture the IP address for that site. However, if the user then enters a search phrase, that search phrase would appear in the URL after the first forward slash. This would reveal content -- that is, it would reveal, in the words of the statute, ‘. . . information concerning the substance, purport or meaning of that communication.’ Title 18 U.S.C. § 2510(8). The ‘substance’ and ‘meaning’ of the communication is that the user is conducting a search for information on a particular topic
Electronic Storage
18 U.S.C. § 2510(17) defines "electronic storage" as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof," or in the alternative as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." For example, e-mail that has been received by a recipient's service provider but has not yet been accessed by the recipient is in "electronic storage." See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994); Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 635-36 (E.D. Pa. 2001). In In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 511-12 (S.D.N.Y. 2001), the court held that cookies, which are information stored on a user's computer by a web site and sent back to the web site when the user accesses the web site, fall outside of the definition of "electronic storage" and hence outside of ECPA because of their "long-term residence on plaintiffs' hard drives."
Once an email is downloaded from an ECSP, it remains in electronic storage, but moves to the second prong of the definition - backup storage. See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003), cert. denied, 125 S.Ct. 48 (2004) (finding that “obvious purpose” for storing a message on the provider’s server after delivery is to provide a second copy of the message in the event it needs to be downloaded again).
Web pages can be considered in electronic storage, because a web site's storage of pages can be considered “intermediate” - stored on the ways between those who post messages to the web site and those who download them to their home computers, and is therefore necessary and “incidental” to the transmission of the files to readers.
See also United States v. Councilman.