U.S. Department of Justice - CyberCrime.gov Archived

Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigation Manual

Chapter 4

Electronic Surveillance in Communications Networks

A. Introduction

Criminal investigations often involve real-time electronic surveillance. In computer crime cases, agents may want to monitor a hacker as he breaks into a victim computer system or set up a "cloned" email account to monitor a suspect sending or receiving child pornography. In cases involving cellular telephones, agents may wish to obtain "cell-site" location information for a suspect's cellular telephone to determine the suspect's approximate location at the time of a call. Agents may wish to wiretap a suspect's telephone or learn whom the suspect has called. This chapter explains how the electronic surveillance statutes apply to criminal investigations involving computers and also discusses how to obtain cell-site location information for cellular phones.

Real-time electronic surveillance in federal criminal investigations is governed primarily by two statutes. The first is the federal Wiretap Act, 18 U.S.C. §§ 2510-2522, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (and generally known as "Title III"). The second statute is the Pen Registers and Trap and Trace Devices chapter of Title 18 ("the Pen/Trap statute"), 18 U.S.C. §§ 3121-3127, first passed as part of the Electronic Communications Privacy Act of 1986. Failure to comply with these statutes may result in civil and criminal liability, and in the case of Title III, may also result in suppression of evidence.

B. Content vs. Addressing Information

In general, the Pen/Trap statute regulates the collection of addressing and other non-content information for wire and electronic communications. Title III regulates the collection of actual content of wire and electronic communications.

Title III and the Pen/Trap statute regulate access to different types of information. Title III permits the government to obtain the contents of wire and electronic communications in transmission. In contrast, the Pen/Trap statute concerns the real-time collection of addressing and other non-content information relating to those communications. See 18 U.S.C. § 2511(2)(h)(i) (stating that it is not a violation of Title III to use a pen register or trap and trace device); United States Telecom Ass'n v. FCC, 227 F.3d 450, 453-54 (D.C. Cir. 2000) (contrasting pen registers and Title III intercept devices); Brown v. Waddell, 50 F.3d 285, 289-94 (4th Cir. 1995) (same).

The difference between addressing information and content is clear for telephone calls. The addressing information is the phone numbers of the originating and receiving telephones. The content of the communication is the actual conversation between the parties to the call.

The distinction between addressing information and content also applies to Internet communications. For example, when computers on the Internet communicate with each other, they break down messages into discrete chunks known as packets and then send each packet out to its intended destination. Every packet contains addressing information in the header of the packet (much like the "to" and "from" addresses on an envelope), followed by the payload of the packet, which contains the contents (much like a letter inside an envelope). The Pen/Trap statute permits law enforcement to obtain the addressing information of Internet communications much as it would addressing information for traditional phone calls. However, collecting the entire packet ordinarily implicates Title III. The primary difference between an Internet pen/trap device and an Internet Title III intercept device is that the former is designed to capture and retain only addressing information, while the latter is designed to capture and retain the entire packet.

The same distinction applies to Internet email. Every Internet email message consists of a set of headers that contain addressing and routing information generated by the mail program, followed by the actual contents of the message authored by the sender. The addressing and routing information includes the email address of the sender and recipient, as well as information about when and where the message was sent on its way (roughly analogous to the postmark on a letter). See United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (email to/from addresses and IP addresses constitute addressing information). The Pen/Trap statute permits law enforcement to obtain the header information of Internet emails (except for the subject line, which can contain content) using a court order, just like it permits law enforcement to obtain addressing information for phone calls and individual Internet packets using a court order. Conversely, the interception of email contents, including the subject line, requires compliance with the strict dictates of Title III.
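The header/content split described in the two paragraphs above, as an added example (not taken from the manual or from any government or provider tool): a filter that returns only addressing data from an IPv4 packet and from a raw email message. The header allowlist, the decision to record TCP/UDP ports, the function names, and all sample data are assumptions constructed for illustration.

```python
"""Non-content filter: returns addressing data, never packet payload or message body."""
import re
import socket
import struct
from email.parser import BytesParser

# Assumption: a conservative allowlist. The text only says the subject line is
# excluded; an allowlist also drops headers that can mirror it (e.g. Thread-Topic).
ADDRESSING_HEADERS = {"from", "to", "cc", "date", "received", "message-id"}


def email_addressing(raw: bytes):
    """Return [(name, value)] for allowlisted headers of one raw message."""
    # Cut at the first empty line so the body is never handed to the parser.
    end = re.search(rb"\r?\n\r?\n", raw)
    header_block = raw if end is None else raw[:end.start()] + b"\n"
    msg = BytesParser().parsebytes(header_block, headersonly=True)
    return [(n, str(v)) for n, v in msg.items() if n.lower() in ADDRESSING_HEADERS]


def packet_addressing(pkt: bytes):
    """Return addressing fields of one IPv4 packet; the payload is never copied."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # header length, including IP options
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    record = {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": pkt[9],
    }
    # Ports (an assumption about what counts as addressing) sit in the first
    # 4 bytes of the TCP/UDP header. In a non-first fragment those bytes are
    # payload, so they are decoded only when the fragment offset is zero.
    first_fragment = (frag_field & 0x1FFF) == 0
    if record["proto"] in (6, 17) and first_fragment and len(pkt) >= ihl + 4:
        record["sport"], record["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return record


def sample_packet(frag_field: int = 0) -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses, made-up payload)."""
    payload = b"constructed payload text"
    tcp = struct.pack("!HHIIBBHHH", 49152, 25, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, frag_field,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    return ip + tcp + payload


# Constructed sample message; not a real email.
SAMPLE_EMAIL = (
    b"Received: from mail.example.net (192.0.2.25) by mx.example.org;"
    b" Tue, 02 Jan 2024 10:00:01 +0000\r\n"
    b"From: alice@example.net\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: meeting notes\r\n"
    b"Thread-Topic: meeting notes\r\n"
    b"Date: Tue, 02 Jan 2024 10:00:00 +0000\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"meeting notes are attached\r\n"
)

if __name__ == "__main__":
    print(packet_addressing(sample_packet()))
    print(packet_addressing(sample_packet(frag_field=1)))  # later fragment
    for name, value in email_addressing(SAMPLE_EMAIL):
        print(f"{name}: {value}")
```

A filter that only removed the `Subject` header would still pass `Thread-Topic`, which in the constructed sample repeats the subject text.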

In some circumstances, questions may arise regarding whether particular components of network communications contain content. See In re Application of United States, 396 F. Supp. 2d 45, 49 (D. Mass. 2005) (asserting that uniform resource locators ("URLs") may contain content); In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 16 (1st Cir. 2003) (noting that user-entered search terms are sometimes appended to the query string of the URL for the search results page). Because of these and other issues, the United States Attorneys' Manual currently requires prior consultation with CCIPS before a pen/trap may be used to collect all or part of a URL. See United States Attorneys' Manual § 9-7.500. Prosecutors who have other questions about whether a particular type of information constitutes contents may contact CCIPS for assistance at (202) 514-1026.

C. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127

The Pen/Trap statute authorizes a government attorney to apply to a court for an order authorizing the installation of a pen register and/or trap and trace device if "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 U.S.C. § 3122(b)(2). In rough terms, a pen register records outgoing addressing information (such as a number dialed from a monitored telephone), and a trap and trace device records incoming addressing information (such as caller ID information). The Pen/Trap statute applies to a wide range of communication technologies, including computer network communications. See In re Application of United States, 416 F. Supp. 2d 13, 16 (D.D.C. 2006).

1. Definition of Pen Register and Trap and Trace Device

The Pen/Trap statute defines pen registers and trap and trace devices broadly. As defined in 18 U.S.C. § 3127(3), a "pen register" is

a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication . . . .

The definition of pen register further excludes devices or processes used for billing or cost accounting. See 18 U.S.C. § 3127(3). The statute defines a "trap and trace device" as

a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however that such information shall not include the contents of any communication.

18 U.S.C. § 3127(4). Because Internet headers contain both "to" and "from" information, a device that reads the entire header (minus the subject line in the case of email headers) is both a pen register and a trap and trace device, and it is commonly referred to as a pen/trap device.

The breadth of these definitions results from the scope of their components. First, "an instrument or facility from which a wire or electronic communication is transmitted" encompasses a wide variety of communications technologies, including a non-mobile telephone, a cellular telephone, an Internet user account, an email account, or an IP address. Second, the definitions' inclusion of all "dialing, routing, addressing, [and/or] signaling information" encompasses almost all non-content information in a communication. Third, because the definitions of a pen register and a trap and trace device include both a "device" and a "process," the statute covers software as well as physical devices. Because the definitions are written in broad, technology-neutral language, prosecutors or agents may have questions about whether particular devices constitute pen registers or trap and trace devices, and they should direct any such questions to CCIPS at (202) 514-1026, OEO at (202) 514-6809, or their local CHIP (see Introduction, p. xii).

2. Pen/Trap Orders: Application, Issuance, Service, and Reporting

To obtain a pen/trap order, applicants must identify themselves, identify the law enforcement agency conducting the investigation, and then certify their belief that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by the agency. See 18 U.S.C. § 3122(b)(1)-(2). The issuing court must have jurisdiction over the offense being investigated. See 18 U.S.C. § 3122(a); 18 U.S.C. § 3127(2)(A). So long as the application contains these elements, the statute obligates the court to authorize the installation and use of a pen/trap device anywhere in the United States. See 18 U.S.C. § 3123(a)(1). The court will not conduct an "independent judicial inquiry into the veracity of the attested facts." In re Application of United States, 846 F. Supp. 1555, 1559 (M.D. Fla. 1994). See also United States v. Fregoso, 60 F.3d 1314, 1320 (8th Cir. 1995) ("The judicial role in approving use of trap and trace devices is ministerial in nature.").

A federal pen/trap order can have effect outside the district of the issuing court. In the case of a federal applicant, the order "appl[ies] to any person or entity providing wire or electronic communication service in the United States whose assistance may facilitate the execution of the order." 18 U.S.C. § 3123(a)(1). For example, a federal prosecutor may obtain an order to trace telephone calls made to a particular telephone. The order applies not only to the local carrier serving that line, but also to other providers (such as long-distance carriers and regional carriers in other parts of the country) in the United States through whom calls are placed to the target telephone. Similarly, in the Internet context, a federal prosecutor may obtain an order to trace communications sent to a particular victim computer or IP address. If a hacker is routing communications through a chain of intermediate pass-through computers, the order would apply to each computer in the United States in the chain from the victim to the source of the communications.

The Pen/Trap statute does not require an applicant for a pen/trap order to describe precisely what types of "dialing, routing, addressing, [and/or] signaling information" he or she seeks to obtain. Although one magistrate has ruled that an Internet pen/trap order should contain a list of categories of information that may not be collected, such as email subject lines, see In re Application of United States, 396 F. Supp. 2d 45, 49 (D. Mass. 2005), this requirement is not supported by the statute. One later district court held that such a "do not collect" list is unnecessary. See In re Application of United States, 416 F. Supp. 2d 13, 18 (D.D.C. 2006) (approving Internet pen/trap order seeking specified non-content information, such as originating IP addresses).

The government must also use "technology reasonably available to it" to avoid recording or decoding the contents of any wire or electronic communications. 18 U.S.C. § 3121(c). When there is no way to avoid the inadvertent collection of content through the use of reasonably available technology, DOJ policy requires that the government may not use any inadvertently collected content in its investigation. However, a few courts have gone beyond the statute's requirement that the government use technology reasonably available to it to avoid collecting content. Citing the exclusion of contents from the definitions of pen register and trap and trace device, these courts have stated or implied that the government cannot use pen/trap devices that might collect any content at all. See In re Application of the United States, 2007 WL 3036849, at *8-9 (S.D. Tex. 2007) ("[T]he Pen Register Statute does not permit the Government simply to minimize the effects of its collection of unauthorized content, but instead prohibits the collection of content in the first place."); In re Application of United States, 416 F. Supp. 2d 13, 17 (D.D.C. 2006) ("[T]he Government must ensure that the process used to obtain information about email communications excludes the contents of those communications."). Courts have been particularly likely to take this position in the context of phone pen/trap devices that would collect "post-cut-through dialed digits" because this data can include content that cannot be separated out using reasonably available technology.[1] See In re Applications of United States, 515 F. Supp. 2d 325, 339 (E.D.N.Y. 2007); In re Application of United States, 441 F. Supp. 2d 816, 827 (S.D. Tex. 2006); In re Application of United States, 2007 WL 3036849, at *8-*9 (S.D. Tex. 2007). Because this area of the law is developing rapidly, prosecutors or agents may have questions about current trends, and they may direct any such questions to Mark Eckenwiler, Associate Director, of OEO at (202) 514-6809, CCIPS at (202) 514-1026, or their local CHIP (see Introduction, p. xii).

A pen/trap order may authorize the installation and use of a pen/trap device for up to sixty days and may be extended for additional sixty-day periods. See 18 U.S.C. § 3123(c). The order should direct the provider not to disclose the existence of the pen/trap or the investigation "to any . . . person, unless or until otherwise ordered by the court," 18 U.S.C. § 3123(d)(2), and may order providers of wire or electronic communications service, landlords, custodians, or other persons to furnish all "information, facilities, and technical assistance" necessary to install pen/trap devices unobtrusively and with a minimum of interference with services. 18 U.S.C. § 3124(a), (b). Providers and other persons who are ordered to assist with the installation of pen/trap devices under § 3124 can receive reasonable compensation for reasonable expenses incurred in providing facilities or technical assistance to law enforcement. See 18 U.S.C. § 3124(c). A provider's good faith reliance on a pen/trap order provides a complete defense to any civil or criminal action arising from its assistance in accordance with the order. See 18 U.S.C. § 3124(d), (e).

The Pen/Trap statute does not require the pen/trap application or order to specify all of the providers subject to the order, although the order must specify "the identity, if known, of the person to whom is leased or in whose name is listed the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied." See 18 U.S.C. § 3123(b)(1)(A). To receive a provider's assistance, an investigator simply needs to serve the provider with the order. Upon the provider's request, law enforcement must also provide "written or electronic certification" that the order applies to the provider. See 18 U.S.C. § 3123(a)(1). There are strong practical motivations for this relatively informal process. When prosecutors apply for a pen/trap order, they usually will not know the identity of upstream providers in the chain of communications covered by the order. If law enforcement personnel were required to return to court each time they discovered the identity of a new provider, investigations would be delayed significantly.

The Pen/Trap statute requires record keeping and reporting when law enforcement officers install their own pen/trap device on a packet-switched data network of a provider of electronic communications service to the public. See 18 U.S.C. § 3123(a)(3). In such cases, the agency must maintain a record that identifies: (1) the identity of the officers who installed the device or accessed it to obtain information; (2) the dates and times the device was installed, uninstalled, and accessed to obtain information; (3) the configuration of the device at the time of installation and any subsequent modifications thereof; and (4) the information collected by the device. See 18 U.S.C. § 3123(a)(3)(A). This record must be provided to the court within thirty days after termination of the pen/trap order (including any extensions thereof). See 18 U.S.C. § 3123(a)(3)(B).

Importantly, the limited judicial review of pen/trap orders coexists with a strong enforcement mechanism for violations of the statute. See 18 U.S.C. § 3121(d) (providing criminal penalties for violations of the Pen/Trap statute). As one court has explained,

[t]he salient purpose of requiring the application to the court for an order is to affix personal responsibility for the veracity of the application (i.e., to ensure that the attesting United States Attorney is readily identifiable and legally qualified) and to confirm that the United States Attorney has sworn that the required investigation is in progress. . . . As a form of deterrence and as a guarantee of compliance, the statute provides . . . for a term of imprisonment and a fine as punishment for a violation [of the statute].

In re Application of United States, 846 F. Supp. 1555, 1559 (M.D. Fla. 1994).

The Pen/Trap statute also grants providers of electronic or wire communication service broad authority to use pen/trap devices on their own networks without a court order. 18 U.S.C. § 3121(b) states that providers may use pen/trap devices without a court order

(1) relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or

(2) to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service; or

(3) where the consent of the user of that service has been obtained.

18 U.S.C. § 3121(b).

3. Emergency Pen/Traps

The Pen/Trap statute authorizes the installation and use of a pen/trap without a court order in emergency situations involving: (1) immediate danger of death or serious bodily injury to any person; (2) conspiratorial activities characteristic of organized crime; (3) an immediate threat to a national security interest; or (4) an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030(e)(2)) that constitutes a crime punishable by a term of imprisonment greater than one year. See 18 U.S.C. § 3125(a)(1). The installation and use of an emergency pen/trap requires approval at least at the Deputy Assistant Attorney General level, or by the principal prosecuting attorney of any state or subdivision thereof who is acting pursuant to a state statute. See 18 U.S.C. § 3125(a). In order to authorize an emergency pen/trap, the relevant official must reasonably determine that (1) a specified emergency situation requires the installation and use of the pen/trap device before an order authorizing such installation and use can, with due diligence, be obtained, and (2) there are grounds upon which a pen/trap order could be entered to authorize the installation and use. See 18 U.S.C. § 3125(a). For assistance in seeking an emergency pen/trap authorization during regular business hours, contact OEO at (202) 514-6809 and ask to speak to a supervisor in the electronic surveillance unit. Outside of regular business hours, contact the DOJ Command Center at (202) 514-5000.

A court order authorizing the installation and use of the emergency pen/trap device must be sought within 48 hours after its installation and use. See 18 U.S.C. § 3125(a), (c). In the absence of such an order, the use of the emergency pen/trap device must immediately terminate when the earliest of these events occurs: (i) the information sought is obtained, (ii) the application for the order is denied, or (iii) 48 hours have lapsed since the installation of the pen/trap device. 18 U.S.C. § 3125(b).

4. The Pen/Trap Statute and Cell-Site Information

Cell-site data identifies the antenna tower and, in some cases, the 120-degree face of the tower to which a cell phone is connected at the beginning and end of each call made or received by a cell phone. "These towers can be up to 10 or more miles apart in rural areas and may be up to a half-mile or more apart even in urban areas." In re Application of United States, 405 F. Supp. 2d 435, 449 (S.D.N.Y. 2005). Thus, at best, this data reveals the neighborhood in which a cell phone user is located at the time a call starts and at the time it terminates; it does not provide continuous tracking and is not a virtual map of a cell phone user's movements. Despite its relative lack of precision, cell-site information is an important investigatory tool that can help law enforcement determine where to establish physical surveillance and locate kidnapping victims, fugitives, and targets of criminal investigations. This section discusses using the combined authority of the Pen/Trap statute and 18 U.S.C. § 2703(d) to obtain prospective cell-site data. For a discussion of how to obtain historical cell-site data, see Chapter 3.

In most districts, investigators may obtain prospective cell-site information through an application that satisfies both the Pen/Trap statute and 18 U.S.C. § 2703(d). The rationale behind this "hybrid" use of the Pen/Trap statute and § 2703(d) is as follows. Cell-site data is "dialing, routing, addressing, or signaling information," and therefore 18 U.S.C. § 3121(a) requires the government to obtain a pen/trap order to acquire this information. However, the Communications Assistance for Law Enforcement Act of 1994 ("CALEA") precludes the government from relying "solely" on the authority of the Pen/Trap statute to obtain cell-site data for a cell phone subscriber. 47 U.S.C. § 1002(a). Thus, some additional authority is required to obtain prospective cell-site information. Section 2703(d) provides this authority because, as discussed in Chapter 3, supra, it authorizes the government to use a court order to obtain all non-content information pertaining to a customer or subscriber of an electronic communication service.

When seeking a hybrid order for prospective cell-site information, prosecutors must satisfy the requirements of both the Pen/Trap statute and 18 U.S.C. § 2703(d). This application should contain: (i) a government attorney's affirmation "that the information likely to be obtained is relevant to an ongoing criminal investigation," 18 U.S.C. § 3122, and (ii) a further demonstration by the government attorney of "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." 18 U.S.C. § 2703(d). Hybrid orders otherwise generally follow the procedures for pen/trap orders.

District courts and magistrate judges have split on whether hybrid orders may be used to compel disclosure of prospective cell-site information. Compare In re Application of United States, 2008 WL 5082506 (E.D.N.Y. 2008) (upholding hybrid orders for cell-site information), In re Application of United States, 460 F. Supp. 2d 448, 462 (S.D.N.Y. 2006) (same), and In re Application of United States, 433 F. Supp. 2d 804, 806 (S.D. Tex. 2006) (same), with In re Application of United States, 416 F. Supp. 2d 390, 396-97 (D. Md. 2006) (rejecting hybrid orders), and In re Application of United States, 396 F. Supp. 2d 294, 327 (E.D.N.Y. 2005) (same). Courts that have rejected hybrid orders for prospective cell-site information have generally required the government to obtain a warrant to compel its disclosure. See, e.g., In re Application of United States, 416 F. Supp. 2d at 397. Most of these courts have not held that a warrant is constitutionally required to obtain prospective cell-site information. Instead, they have held that as a matter of statutory construction, the Pen/Trap statute and 18 U.S.C. § 2703(d) cannot be used to obtain prospective cell-site information, and that Rule 41 can be used because it "governs any matter in which the government seeks judicial authorization to engage in certain investigative activities." In re Application of United States, 396 F. Supp. 2d at 322. Because this area of the law is developing rapidly, prosecutors or agents may have questions about current trends in different districts, and they should direct any such questions to John Lynch, Deputy Chief for Computer Crime, of CCIPS at (202) 514-1026, Mark Eckenwiler, Associate Director, of OEO at (202) 514-6809, or their local CHIP (see Introduction, p. xii).

D. The Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522

1. Introduction: The General Prohibition

Since its enactment in 1968 and amendment in 1986, Title III has provided the statutory framework that governs real-time electronic surveillance of the contents of communications. When agents want to wiretap a suspect's phone, monitor a hacker breaking into a computer system, or accept the fruits of wiretapping by a private citizen who has discovered evidence of a crime, the agents first must consider the implications of Title III.

The structure of Title III is surprisingly simple. The statute's drafters assumed that every private communication could be modeled as a two-way exchange between two participating parties, such as a telephone call between A and B. At a fundamental level, the statute prohibits using an electronic, mechanical, or other device to intercept private wire, oral, or electronic communications between the parties unless one of several statutory exceptions applies. See 18 U.S.C. §§ 2510(4), 2511(1). Importantly, this prohibition is quite broad. Unlike some privacy laws that regulate only certain cases or specific places, Title III expansively prohibits eavesdropping (subject to certain exceptions and interstate requirements) essentially everywhere by anyone in the United States. Whether investigators want to conduct surveillance at a home, at a workplace, in government offices, in prison, or on the Internet, they must almost invariably make sure that the monitoring complies with Title III's prohibitions.

The questions that agents and prosecutors must ask to ensure compliance with Title III are straightforward, at least in form:

1) Is the communication to be monitored one of the protected communications defined in 18 U.S.C. § 2510?

2) Will the proposed surveillance lead to an "interception" of the communications?

3) If the answer to the first two questions is "yes," does a statutory exception apply that permits the interception?

2. Key Phrases

Title III broadly prohibits the "interception" of "oral communications," "wire communications," and "electronic communications." These phrases are defined by the statute. See 18 U.S.C. §§ 2510(1), (2), (4), (12). In computer crime cases, agents and prosecutors planning electronic surveillance must understand the definition of "wire communication," "electronic communication," and "intercept." Surveillance of oral communications rarely arises in computer crime cases and will not be addressed directly here. Agents and prosecutors requiring assistance in cases involving oral communications should contact OEO at (202) 514-6809.

"Wire communication"

In general, telephone conversations are wire communications.

Title III defines "wire communication" as

any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce.

18 U.S.C. § 2510(1).

Within this complicated definition, the most important requirement is that the content of the communication must include the human voice. See § 2510(18) (defining "aural transfer" as "a transfer containing the human voice at any point between and including the point of origin and the point of reception"). If a communication does not contain a human voice, either alone or in a group conversation, then it is not a wire communication. See S. Rep. No. 99-541, at 12 (1986), reprinted in 1986 U.S.C.C.A.N. 3555; United States v. Torres, 751 F.2d 875, 885-86 (7th Cir. 1984) (concluding that "silent television surveillance" cannot lead to an interception of wire communications under Title III because no aural acquisition occurs).

The additional requirement that wire communications must be sent "in whole or in part . . . by the aid of wire, cable, or other like connection" presents a fairly low hurdle. So long as the signal travels through wire at some point along its route between the point of origin and the point of reception, the requirement is satisfied. For example, all voice telephone transmissions, including those from satellite signals and cellular phones, qualify as wire communications. See H.R. Rep. No. 99-647, at 35 (1986). Because such transmissions are carried by wire within switching stations, they are expressly included in the definition of wire communication. See In re Application of United States, 349 F.3d 1132, 1138 n.12 (9th Cir. 2003) (cell phone communications are considered wire communications under Title III). Importantly, the presence of wires inside equipment at the sending or receiving end of a communication (such as an individual cellular phone) does not satisfy the requirement that a communication be sent "in part" by wire. The wire must transmit the communication "to a significant extent" along the path of transmission, outside of the equipment that sends or receives the communication. H.R. Rep. No. 99-647, at 35 (1986).

"Electronic communication"

Most Internet communications (including email) are electronic communications.

Title III originally covered only wire and oral communications, but Congress amended it in 1986 to include "electronic communications," defined as

any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include--

(A) any wire or oral communication;

(B) any communication made through a tone-only paging device;

(C) any communication from a tracking device . . . ; or

(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds.

18 U.S.C. § 2510(12).

As the definition suggests, "electronic communication" is a broad, catch-all category. See United States v. Herring, 993 F.2d 784, 787 (11th Cir. 1993). "As a rule, a communication is an electronic communication if it is neither carried by sound waves nor can fairly be characterized as one containing the human voice (carried in part by wire)." H.R. Rep. No. 99-647, at 35 (1986). Most electric or electronic signals that do not fit the definition of wire communications qualify as electronic communications. For example, almost all Internet communications qualify as electronic communications. See, e.g., Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876 (9th Cir. 2002) ("document" transmitted from web server); In re Application of United States, 416 F. Supp. 2d 13, 16 (D.D.C. 2006) ("there can be no doubt that [§ 2510(12)] is broad enough to encompass email communications and other similar signals transmitted over the Internet").

However, at least one district court has held that transmissions that occur within a single computer--such as the transmission of keystrokes from the keyboard to the central processing unit--are not "electronic communications" within the meaning of Title III. See United States v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004). In Ropp, the defendant placed a piece of hardware between the victim's computer and her keyboard that recorded the signals transmitted between the two. Id. at 831. The court found that the acquired communications were not "electronic communications" because "the communications in question involved preparation of emails and other communications, but were not themselves emails or any other communication at the time of the interception." Id. at 835 n.1. Because the court found that the typing was a communication within the victim's own computer, it reasoned that "[a]t the time of interception, [the communications] no more affected interstate commerce than a letter, placed in a stamped envelope, that has not yet been mailed." Id. The court further stated that the acquired keystrokes could not be an "electronic communication" under Title III because these transmissions were not made by a "system that affects interstate or foreign commerce." Id. at 837. In the court's view, a computer is not a "system that affects interstate or foreign commerce" simply by virtue of the fact that it is connected to the Internet or to another external network at the time of the electronic transmission; rather, the relevant inquiry is whether the computer's network connection was involved in the transmission. See id. at 837-38. At least one court has criticized Ropp on the ground that it "seems to read the statute as requiring the communication to be traveling in interstate commerce, rather than merely 'affecting' interstate commerce." Potter v. Havlicek, 2007 WL 539534, at *8 (S.D. Ohio Feb. 14, 2007). The court explained that "keystrokes that send a message off into interstate commerce 'affect' interstate commerce." Id.

Notwithstanding the Ropp decision, investigators should use caution whenever they acquire the contents of communications on computers or internal networks in real time. For additional discussion of the statute and relevant legislative history as it relates to the meaning of "electronic communication," see U.S. Department of Justice, Prosecuting Computer Crimes (Office of Legal Education 2007), section II.A.4. Agents and prosecutors may call CCIPS at (202) 514-1026, OEO at (202) 514-6809, or the CHIP within their district (see Introduction, p. xii) for additional guidance in specific cases.

"Intercept"

The structure and language of the SCA and Title III require that the term "intercept" be applied only to communications acquired contemporaneously with their transmission.

Title III defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4). The statutory definition of "intercept" does not explicitly require that the "acquisition" of the communication be contemporaneous with the transmission of the communication. However, a contemporaneity requirement is necessary to maintain the proper relationship between Title III and the SCA's restrictions on access to stored communications. Otherwise, for example, a Title III order could be required to obtain unretrieved email from a service provider.

Most courts have held that both wire and electronic communications are "intercepted" within the meaning of Title III only when such communications are acquired contemporaneously with their transmission. An individual who obtains access to a stored copy of the communication does not "intercept" the communication. See, e.g., Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 460-63 (5th Cir. 1994) (access to stored email communications); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113-14 (3d Cir. 2003) (same); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876-79 (9th Cir. 2002) (website); United States v. Steiger, 318 F.3d 1039, 1047-50 (11th Cir. 2003) (files stored on hard drive); United States v. Mercado-Nava, 486 F. Supp. 2d 1271, 1279 (D. Kan. 2007) (numbers stored in cell phone); United States v. Jones, 451 F. Supp. 2d 71, 75 (D.D.C. 2006) (text messages); United States v. Reyes, 922 F. Supp. 818, 836-37 (S.D.N.Y. 1996) (pager communications); Bohach v. City of Reno, 932 F. Supp. 1232, 1235-36 (D. Nev. 1996) (same). However, the First Circuit has suggested that the contemporaneity requirement, which was developed during the era of telephone wiretaps, "may not be apt to address issues involving the application of the Wiretap Act to electronic communications." United States v. Councilman, 418 F.3d 67, 79-80 (1st Cir. 2005) (en banc) (citing In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 21 (1st Cir. 2003)); see also Potter v. Havlicek, 2007 WL 539534, at *6-7 (S.D. Ohio Feb. 14, 2007) (finding "substantial likelihood" that the Sixth Circuit will find the contemporaneity requirement does not apply to electronic communications).

Notably, there is some disagreement between circuits about whether a computer communication is "intercepted" within the meaning of Title III if it is acquired while in "electronic storage," as defined in 18 U.S.C. § 2510(17). The Ninth Circuit has held that in order for a communication to be "intercepted" within the meaning of Title III, "it must be acquired during transmission, not while it is in electronic storage." See Konop, 302 F.3d at 878. The unstated implication of this holding is that communications in electronic storage are necessarily not in transmission. The First Circuit has held, however, that email messages are intercepted within the meaning of Title III when they are acquired while in "transient electronic storage that is intrinsic to the communication process." United States v. Councilman, 418 F.3d 67, 85 (1st Cir. 2005) (en banc). In so holding, the court suggested that an electronic communication can be in "electronic storage" and in transmission at the same time. See id. at 79. Exactly how close in time an acquisition must be to a transmission remains an open question. It is clear that "contemporaneous" does not mean "simultaneous." However, the Eleventh Circuit suggested that "contemporaneous" must equate with a communication "in flight." United States v. Steiger, 318 F.3d 1039, 1050 (11th Cir. 2003). By contrast, the First Circuit held the contemporaneity requirement could be read simply to exclude acquisitions "made a substantial amount of time after material was put into electronic storage." In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 21 (1st Cir. 2003).

3. Exceptions to Title III's Prohibition

Title III broadly prohibits the intentional interception, use, or disclosure[2] of wire and electronic communications unless a statutory exception applies. See 18 U.S.C. § 2511(1). In general, this prohibition bars third parties (including the government) from wiretapping telephones and installing electronic "sniffers" that read Internet traffic.

The breadth of Title III's prohibition means that the legality of most surveillance techniques under Title III depends upon the applicability of a statutory exception. Title III contains dozens of exceptions that may or may not apply in hundreds of different situations. In cases involving computer crimes or computer evidence, however, seven exceptions are especially pertinent:

a. interception pursuant to a § 2518 court order;

b. the 'consent' exceptions, § 2511(2)(c)-(d);

c. the 'provider' exception, § 2511(2)(a)(i);

d. the 'computer trespasser' exception, § 2511(2)(i);

e. the 'extension telephone' exception, § 2510(5)(a);

f. the 'inadvertently obtained criminal evidence' exception, § 2511(3)(b)(iv); and

g. the 'accessible to the public' exception, § 2511(2)(g)(i).

a. Interception Authorized by a Title III Order, 18 U.S.C. § 2518

Title III permits law enforcement to intercept wire and electronic communications pursuant to a court order under 18 U.S.C. § 2518 (a "Title III order"). High-level Justice Department approval is required for federal Title III applications, by statute in the case of wire communications, see 18 U.S.C. § 2516(1), and by Justice Department policy in the case of electronic communications (except for numeric pagers). See United States Attorneys' Manual § 9-7.100. When authorized by the Justice Department and signed by a United States district court or court of appeals judge, a Title III order permits law enforcement to intercept communications for up to thirty days. See 18 U.S.C. § 2518(5).

Title III imposes several formidable requirements that must be satisfied before investigators can obtain a Title III order. See 18 U.S.C. §§ 2516-2518. Most importantly, the application for the order must show probable cause to believe that the interception will reveal evidence of a predicate felony offense listed in § 2516. See § 2518(3)(a)-(b). For federal agents, the predicate felony offense must be one of the crimes specifically enumerated in § 2516(1)(a)-(s) to intercept wire communications, or any federal felony to intercept electronic communications. See 18 U.S.C. § 2516(3). The predicate crimes for state investigations are listed in 18 U.S.C. § 2516(2). The application for a Title III order also (1) must show that normal investigative procedures have been tried and failed, or reasonably appear to be unlikely to succeed or to be too dangerous, see § 2518(1)(c); and (2) must show that the surveillance will be conducted in a way that minimizes the interception of communications that do not provide evidence of a crime. See § 2518(5).

For comprehensive guidance on the requirements of 18 U.S.C. § 2518, agents and prosecutors should consult the Electronic Surveillance Unit of OEO at (202) 514-6809.

b. Consent of a Party to the Communication, 18 U.S.C. § 2511(2)(c)-(d)

The consent exceptions under paragraphs 2511(2)(c) and (d) are perhaps the most frequently used exceptions to Title III's general prohibition on intercepting communications. The first consent exception applies to those acting under color of law:

It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception.

18 U.S.C. § 2511(2)(c). Under Title III, government employees are not "acting under color of law" merely because they are government employees. See Thomas v. Pearl, 998 F.2d 447, 451 (7th Cir. 1993). Whether a person is acting under color of law under Title III depends on whether the individual was acting at the government's direction when conducting the interception. See United States v. Andreas, 216 F.3d 645, 660 (7th Cir. 2000); United States v. Craig, 573 F.2d 455, 476 (7th Cir. 1977); see also Obron Atlantic Corp. v. Barr, 990 F.2d 861, 864 (6th Cir. 1993); United States v. Tousant, 619 F.2d 810, 813 (9th Cir. 1980).

The second consent exception applies more generally:

It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.

18 U.S.C. § 2511(2)(d). A criminal or tortious purpose must be a purpose other than merely to intercept the communication to which the individual is a party. See Roberts v. Americable Int'l, Inc., 883 F. Supp. 499, 503 (E.D. Cal. 1995).

In general, both of these provisions authorize the interception of communications when one of the parties to the communication consents to the interception.[3] For example, if an undercover government agent or informant records a telephone conversation between herself and a suspect, her consent to the recording authorizes the interception.[4] See, e.g., Obron Atlantic Corp. v. Barr, 990 F.2d 861, 863-64 (6th Cir. 1993) (relying on § 2511(2)(c)). Similarly, if a private person records her own telephone conversations with others, her consent authorizes the interception unless the commission of a criminal or tortious act was at least a determinative factor in her motivation for intercepting the communication. See United States v. Cassiere, 4 F.3d 1006, 1021 (1st Cir. 1993) (interpreting § 2511(2)(d)).

Courts have provided additional guidance about who constitutes a "party." For example, a police officer executing a warrant who answers the phone and pretends to be the defendant is a party to the communication. See United States v. Campagnuolo, 592 F.2d 852, 863 (5th Cir. 1979). At least one court has held that someone whose presence is known to other communicants may be a party, even if the communicants do not address her, nor she them. See United States v. Tzakis, 736 F.2d 867, 871-72 (2d Cir. 1984).

Consent under subsections 2511(2)(c) and (d) may be express or implied. See United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987). The key to establishing implied consent in most cases is showing that the consenting party received actual notice of the monitoring and used the monitored system anyway. See United States v. Workman, 80 F.3d 688, 693 (2d Cir. 1996); Griggs-Ryan v. Smith, 904 F.2d 112, 116-17 (1st Cir. 1990) ("[I]mplied consent is consent in fact which is inferred from surrounding circumstances indicating that the party knowingly agreed to the surveillance.") (internal quotations omitted); Berry v. Funk, 146 F.3d 1003, 1011 (D.C. Cir. 1998) ("Without actual notice, consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception.") (internal quotation marks omitted). However, consent must be "actual" rather than "constructive." See In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 19-20 (1st Cir. 2003) (citing cases). Proof of notice to the party generally supports the conclusion that the party knew of the monitoring. See Workman, 80 F.3d at 693; but see Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir. 1992) (finding lack of consent despite notice of possibility of monitoring). Absent proof of notice, the government must "convincingly" show that the party knew about the interception based on surrounding circumstances in order to support a finding of implied consent. United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 1995), abrogated on other grounds by United States v. Watts, 519 U.S. 148 (1997). Mere knowledge of the capability of monitoring does not imply consent. Watkins v. L. M. Berry & Co., 704 F.2d 577, 581 (11th Cir. 1983).

i. Bannering and Consent

Monitoring use of a computer network does not violate Title III after users view an appropriate network banner informing them that use of the network constitutes consent to monitoring.

In computer cases, a network banner alerting the user that communications on the network are monitored and intercepted may be used to demonstrate that a user consented to intercepting communications on that network. A banner is a posted notice informing users as they log on to a network that their use may be monitored, and that subsequent use of the system constitutes consent to the monitoring. Often, a user must click to consent to the terms of the banner before gaining further access to the system; such a user has explicitly consented to the monitoring of her communications. Even if no clicking is required, a user who sees the banner before logging on to the network has received notice of the monitoring. By using the network in light of the notice, the user impliedly consents to monitoring pursuant to 18 U.S.C. § 2511(2)(c)-(d). Numerous courts have held that explicit notices that prison telephones would be monitored generated consent to monitor inmates' calls. See United States v. Conley, 531 F.3d 56, 58-59 (1st Cir. 2008); United States v. Verdin-Garcia, 516 F.3d 884, 894-95 (10th Cir. 2008); United States v. Workman, 80 F.3d 688, 693-94 (2d Cir. 1996); United States v. Amen, 831 F.2d 373, 379 (2d Cir. 1987). In the computer context, one court rejected an employee's challenge to his employer's remote monitoring of his Internet activity based on a banner authorizing the employer to "monitor communications transmitted" by the employee. United States v. Greiner, 2007 WL 2261642, at *1 (9th Cir. 2007).

The scope of consent generated by a banner generally depends on the banner's language: network banners are not "one size fits all." A narrowly worded banner may authorize only some kinds of monitoring; a broadly worded banner may permit monitoring in many circumstances for many reasons. For example, a sensitive Department of Defense computer network might require a broad banner, while a state university network used by professors and students could use a narrow one. Appendix A contains several sample banners that reflect a range of approaches to network monitoring.

In addition to banners, there are also other ways to show that a computer user has impliedly consented to monitoring of network activity. For example, terms of service agreements and computer use policies may contain language showing that network users have consented to monitoring. See, e.g., United States v. Angevine, 281 F.3d 1130, 1132-34 (10th Cir. 2002) (university's computer use policy stated, inter alia, that the university would periodically monitor network traffic); United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (government employer's Internet usage policy stated that employer would periodically monitor users' Internet access as deemed appropriate); Borninski v. Williamson, 2005 WL 1206872, at *13 (N.D. Tex. May 17, 2005) (employee signed Application for Internet Access, which stated that use of system implied consent to monitoring).

ii. Who is a "Party to the Communication" in a Network Intrusion?

Sections 2511(2)(c) and (d) permit any "person" who is a "party to the communication" to consent to monitoring of that communication. In the case of wire communications, a "party to the communication" is usually easy to identify. For example, either conversant in a two-way telephone conversation is a party to the communication. See, e.g., United States v. Davis, 1 F.3d 1014, 1016 (10th Cir. 1993). In a computer network environment, by contrast, the simple framework of a two-way communication between two parties may break down. When a hacker launches an attack against a computer network, for example, he may route the attack through a handful of compromised computer systems before directing the attack at a final victim. At times, the ultimate destination of the hacker's communications may be unclear. Finding a "person" who is a "party to the communication"--other than the hacker himself, of course--can therefore be difficult. Because of these difficulties, agents and prosecutors should adopt a cautious approach to the "party to the communication" consent exception. In hacking cases, the computer trespasser exception discussed in subsection (d) below may provide a more certain basis for monitoring communications.

The owner of a computer system may satisfy the "party to the communication" language when a user sends a command or communication to the owner's system. See United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (stating that the consent exception of § 2511(2)(d) authorizes monitoring of computer system misuse because the owner of the computer system is a party to the communication); United States v. Seidlitz, 589 F.2d 152, 158 (4th Cir. 1978) (concluding in dicta that a company that leased and maintained a compromised computer system was "for all intents and purposes a party to the communications" when company employees intercepted intrusions into the system from an unauthorized user using a supervisor's hijacked account).

c. The Provider Exception, 18 U.S.C. § 2511(2)(a)(i)

Employees or agents of communications service providers may intercept and disclose communications to protect the providers' rights or property. For example, system administrators of computer networks generally may monitor hackers intruding into their networks and then disclose the fruits of monitoring to law enforcement without violating Title III. This privilege belongs to the provider alone, however, and cannot be exercised by law enforcement. Once the provider has communicated with law enforcement, the computer trespasser exception may provide a surer basis for monitoring by law enforcement.

Title III permits

an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

18 U.S.C. § 2511(2)(a)(i).

The "rights or property of the provider" clause of § 2511(2)(a)(i) grants providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service." United States v. Villanueva, 32 F. Supp. 2d 635, 639 (S.D.N.Y. 1998). For example, employees of a cellular phone company may intercept communications from an illegally "cloned" cell phone in the course of locating its source. See United States v. Pervaz, 118 F.3d 1, 5 (1st Cir. 1997). The exception also permits providers to monitor misuse of a system in order to protect the system from damage or invasions of privacy. For example, system administrators can track intruders within their networks in order to prevent further damage. See Mullins, 992 F.2d at 1478 (need to monitor misuse of computer system justified interception of electronic communications pursuant to § 2511(2)(a)(i)).

Importantly, the rights and property clause of the provider exception does not permit providers to conduct unlimited monitoring. See United States v. Auler, 539 F.2d 642, 646 (7th Cir. 1976). Instead, the exception permits providers and their agents to conduct reasonable monitoring that balances the providers' needs to protect their rights and property with their subscribers' right to privacy in their communications. See United States v. Harvey, 540 F.2d 1345, 1351 (8th Cir. 1976) ("The federal courts . . . have construed the statute to impose a standard of reasonableness upon the investigating communication carrier."); United States v. Councilman, 418 F.3d 67, 82 (1st Cir. 2005) ("indisputable" that provider exception did not permit provider to read customer email when done in the hope of gaining a commercial advantage).

Thus, providers investigating unauthorized use of their systems have broad authority to monitor and disclose evidence of unauthorized use under § 2511(2)(a)(i), but should attempt to tailor their monitoring and disclosure to that which is reasonably related to the purpose of the monitoring. See, e.g., United States v. Freeman, 524 F.2d 337, 341 (7th Cir. 1975) (phone company investigating use of illegal devices designed to steal long-distance service acted permissibly under § 2511(2)(a)(i) when it intercepted the first two minutes of every illegal conversation but did not intercept legitimately authorized communications). Expressed another way, there should be a "substantial nexus" between the monitoring and the threat to the provider's rights or property. United States v. McLaren, 957 F. Supp. 215, 219 (M.D. Fla. 1997); see also Bubis v. United States, 384 F.2d 643, 648 (9th Cir. 1967) (interpreting Title III's predecessor statute, 47 U.S.C. § 605, and holding impermissible provider monitoring to convict blue box user of interstate transmission of wagering information).

Agents and prosecutors should refrain from using the provider exception to satisfy law enforcement needs that lack a substantial nexus with the protection of the provider's rights and property. Although the exception permits providers to intercept and disclose communications to law enforcement to protect their rights or property, see Harvey, 540 F.2d at 1352, it does not permit law enforcement officers to direct or ask system administrators to monitor for law enforcement purposes. Where a service provider supplies a communication to law enforcement that was intercepted pursuant to the rights and property exception, courts have scrutinized whether the service provider was acting as an agent of the government when intercepting communications. For example, in McClelland v. McGrath, 31 F. Supp. 2d 616 (N.D. Ill. 1998), a user of a cloned cellular telephone sued police officers for allegedly violating Title III by asking the telephone company to intercept his calls in connection with a kidnapping investigation. In denying in part the officers' motion for summary judgment, the district court found that a genuine issue of material fact existed as to whether the phone company was impermissibly acting as the government's agent when it intercepted the plaintiff's call. See id. at 618-19. The court held that the officers were not free to ask or direct the service provider to intercept any phone calls or disclose their contents without complying with the judicial authorization provisions of Title III, regardless of whether the service provider was entitled to intercept those calls on its own initiative. See id.; see also United States v. McLaren, 957 F. Supp. at 218-19. However, if the provider's interception of communications pursuant to the rights and property clause preceded law enforcement's involvement in the matter, no agency existed at the time of the interception, and the provider exception applies. See United States v. Pervaz, 118 F.3d 1, 5-6 (1st Cir. 1997).

In light of such difficulties, agents and prosecutors should adopt a cautious approach to accepting the fruits of future monitoring conducted by providers under the provider exception. (As discussed below, law enforcement may be able to avoid this problem by reliance on the computer trespasser exception.) Law enforcement agents generally should feel free to accept the fruits of monitoring that a provider collected pursuant to § 2511(2)(a)(i) prior to communicating with law enforcement about the suspected criminal activity. After law enforcement and the provider have communicated with each other, however, the cautious approach is to only accept the fruits of a provider's monitoring if certain criteria have been met that indicate that the provider is monitoring and disclosing to protect its rights or property. These criteria are: (1) the provider's rights and property are clearly implicated, and the provider affirmatively wishes both to intercept and to disclose to protect its rights or property, (2) law enforcement verifies that the provider's intercepting and disclosure was motivated by the provider's wish to protect its rights or property, rather than to assist law enforcement, (3) law enforcement has not tasked, directed, requested, or coached the monitoring for law enforcement purposes, and (4) law enforcement does not participate in or control the actual monitoring that occurs. Although not required by law, it is highly recommended that agents obtain a written document from the private provider indicating the provider's understanding of its rights and its desire to monitor and disclose to protect its rights or property. Review by a CHIP or CCIPS attorney is also recommended. By following these procedures, agents can greatly reduce the risk that any provider monitoring and disclosure will exceed the acceptable limits of § 2511(2)(a)(i). A sample provider letter appears in Appendix G.

The computer trespasser exception, discussed in subsection (d) below, was created in part to enable law enforcement to avoid the need to rely on prospective monitoring by a provider under the rights and property exception. It is important for agents and prosecutors to keep in mind that the computer trespasser exception will in certain cases offer a more reliable basis than the provider exception for monitoring an intruder once the provider has communicated with law enforcement.

Law enforcement involvement in provider monitoring of government networks creates special problems. Because the lines of authority often blur, law enforcement agents should exercise special care.

The rationale of the provider exception presupposes that a sharp line exists between providers and law enforcement officers. Under this scheme, providers are concerned with protecting their networks from abuse, and law enforcement officers are concerned with investigating crime and prosecuting wrongdoers. This line can seem to break down, however, when the network to be protected belongs to an agency or branch of the government. For example, federal government entities such as NASA, the Postal Service, and the military services have both massive computer networks and considerable law enforcement presences (within both military criminal investigative services and civilian agencies' Inspectors General offices). Because law enforcement officers and system administrators within the government generally consider themselves united in having their agency's best interests in mind, it is possible that law enforcement agents will consider relying upon provider monitoring, justifying it under the protection of the provider's "rights or property." Although the courts have not addressed the viability of this theory of provider monitoring, such an interpretation, at least in its broadest form, may be difficult to reconcile with some of the cases interpreting the provider exception. See, e.g., McLaren, 957 F. Supp. at 219. CCIPS counsels a cautious approach: agents and prosecutors should assume that the courts interpreting § 2511(2)(a)(i) in the government network context will enforce the same boundary between law enforcement and provider interests that they have enforced in the case of private networks. See, e.g., United States v. Savage, 564 F.2d 728, 731 (5th Cir. 1977); McClelland, 31 F. Supp. 2d at 619. Accordingly, a high degree of caution is appropriate when law enforcement agents wish to accept the fruits of monitoring under the provider exception from a government provider. Agents and prosecutors may call CCIPS at (202) 514-1026 or the CHIP within their district (see Introduction, p. xii) for additional guidance in specific cases.

The "normal course of his employment" and "necessary to the rendition of his service" clauses of § 2511(2)(a)(i) provide additional contexts in which the provider exception applies. Courts have held that the first of these exceptions authorizes a business to receive email sent to an account provided by the business to a former employee or to an account associated with a newly acquired business. See Freedom Calls Found. v. Bukstel, 2006 WL 845509, at *27 (E.D.N.Y. 2006) (employer entitled in the normal course of business to intercept emails sent to account of former employee because, inter alia, "monitoring is necessary to ensure that . . . email messages are answered in a timely fashion"); Ideal Aerosmith, Inc. v. Acutronic USA, Inc., 2007 WL 4394447, at *5-6 (E.D. Pa. 2007) (corporation entitled in the normal course of business to intercept emails sent to business it acquired). The "necessary to the rendition of his service" clause permits providers to intercept, use, or disclose communications in the ordinary course of business when the interception is unavoidable. See United States v. New York Tel. Co., 434 U.S. 159, 168 n.13 (1977) (noting that § 2511(2)(a)(i) "excludes all normal telephone company business practices" from the prohibition of Title III). These cases generally arose when analog phone lines were in use. For example, a switchboard operator may briefly overhear conversations when connecting calls. See, e.g., Savage, 564 F.2d at 731-32; Adams v. Sumner, 39 F.3d 933, 935 (9th Cir. 1994). Similarly, repairmen may overhear snippets of conversations in the course of repairs. See United States v. Ross, 713 F.2d 389, 392 (8th Cir. 1983). These cases concerning wire communications suggest that the "necessary incident to the rendition of his service" language would likewise permit a system administrator to intercept communications in the course of repairing or maintaining a computer network.

d. The Computer Trespasser Exception, 18 U.S.C. § 2511(2)(i)

Title III allows victims of computer attacks to authorize persons "acting under color of law" to monitor trespassers on their computer systems. Specifically, the computer trespasser exception provides:

It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer, if--

(I) the owner or operator of the protected computer authorizes the interception of the computer trespasser's communications on the protected computer;

(II) the person acting under color of law is lawfully engaged in an investigation;

(III) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation; and

(IV) such interception does not acquire communications other than those transmitted to or from the computer trespasser.

18 U.S.C. § 2511(2)(i).

A "computer trespasser" is defined in 18 U.S.C. § 2510(21) to include any person who accesses a "protected computer" without authorization, provided the person is not "known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer."

Under this exception, law enforcement--or a private party acting at the direction of law enforcement--may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before interception can occur, the four requirements found in § 2511(2)(i)(I)-(IV) must be met. Under the first of these requirements, the owner or operator of the computer must authorize the interception. In general, although not specifically required by Title III, it is good practice for investigators to seek written consent for the interception from the computer's owner or a high-level agent of that owner. Under § 2511(2)(i)(IV), investigators may not invoke the computer trespasser exception unless they are able to avoid intercepting communications of authorized users. Critically, however, the computer trespasser exception may be used in combination with other authorities, such as the consent exception of § 2511(2)(d) and the provider exception of § 2511(2)(a)(i), and in such cases it may be permissible for investigators to also intercept communications of authorized users. For example, if all non-trespassing users of a network have consented to the monitoring of their communications by law enforcement, and if the computer trespasser exception can be used to monitor the communications of all trespassers on the network, then law enforcement will be able to monitor all network communications. Similarly, a provider who has monitored its system to protect its rights and property under § 2511(2)(a)(i), and who has subsequently contacted law enforcement to report some criminal activity, may continue to monitor the criminal activity of trespassers on its system under the direction of law enforcement using the computer trespasser exception. In such circumstances, the provider will then be acting under color of law as an agent of the government.

e. The Extension Telephone Exception, 18 U.S.C. § 2510(5)(a)

As a result of Title III's "extension telephone" exception, the statute is not violated by the use of

any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties.

18 U.S.C. § 2510(5)(a). Congress intended this exception to have a fairly narrow application: the exception was designed to permit businesses to monitor by way of an "extension telephone" the performance of their employees who spoke on the phone to customers. The "extension telephone" exception makes clear that when a phone company furnishes an employer with an extension telephone for a legitimate work-related purpose, the employer's monitoring of employees using the extension phone for legitimate work-related purposes does not violate Title III. See Briggs v. Am. Air Filter Co., 630 F.2d 414, 418 (5th Cir. 1980) (reviewing legislative history of Title III); Watkins v. L.M. Berry & Co., 704 F.2d 577, 582 (11th Cir. 1983) (applying exception to permit monitoring of sales representatives); James v. Newspaper Agency Corp., 591 F.2d 579, 581 (10th Cir. 1979) (applying exception to permit monitoring of newspaper employees' conversations with customers).

The case law interpreting the extension telephone exception is notably erratic, largely owing to the ambiguity of the phrase "ordinary course of business." Some courts have interpreted "ordinary course of business" broadly to mean "within the scope of a person's legitimate concern," and have applied the extension telephone exception to contexts such as intra-family disputes. See, e.g., Simpson v. Simpson, 490 F.2d 803, 809 (5th Cir. 1974) (holding that husband did not violate Title III by recording wife's phone calls), overruled in 11th Cir. by Glazner v. Glazner, 347 F.3d 1212, 1214-16 (11th Cir. 2003); Anonymous v. Anonymous, 558 F.2d 677, 678-79 (2d Cir. 1977) (holding that husband did not violate Title III in recording wife's conversations with their daughter in his custody). Other courts have rejected this broad reading, and have implicitly or explicitly excluded surreptitious activity from conduct within the "ordinary course of business." See, e.g., Adams v. City of Battle Creek, 250 F.3d 980, 984 (6th Cir. 2001) ("[M]onitoring in the ordinary course of business requires notice to the person or persons being monitored."); Kempf v. Kempf, 868 F.2d 970, 973 (8th Cir. 1989) (holding that Title III prohibits all wiretapping activities unless specifically excepted and that the Act does not have an express exception for interspousal wiretapping); United States v. Harpel, 493 F.2d 346, 351 (10th Cir. 1974) ("We hold as a matter of law that a telephone extension used without authorization or consent to surreptitiously record a private telephone conversation is not used in the ordinary course of business."); Pritchard v. Pritchard, 732 F.2d 372, 374 (4th Cir. 1984) (rejecting view that § 2510(5)(a) exempts interspousal wiretapping from Title III liability). Some of the courts that have embraced the narrower construction of the extension telephone exception have stressed that it permits only limited work-related monitoring by employers. See, e.g., Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992) (holding that employer monitoring of employee was not authorized by the extension telephone exception in part because the scope of the interception was broader than that normally required in the ordinary course of business).

There is also some ambiguity as to whether and how the extension telephone exception would apply in the computer context because the provision's reference to "any telephone or telegraph instrument, equipment or facility" is not entirely clear. 18 U.S.C. § 2510(5)(a). Specifically, it is not obvious from the text of the statute whether "telephone or telegraph" modifies all three objects--i.e., "instrument, equipment or facility"--or only "instruments." The former reading suggests that the exception could apply only to providers of telephone or telegraph services, while the latter reading supports the conclusion that the exception could apply to a computer service provider. The Second Circuit has resolved this ambiguity in favor of the more expansive interpretation in Hall v. EarthLink Network, Inc., 396 F.3d 500, 504-05 (2d Cir. 2005), in which it held that an ISP acted in its ordinary course of business when it continued to receive and store messages sent to the account of a terminated customer.

The exception in 18 U.S.C. § 2510(5)(a)(ii) that permits the use of "any telephone or telegraph instrument, equipment or facility, or any component thereof" by "an investigative or law enforcement officer in the ordinary course of his duties" is also a common source of confusion. This language does not permit agents to intercept the private communications of the targets of a criminal investigation on the theory that a law enforcement agent may need to intercept communications "in the ordinary course of his duties." As Chief Judge Posner explained:

Investigation is within the ordinary course of law enforcement, so if "ordinary" were read literally warrants would rarely if ever be required for electronic eavesdropping, which was surely not Congress's intent. Since the purpose of the statute was primarily to regulate the use of wiretapping and other electronic surveillance for investigatory purposes, "ordinary" should not be read so broadly; it is more reasonably interpreted to refer to routine noninvestigative recording of telephone conversations. . . . Such recording will rarely be very invasive of privacy, and for a reason that does after all bring the ordinary-course exclusion rather close to the consent exclusion: what is ordinary is apt to be known; it imports implicit notice.

Amati v. City of Woodstock, 176 F.3d 952, 955 (7th Cir. 1999). For example, routine taping of all telephone calls made to and from a police station or prison may fall within this law enforcement exception, but non-routine taping designed to target a particular suspect ordinarily would not. See id.; accord Adams v. City of Battle Creek, 250 F.3d 980, 984 (6th Cir. 2001) ("Congress most likely carved out an exception for law enforcement officials to make clear that the routine and almost universal recording of phone lines by police departments and prisons, as well as other law enforcement institutions, is exempt from the statute."); United States v. Lewis, 406 F.3d 11, 18-19 (1st Cir. 2005) (concluding that routine monitoring of calls made from prison falls within law enforcement exception); United States v. Hammond, 286 F.3d 189, 192 (4th Cir. 2002) (same); United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996) (same).

f. The 'Inadvertently Obtained Criminal Evidence' Exception, 18 U.S.C. § 2511(3)(b)(iv)

Section 2511(3)(b) lists several narrow contexts in which a provider of electronic communication service to the public can divulge the contents of communications. The most important of these exceptions permits a public provider to divulge the contents of any communications that

were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.

18 U.S.C. § 2511(3)(b)(iv). Although this exception has not yet been applied by the courts in any published cases involving computers, its language appears to permit providers to report criminal conduct (e.g., child pornography or evidence of a fraud scheme) in certain circumstances without violating Title III. Cf. 18 U.S.C. § 2702(b)(7)(A) (creating an analogous rule for stored communications).

g. The 'Accessible to the Public' Exception, 18 U.S.C. § 2511(2)(g)(i)

Section 2511(2)(g)(i) permits "any person" to intercept an electronic communication made through a system "that is configured so that . . . [the] communication is readily accessible to the general public." Congress intended this language to permit the interception of an electronic communication that has been posted to a public bulletin board, a public chat room, or a Usenet newsgroup. See S. Rep. No. 99-541, at 36 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3590 (discussing bulletin boards). This exception may apply even if users are required to register and agree to terms of use in order to access the communication. See Snow v. DirecTV, Inc., 450 F.3d 1314, 1321-22 (11th Cir. 2006) (electronic bulletin board that required visitors to register, obtain a password, and certify that they were not associated with DirecTV was accessible to the public).

E. Remedies For Violations of Title III and the Pen/Trap Statute

Agents and prosecutors must comply with Title III and the Pen/Trap statute when planning electronic surveillance. Violations can result in criminal penalties, civil liability, and (in the case of certain Title III violations) suppression of the evidence obtained. See 18 U.S.C. § 2511(4) (criminal penalties for Title III violations); 18 U.S.C. § 2520 (civil action for Title III violations); 18 U.S.C. § 3121(d) (criminal penalties for Pen/Trap statute violations); 18 U.S.C. § 2707(a), (g) (civil action for certain Pen/Trap statute violations); 18 U.S.C. § 2518(10)(a) (suppression for certain Title III violations). As a practical matter, however, courts may conclude that the electronic surveillance statutes were violated even after agents and prosecutors have acted in good faith and with full regard for the law. For example, a private citizen may wiretap his neighbor and later turn over the evidence to the police, or agents may intercept communications using a court order that the agents later learn is defective. Similarly, a court may construe an ambiguous portion of Title III differently than did the investigators, leading the court to find that a violation of Title III occurred. Accordingly, prosecutors and agents must understand not only what conduct the surveillance statutes prohibit, but also what the ramifications might be if a court finds that the statutes have been violated.

1. Suppression Remedies

Title III provides for statutory suppression of wrongfully intercepted oral and wire communications, but not electronic communications. The Pen/Trap statute does not provide a statutory suppression remedy. Constitutional violations may also result in suppression of the evidence wrongfully obtained.

a. No Statutory Suppression for Interception of Electronic Communications

The statutes that govern electronic surveillance grant statutory suppression remedies to defendants only in a specific set of cases. A defendant may only move for suppression on statutory grounds when the defendant was a party to an oral or wire communication that was intercepted in violation of Title III, or when the intercepted oral or wire communications occurred on his premises. See 18 U.S.C. §§ 2510(11), 2518(10)(a). See also United States v. Giordano, 416 U.S. 505, 524 (1974) (stating that "[w]hat disclosures are forbidden [under § 2515], and are subject to motions to suppress, is . . . governed by § 2518(10)(a)"); United States v. Williams, 124 F.3d 411, 426 (3d Cir. 1997).

Section 2518(10)(a) states:

[A]ny aggrieved person . . . may move to suppress the contents of any wire or oral communication intercepted pursuant to this chapter, or evidence derived therefrom, on the grounds that--

(i) the communication was unlawfully intercepted;

(ii) the order of authorization or approval under which it was intercepted is insufficient on its face; or

(iii) the interception was not made in conformity with the order of authorization or approval.

18 U.S.C. § 2518(10)(a). An "aggrieved person" is defined in 18 U.S.C. § 2510(11) to mean "a person who was a party to any intercepted wire, oral, or electronic communication or a person against whom the interception was directed." In Alderman v. United States, 394 U.S. 165, 176 (1969), the Supreme Court held that a defendant has standing under the Fourth Amendment to challenge intercepted conversations if he was a party to the conversations or if the conversations occurred "on his premises, whether or not he was present or participating in those conversations."

Notably, Title III does not provide a statutory suppression remedy for unlawful interceptions of electronic communications. See, e.g., United States v. Jones, 364 F. Supp. 2d 1303, 1306-09 (D. Utah 2005); United States v. Steiger, 318 F.3d 1039, 1050-52 (11th Cir. 2003); Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461 n.6 (5th Cir. 1994); United States v. Meriwether, 917 F.2d 955, 960 (6th Cir. 1990). There is one minor exception to this rule: electronic communications intercepted pursuant to a Title III court order may be suppressed for failure to seal the intercepted communications as required by 18 U.S.C. § 2518(8)(a). See United States v. Suarez, 906 F.2d 977, 982 n.11 (4th Cir. 1990). In addition, the Pen/Trap statute does not provide a statutory suppression remedy for violations. See United States v. Forrester, 512 F.3d 500, 512 (9th Cir. 2008); United States v. Fregoso, 60 F.3d 1314, 1320-21 (8th Cir. 1995); United States v. Thompson, 936 F.2d 1249, 1249-50 (11th Cir. 1991).

b. Suppression Following Interception with a Defective Title III Order

Under section 2518(10)(a), the courts generally will suppress evidence resulting from any unlawful interception of an aggrieved party's wire communication that takes place without a court order. However, when investigators procure a Title III order to intercept wire or oral communications that later turns out to be defective, the courts will suppress the evidence obtained with the order only if the defective order "fail[ed] to satisfy any of those statutory requirements that directly and substantially implement the congressional intention [in enacting Title III] to limit the use of intercept procedures to those situations clearly calling for the employment of this extraordinary investigative device." United States v. Giordano, 416 U.S. 505, 527 (1974).

This standard requires the courts to distinguish technical defects from substantive ones. If the defect in the Title III order concerns only technical aspects of Title III, the fruits of the interception will not be suppressed. In contrast, courts will suppress the evidence if the defect reflects a failure to comply with a significant requirement of Title III. Compare Giordano, 416 U.S. at 527-28 (suppression required for failure to receive authorization from Justice Department official listed in § 2516(1) for wire interception order in light of importance of such authorization to statutory scheme) with United States v. Radcliff, 331 F.3d 1153, 1162-63 (10th Cir. 2003) (suppression not required for wiretap orders' failure to specifically identify the Justice Department officials who authorized the applications because, inter alia, this defect did not subvert statutory scheme). Defects that directly implicate constitutional concerns, such as probable cause and particularity, see Berger v. New York, 388 U.S. 41, 58-60 (1967), will generally be considered substantive defects that require suppression. See United States v. Ford, 553 F.2d 146, 173 (D.C. Cir. 1977).

c. The "Clean Hands" Exception in the Sixth Circuit

Section 2518(10)(a)(i) states that an aggrieved person may move to suppress the contents of wire communications when "the communication was unlawfully intercepted." The language of this statute is susceptible to the interpretation that the government cannot use the fruits of an illegally intercepted wire communication as evidence in court, even if the government itself did not intercept the communication. Under this reading, if a private citizen wiretaps another private citizen and then hands over the results to the government, the government could not use the evidence in court. Five circuit courts have so held. See United States v. Crabtree, 565 F.3d 887, 889-92 (4th Cir. 2009); Berry v. Funk, 146 F.3d 1003, 1013 (D.C. Cir. 1998) (dicta); Chandler v. United States Army, 125 F.3d 1296, 1302 (9th Cir. 1997); In re Grand Jury, 111 F.3d 1066, 1077-78 (3d Cir. 1997); United States v. Vest, 813 F.2d 477, 481 (1st Cir. 1987).

The Sixth Circuit, however, has fashioned a "clean hands" exception that permits the government to use any illegally intercepted communication so long as the government "played no part in the unlawful interception." United States v. Murdock, 63 F.3d 1391, 1404 (6th Cir. 1995). In Murdock, the defendant's wife had surreptitiously recorded her estranged husband's phone conversations at their family-run funeral home. When she later listened to the recordings, she heard evidence that her husband had accepted a $90,000 bribe to award a government contract to a local dairy while serving as president of the Detroit School Board. Mrs. Murdock sent an anonymous copy of the recording to a competing bidder for the contract, who in turn offered the copy to law enforcement. The government then brought tax evasion charges against Mr. Murdock on the theory that Mr. Murdock had not reported the $90,000 bribe as taxable income.

Following a trial in which the recording was admitted in evidence against him, the jury convicted Mr. Murdock, and he appealed. The Sixth Circuit affirmed, ruling that although Mrs. Murdock had violated Title III by recording her husband's phone calls, this violation did not bar the admission of the recordings in a subsequent criminal trial. The court reasoned that Mrs. Murdock's illegal interception could be analogized to a Fourth Amendment private search and concluded that Title III did not preclude the government "from using evidence that literally falls into its hands" because it would have no deterrent effect on the government's conduct. Id. at 1403.

After the Sixth Circuit decided Murdock, several circuits rejected the "clean hands" exception and instead embraced the First Circuit's Vest rule that the government cannot use the fruits of unlawful interception even if the government was not involved in the initial interception. See United States v. Crabtree, 565 F.3d 887, 889-92 (4th Cir. 2009); Berry v. Funk, 146 F.3d 1003, 1013 (D.C. Cir. 1998) (dicta); Chandler v. United States Army, 125 F.3d 1296, 1302 (9th Cir. 1997); In re Grand Jury, 111 F.3d 1066, 1077-78 (3d Cir. 1997).

d. Constitutional Suppression Remedies

Defendants may move to suppress evidence from electronic surveillance of communications networks on either statutory or Fourth Amendment constitutional grounds. Although Fourth Amendment violations generally lead to suppression of evidence, see Mapp v. Ohio, 367 U.S. 643, 655 (1961), defendants move to suppress the fruits of electronic surveillance on constitutional grounds only rarely. This is true for at least two reasons. First, Congress's statutory suppression remedies tend to be as broad or broader in scope than their constitutional counterparts. See, e.g., Chandler, 125 F.3d at 1298; Ford, 553 F.2d at 173. Cf. United States v. Torres, 751 F.2d 875, 884 (7th Cir. 1984) (noting that Title III is a "carefully thought out, and constitutionally valid . . . effort to implement the requirements of the Fourth Amendment."). Second, electronic surveillance statutes often regulate government access to evidence that is not protected by the Fourth Amendment. For example, the Supreme Court has held that the use and installation of pen registers does not constitute a Fourth Amendment "search." See Smith v. Maryland, 442 U.S. 735, 742 (1979). The Ninth Circuit recently confirmed that this holding applies equally to computer surveillance techniques that reveal the "to" and "from" addresses of email messages, the IP addresses of websites visited, and the total amount of data transmitted to or from an account. See United States v. Forrester, 512 F.3d 500, 510-11 (9th Cir. 2008). As a result, use of a pen/trap device in violation of the Pen/Trap statute ordinarily does not lead to suppression of evidence on Fourth Amendment grounds. See United States v. Thompson, 936 F.2d 1249, 1251 (11th Cir. 1991).

It is also likely that a hacker would not enjoy a constitutional entitlement under the Fourth Amendment to suppression of unlawful monitoring of his unauthorized activity. As the Fourth Circuit noted in United States v. Seidlitz, 589 F.2d 152 (4th Cir. 1978), a computer hacker who breaks into a victim computer "intrude[s] or trespasse[s] upon the physical property of [the victim] as effectively as if he had broken into the . . . facility and instructed the computers from one of the terminals directly wired to the machines." Id. at 160. A trespasser does not have a reasonable expectation of privacy where his presence is unlawful. See Rakas v. Illinois, 439 U.S. 128, 143 n.12 (1978) (noting that "[a] burglar plying his trade in a summer cabin during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one which the law recognizes as 'legitimate'"); Amezquita v. Hernandez-Colon, 518 F.2d 8, 11 (1st Cir. 1975) (holding that squatters had no reasonable expectation of privacy on government land where the squatters had no colorable claim to occupy the land). Accordingly, a computer hacker would have no reasonable expectation of privacy in his unauthorized activities that were monitored from within a victim computer. "[H]aving been 'caught with his hand in the cookie jar,'" the hacker has no constitutional right to the suppression of evidence of his unauthorized activities. Seidlitz, 589 F.2d at 160.

2. Defenses to Civil and Criminal Actions

Agents and prosecutors are generally protected from liability under Title III for reasonable decisions made in good faith in the course of their official duties.

Civil and criminal actions may result when law enforcement officers violate the electronic surveillance statutes. In general, the law permits such actions when law enforcement officers abuse their authority, but protects officers from suit for reasonable good-faith mistakes made in the course of their official duties. The basic approach was articulated over a half century ago by Judge Learned Hand:

There must indeed be means of punishing public officers who have been truant to their duties; but that is quite another matter from exposing such as have been honestly mistaken to suit by anyone who has suffered from their errors. As is so often the case, the answer must be found in a balance between the evils inevitable in either alternative.

Gregoire v. Biddle, 177 F.2d 579, 581 (2d Cir. 1949). When agents and prosecutors are subject to civil or criminal suits for electronic surveillance, the balance of evils has been struck by both a statutory good-faith defense and a widely (but not uniformly) recognized judge-made qualified-immunity defense.

a. Good-Faith Defense

Both Title III and the Pen/Trap statute offer a statutory good-faith defense. According to these statutes,

a good faith reliance on . . . a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization . . . is a complete defense against any civil or criminal action brought under this chapter or any other law.

18 U.S.C. § 2520(d) (good-faith defense for Title III violations). See also 18 U.S.C. § 3124(e) (good-faith defense for Pen/Trap statute violations). These defenses are most commonly applicable to law enforcement officers executing legal process and service providers complying with legal process, even if the process later turns out to be deficient in some way. Similarly, Title III protects a person acting under color of law when that person believes in good faith that interception is warranted by the computer trespasser exception. See 18 U.S.C. § 2520(d)(3) (creating a defense for good faith reliance on a good faith determination that, inter alia, § 2511(2)(i) permitted the interception).

The cases interpreting the good-faith defense are notably erratic. In general, however, the courts have permitted law enforcement officers to rely on the good-faith defense when they make honest mistakes in the course of their official duties. See, e.g., Kilgore v. Mitchell, 623 F.2d 631, 633 (9th Cir. 1980) ("Officials charged with violation of Title III may invoke the defense of good faith under § 2520 if they can demonstrate: (1) that they had a subjective good faith belief that they were acting in compliance with the statute; and (2) that this belief was itself reasonable."); Hallinan v. Mitchell, 418 F. Supp. 1056, 1057 (N.D. Cal. 1976) (good-faith exception protects Attorney General from civil suit after Supreme Court rejects Attorney General's interpretation of Title III). The defense is also available to providers and other private parties who conduct surveillance in good faith reliance on a court order obtained by law enforcement. See Jacobson v. Rose, 592 F.2d 515, 522-23 (9th Cir. 1978) (Congress established good-faith defense for Title III violations in part "to protect telephone companies and other persons who cooperate under court order with law enforcement officials") (citation omitted). In contrast, courts have not permitted private parties to rely on good-faith "mistake of law" defenses in civil wiretapping cases. See, e.g., Williams v. Poulos, 11 F.3d 271, 285 (1st Cir. 1993); Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991).

b. Qualified Immunity

The majority of courts have recognized a qualified immunity defense to Title III civil suits in addition to the statutory good-faith defense. See, e.g., Lonegan v. Hasty, 436 F. Supp. 2d 419, 430 n.5 (E.D.N.Y. 2006) (noting that courts in Second Circuit have "routinely" allowed defendants to raise the qualified immunity defense in Title III cases); Tapley v. Collins, 211 F.3d 1210, 1216 (11th Cir. 2000) (holding that public officials sued under Title III may invoke qualified immunity in addition to the good faith defense); Blake v. Wright, 179 F.3d 1003, 1013 (6th Cir. 1999) ("a defendant may claim qualified immunity in response to a Title III claim"); Davis v. Zirkelbach, 149 F.3d 614, 618, 620 (7th Cir. 1998) (qualified immunity defense applies to police officers and prosecutors in civil wiretapping case). But see Berry v. Funk, 146 F.3d 1003, 1013-14 (D.C. Cir. 1998) (concluding that qualified immunity does not apply to Title III violations because the statutory good-faith defense exists); Hepting v. AT&T Corp., 439 F. Supp. 2d 974, 1009 (N.D. Cal. 2006) (disagreeing with Tapley and Blake and holding that providers who assist the government are not entitled to qualified immunity from Title III suits).

Under the doctrine of qualified immunity,

government officials performing discretionary functions generally are shielded from liability for civil damages insofar as their conduct does not violate clearly established statutory or constitutional rights of which a reasonable person would have known.

Harlow v. Fitzgerald, 457 U.S. 800, 818 (1982). In general, qualified immunity protects government officials from suit when "[t]he contours of the right" violated were not so clear that a reasonable official would understand that his conduct violated the law. Anderson v. Creighton, 483 U.S. 635, 640 (1987); Burns v. Reed, 500 U.S. 478, 496 (1991) (prosecutors receive qualified immunity for legal advice to police).

Of course, whether a statutory right under Title III is "clearly established" for purposes of qualified immunity is in the eye of the beholder. The sensitive privacy interests implicated by Title III may lead some courts to rule that a Title III privacy right is "clearly established" even if no courts have recognized the right in analogous circumstances. See, e.g., McClelland v. McGrath, 31 F. Supp. 2d 616, 619-20 (N.D. Ill. 1998) (holding that police violated the "clearly established" rights of a kidnapper who used a cloned cellular phone when the police asked the cellular provider to intercept the kidnapper's unauthorized communications to help locate the kidnapper, and adding that the kidnapper's right to be free from monitoring was "crystal clear" despite § 2511(2)(a)(i)).


1 "Post-cut-through dialed digits" are digits dialed after the initial call set-up is complete. Such digits can be non-content telephone numbers, "such as when a subject places a calling card, credit card, or collect call by first dialing a long-distance carrier access number and then, after the initial call is 'cut through,' dialing the telephone number of the destination party." United States Telecom Ass'n v. FCC, 227 F.3d 450, 462 (D.C. Cir. 2000). Such digits can also be content. "For example, subjects calling automated banking services enter account numbers. When calling voicemail systems, they enter passwords. When calling pagers, they dial digits that convey actual messages." Id.

2 As the focus of this manual is obtaining electronic evidence, prohibited "use" and "disclosure" are beyond the scope of this manual. Use and disclosure of intercepted communications are discussed in chapter 2 of CCIPS's Prosecuting Computer Crimes (Office of Legal Education 2007) and part XI of OEO's Electronic Surveillance Manual (2005 ed.).

3 State surveillance laws may differ. Some states forbid the interception of communications unless all parties consent.

4 DOJ policy sets forth certain approval requirements for consensual interception of oral communications. See United States Attorneys' Manual § 9-7.302 (citing 2002 Attorney General Guidelines). Approval from OEO is required in certain sensitive circumstances; AUSA approval is required at a minimum.


