Internet Library of Law
and Court Decisions

Electronic Communications Privacy Act - Wiretap and Stored Communications Acts - Internet Library of Law and Court Decisions - Updated June 23, 2008

Corporation which operates internal e-mail system for intra-company communications held not to be subject to the Electronic Communications Privacy Act, 18 U.S.C. Section 2701 et seq., because it was not providing electronic communication service to the public, or community at large. As a result, the ECPA did not bar defendant from disclosing to a newspaper e-mail sent on its system by an independent contractor who was performing services for defendant.

Court denies bloggers' motion for a protective order, which sought to quash a subpoena served by plaintiff Apple Computer, Inc. ("Apple") on Nfox, the e-mail service provider for the blog PowerPage.  The subpoena sought materials, including e-mails, that would permit Apple to identify the individual(s) who transmitted trade secret information about an Apple product to PowerPage, which information PowerPage subsequently published on its blog/website.  The Court held that the bloggers were not entitled to such relief under California's 'Shield Law,' as that statute only protects journalists from being found in contempt for failing to produce information, and does not support a motion to quash.  Similarly, such relief could not be grounded on the privilege afforded journalists under the First Amendment, as this privilege cannot be used to prevent the disclosure of information related to criminal activity such as that at issue here, the disclosure of trade secrets.  Because Apple had made a prima facie case that a crime had occurred, it was entitled to the requested discovery.

Court dismisses claims brought by plaintiffs under the Computer Fraud and Abuse Act ("CFAA"), the Wiretap Act and the Stored Communications Act, arising out of Avenue A's use and placement of cookies on plaintiffs' computers. Avenue A uses such cookies to gather information about the user's use of Avenue A client web sites, and to present various advertisements on those web sites that Avenue A believes will be of interest to the user based on such information. The claims under the CFAA were dismissed because any damages plaintiffs' sustained as a result of Avenue A's actions did not meet the threshold necessary to assert a claim under the CFAA. Plaintiffs' claims under both the Stored Communications Act and the Wiretap Act were dismissed because Avenue A's client web sites gave Avenue A permission to review the communications between those sites and the plaintiff users related to their use of the sites. Having dismissed the federal claims plaintiffs asserted, the court declined to exercise supplemental jurisdiction over the remaining state law claims, which it accordingly dismissed without prejudice.

Court dismisses claims advanced by the plaintiff class under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Wiretap Act arising out of Doubleclick's use and placement of "cookies" on plaintiffs' computers. Doubleclick uses such "cookies" to gather information about the users' use of Doubleclick client web sites. Because Doubleclick's clients consented to such information gathering, the court held that Doubleclick's activities did not run afoul of either the Electronic Communications Privacy Act or the Wiretap Act. The court also dismissed the claims plaintiffs advanced under the Computer Fraud and Abuse Act because any damages caused by Doubleclick's activities did not meet the threshold required by the Computer Fraud and Abuse Act. Finally, the court, having dismissed all of plaintiffs' federal claims, declined to retain jurisdiction over plaintiffs' state law claims, and dismissed the action.

Court dismisses plaintiffs' claims that Northwest Airlines violated the Electronic Communications Privacy Act ("ECPA") by disclosing personal information about plaintiff passengers to governmental authorities.  The Court grounded its decision on its determination that the ECPA did not apply because Northwest, by virtue of its operation of a web site at which consumers can purchase airline tickets, was not a provider of "electronic communication services" within the meaning of the ECPA.  The Court also dismissed plaintiffs' claims that this disclosure constituted a breach of the parties' agreement, as reflected in the privacy policy Northwest posted on its web site, not to disclose such personal information, finding that the posting of such a policy did not create an enforceable agreement between the parties.

Court dismisses plaintiff's claim, brought under the Federal Wire and Electronic Communications Interception Act, 18 U.S.C. §§ 2510 et seq., ("Wire Tap Act") which arose out of the defendants' acquisition of an e-mail from plaintiff's comptroller to plaintiff's President after the e-mail had been sent and received. The court based its holding on its determination that the Wire Tap Act only prohibited the interception of electronic communications "during transmission." The court's holding did not preclude plaintiff from bringing a claim seeking relief for the interception of this communications under the Federal Stored Wire and Electronic Communications Act, 18 U.S.C. §§ 2701 et seq. (the "Stored Communications Act.")

Court allows plaintiff to proceed with claims advanced against his employer and various fellow employees under the Electronic Communications Privacy Act, the Electronic Communications Storage Act, and Wisconsin's right to privacy statute, Wis. Stat. Section 895.50, as well as a common law defamation claim, arising out of defendants' interception of a telephone call plaintiff placed from his place of employ, and defendants' review of e-mails contained in a personal e-mail account plaintiff maintained with Hot Mail, which account plaintiff accessed from his work place.  There were sharply differing versions of the content of these various communications.  Defendants alleged that during the telephone call, the participants, while masturbating, graphically described homosexual activity between two males.  Plaintiff denied this.  Defendants also alleged that e-mails read from plaintiff's email account evidenced that plaintiff was involved in homosexual activity.  Plaintiff denied that these e-mails had been sent to him.

Defendants' version of the telephone conversation was related to various third parties, which resulted in the termination of plaintiff's employment.  This lawsuit ensued.  The court determined that plaintiff should be permitted to proceed with various claims he asserted. 

The court refused to dismiss plaintiff's claim, advanced under Wisconsin's right of privacy law, section 895.50, arising out of the review of e-mail from plaintiff's personal Hot Mail account.  The court held that issues of fact existed as to whether the review of such e-mail would be highly offensive to a reasonable person, and as to whether a reasonable person could consider such an account to be private, which precluded a grant of summary judgment to defendants.  The court also refused to dismiss the claim plaintiff brought under the Electronic Communications Storage Act arising out of the review of these e-mails.  If such a review took place (as opposed to defendants' having fabricated the e-mails) it would run afoul of the Stored Communications Act.  The court did dismiss the claims plaintiff raised under the Computer Fraud and Abuse Act, holding that plaintiff had not alleged economic damages arising from the review of these e-mails sufficient to state a claim under the Act.

The court also refused to dismiss the claims plaintiff advanced under the Electronic Communications Privacy Act and Wisconsin Privacy Act arising out of the interception of the telephone call described above.  The court refused to dismiss plaintiff's ECPA claim because, depending on what actually occurred, the defendants should have stopped listening to the telephone call when they discovered it was personal in nature.  The court refused to dismiss plaintiff's privacy act claims because plaintiff may have had a reasonable expectation of privacy in the telephone call if his claim that he made the call from a place his employer designated for private personal calls was true.

Lastly, the court refused to dismiss plaintiff's defamation claim, finding that issues of fact precluded it from determining whether defendants' communication of their version of the telephone call to third parties was protected by the common interest privilege possessed by members of religious associations as to communications pertaining to the qualifications of those who work for the organization.  Such privilege may have been lost, given plaintiff's claim that the defendants were lying about what took place during the telephone call.

Court holds that insurance companies' review of email sent by one independent contractor working for company to another, after it had been reviewed by second independent contractor and stored on company server, did not violate either the Federal Wiretap or Stored Communications Acts, or their Pennsylvania state counterparts.  The Wiretap Act protects against unauthorized interception of electronic communications.  The court held that to constitute a violation of the Act, the email must be intercepted during its transmission, and before it is reviewed by the intended recipient.  There was accordingly no violation of the Wiretap Act because the email in question was only reviewed by the insurance company after it had been reviewed by the intended recipient.  The court also held that the insurance companies' review of the email did not constitute a violation of the Stored Communications Act.  As interpreted by the court, that Act only provides protection to electronic communications while they are in transit from sender to intended recipient.  While in transit, communications are protected by the Act if held in storage.  However, once reviewed by the intended recipient, the communications are no longer in transit, or subject to the protection of the Stored Communications Act, even if they thereafter remain in storage.  As the email in question had already been received by the intended recipient, it was no longer in transit, and not protected by the Stored Communications Act.  It should be noted that this decision addresses a number of additional claims, including breach of contract, wrongful discharge, and violation of the Pennsylvania Constitution, arising out of the insurance companies' termination of its Agent's Agreement with plaintiff which will not be addressed in this summary.

Affirming the decision of the Magistrate Judge, the District Court quashed a subpoena issued by State Farm Fire and Casualty Co. (“State Farm”) to AOL, seeking disclosure of the stored emails of two of its customers.  The Court held such disclosure prohibited by the Electronic Communications Privacy Act, 18 U.S.C. Section 2702, which prohibits Internet Service Providers such as AOL, in the absence of express authorization by the statute, from divulging the contents of customers’ electronic communications.  Notably, the Court held that the receipt of a civil subpoena does not, by itself, authorize the ISP’s disclosure of such materials under the ECPA. 

The Court further upheld the Magistrate’s decision to quash the subpoena because it imposed an undue burden on the account holders, was not appropriately limited to communications pertaining to the lawsuit in question, and arguably sought discovery of privileged communications, the propriety of which assertion the Court deferred for ruling by the court in which the underlying dispute for which the discovery was sought was being litigated.

Court holds that the unauthorized use of a spyware program to capture screen shots of a husband's online communications violates Florida's Security of Communications Act, modeled after the Federal Wiretap Act, 18 U.S.C. Section 2501, et seq.  An intermediate Florida appellate court accordingly affirms the trial court decision to bar the wife from introducing these screen shots into evidence in her divorce proceeding with her husband.

Reversing the court below, the California Court of Appeals holds that the Stored Communications Act prohibits an ISP that hosted a blog's email account from disclosing e-mails sent to the blog in response to a subpoena issued in a civil litigation.  The subpoena sought production of e-mails that would permit Apple Computer ("Apple") to identify the individual(s) who transmitted trade secret information about an as yet unreleased Apple product to the blog/website Power Page, which information was the source of articles Power Page subsequently published on its blog/website.

The Court further held that petitioners, who acted as publishers of, and/or editors or reporters for, the news blogs that published the stories at issue about this Apple product, were entitled to a protective order against their disclosure of the confidential sources of their stories.  Notwithstanding Apple's claim that the information petitioners received from these services constituted trade secrets disclosed in violation of confidentiality agreements each of its employees had signed, the Court held such disclosure barred by both California's Reporter's Shield Law and the First Amendment.  The Court held that the Shield Law, which prohibits a court from holding in contempt a publisher, editor or reporter of "a newspaper, magazines or other periodical publication" for failing to disclose the source of a published story, protected petitioners, publishers and/or reporters of news blogs, from having to disclose the sources of the stories at issue.  The First Amendment similarly provided protection, given Apple's failure to fully exhaust other avenues of disclosure before pursuing discovery from petitioners.

The Second Circuit holds that an Internet Service Provider does not violate Title I of the Electronic Communications Privacy Act when, in the ordinary course of its business, it continues to receive and store emails sent to the email address of a terminated account holder.

Court grants defendants' motion for summary judgment, and dismisses plaintiffs' claims under the Electronic Communications Privacy Act ("ECPA") and the Computer Fraud and Abuse Act ("CFAA") arising out defendant Pharmatrak's monitoring of plaintiffs' activities on the web sites of various pharmaceutical companies.  With the authorization of these pharmaceutical companies, who were also named as defendants in this litigation, defendant Pharmatrak placed software on their web sites which enabled Pharmatrak to gather information submitted by the plaintiffs to, and to track their activities at, these sites.  Pharmatrak's software also enabled Pharmatrak to gather information both about the web site plaintiffs visited immediately prior to their visit to defendants' sites, as well as the search plaintiffs conducted to get to defendants' sites.  According to plaintiffs, the information Pharmatrak gathered included personally identifiable information, although there was no evidence that Pharmatrak disseminated anything other than aggregated non-personally identifiable information to third parties.

The Court held that defendants did not violate Title I of the ECPA, the Wire Tap Act, because they qualified for the protection of Section 2511(2)(d) of the ECPA, which permits interception of a communication when it is authorized by one of the participants in the communication, provided the interception is not undertaken for a tortuous or criminal purpose.  Defendants were permitted to intercept the communications at issue because (a) the pharmaceutical defendants which participated in them had authorized such interception, and (b) there was no evidence that such interception was done for an improper purpose.

The Court dismissed plaintiffs' claims under Title II of the ECPA, the Stored Communications Act, both because the devices defendants accessed, plaintiffs' PCs, were not protected "facilities" under the Stored Communications Act, and because the pharmaceutical defendants consented to accessing the communications at issue.

Lastly, the Court dismissed the claims plaintiffs raised under the Computer Fraud and Abuse Act, because plaintiffs did not sustain damages sufficient to meet the damage threshold requirements of that statute.

Reversing the decision of the court below, the First Circuit holds that the grant of permission by web site owners to defendant Pharmatrak to operate web tracking software on their web sites does not constitute consent to intercept their communications with site users, because the site owners expressly instructed defendant Pharmatrak not to gather personal information about site users.  As a result, the First Circuit reversed the District Court's decision, which had dismissed claims brought by site users under the Electronic Communications Privacy Act ("ECPA") arising out of defendant Pharmatrak's gathering of information concerning individual site users, and their use of the web site owners' sites, from communications between the users and the sites themselves.  The First Circuit remanded the case for further consideration as to whether defendant Pharmatrak's actions were intentional, a prerequisite to an ECPA claim, in light of the fact that Pharmatrak appeared to have gathered personally identifiable information as to only 232 of the approximately 18.7 million users whose activities it tracked.

Ninth Circuit holds that the unauthorized access and review of the contents of a password protected web site can constitute violations of both the Wiretap Act, 18 USC §§ 2510-2520, and the Stored Communications Act, 18 USC §§ 2701-2710. The court further holds that an employer's accessing without authorization of such a web site created by one of its employees, which site is critical of officers of the employer and urges company employees to consider alternative union representation, can constitute impermissible surveillance of union organizing activities in violation of the Railway Labor Act, 45 USC § 152. The Ninth Circuit accordingly reversed the decision of the District Court below, denied defendant's motion for summary judgment, and reinstated plaintiff's claims.

Affirming the court below, the First Circuit, by a 2-1 vote, holds that defendant's alleged involvement in a scheme in which e-mails were copied while in transit to, but before their receipt by, their intended recipients, was not a violation of the Wiretap Act, 18 U.S.C. §§ 2510 et seq. and accordingly dismisses an indictment charging defendant with conspiring to violate the Wiretap Act.  In reaching this result, the Court held that the Wiretap Act does not apply to the interception of e-mails in storage.  Because the e-mails at issue were in temporary storage when intercepted, no violation of the Wiretap Act occurred.

In a vigorous dissent, Circuit Judge Lipez warned that the majority's holding would effectively eliminate all protection for e-mail under the Wiretap Act, as all e-mail, when in transit, is stored in either the hard drives or RAM of the various computers involved in its delivery.  As such, e-mail recipients would be relegated to the lesser protections provided by the Stored Communications Act, 18 U.S.C. §§ 2701 et seq., which, among other things, provides certain exceptions for "conduct authorized by the person or entity providing a wire or electronic communications service …", and lowers the showing law enforcement officials must make to access such stored communications.  Judge Lipez accordingly would reverse the court below, and hold that the Wiretap Act applies to the unauthorized interception of e-mail while such e-mail is being transmitted, whether then in storage or not.

Quick Hits

Court grants Church’s petition pursuant to Fed. R. Civ. P. Rule 27, and directs respondent Cablevision Lightpath Inc. (“Cablevision”) to disclose the identity of the subscriber to whom a particular IP address was assigned.  Petitioner alleged that the IP address in question was used to access without authorization email accounts the Church supplied to seven employees.  Petitioner also alleged that this IP address was used to improperly send an email from one of those accounts, in the name of the account holder, that advised other company employees that they had been terminated for poor job performance.  Petitioner alleged that this conduct violated the Stored Communications Act, 18 U.S.C. Section 2701.

Petitioner sought the requested discovery to “preserve testimony,” as it had been advised by respondent Cablevision that in the ordinary course of business, it would delete the requested information within 90 days of the email transactions in question.

The Court found that petitioner had made the requisite showing for relief under Fed. R. Civ. P. Rule 27 and directed Cablevision to disclose the requested information.  In reaching this result, the Court held that petitioner’s need for disclosure outweighed any First Amendment right of the speaker in question to maintain anonymity.  In so holding the Court analyzed five factors: “(1) a concrete showing of a prima facie claim of actionable harm; (2) specificity of the discovery request; (3) the absence of alternative means to obtain the subpoenaed information; (4) a central need for the subpoenaed information to advance the claim, and (5) the party’s expectation of privacy.”  The Court found each of these factors favored the requested disclosure.  Petitioner had made out a prima facie case that the individual in question violated the Stored Communications Act by improperly accessing employee email accounts without authorization.  Because of the nature of the challenged conduct – such improper access, and the use thereof to impersonate one of the account holders – the court further held that the individual in question had a low expectation of privacy in maintaining the anonymity of her actions.  Petitioner’s request was narrowly tailored to seek only the identity of the speaker from Cablevision, the only known source of such information.  Finally, the court held that the requested information – the identity of the speaker in question -- was needed to permit petitioner to bring a claim seeking redress for the wrongs at issue.  The Court accordingly directed disclosure.

Download PDF of Court Decision