The Problems CISA Solves: ECPA Reform in Disguise
Omni-CISA has passed. Privacy advocates are waxing outraged and pundits are tallying the winners and losers. Over at Just Security, Jennifer Granick ominously warns that:
Published by The Lawfare Institute
in Cooperation With
Omni-CISA has passed. Privacy advocates are waxing outraged and pundits are tallying the winners and losers. Over at Just Security, Jennifer Granick ominously warns that:
OmniCISA would waive [] provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader “cybersecurity purposes” beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?
So this bill isn’t just about threat information sharing, it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.
What is CISA really? Is it a surveillance bill couched as an information sharing bill? Is it, as some critics claim, an insignificant piece of too little, too late? Does it, as Granick alleges, indiscriminately gut existing legal protections? These questions remain stubbornly obscure in a discussion that analyzes CISA in a vacuum of privacy interests and does not consider the serious cyber security challenges the law is aimed at curing. CISA’s merit must be evaluated against the problems it attempts to solve.
CISA comes at a cybersecurity crisis point. The principal solutions to the crisis all require that private industry do more to protect the personal data in its possession and and under its control. In evaluating CISA and other proposed measures, privacy advocates focus largely on governmental access to and use of information. And yes, CISA authorizes important voluntary information sharing and the government’s role in that sharing certainly merits attention. But the singular focus—and the attendant reflexive suspicions—on this aspect of the bill warps the real privacy interests at stake by failing to acknowledge that security is a necessary element of privacy. Once criminals have your personal information, it is no longer private. And if privacy is the ultimate goal, the first step it to keep data safe.
Information sharing is one element, but companies and communications service providers also need to be able to discover and address threats on their own systems. Effective cybersecurity includes network monitoring, scanning, and deep-packet inspection—and yes, that includes contents of communications—in order to detect malicious activity. Federal and state laws create major impediments to that activity.
CISA is designed to begin fixing this.
Granick is absolutely correct that CISA waives current provisions of the Stored Communications Act for cybersecurity monitoring. CISA’s authorization and liability protection for monitoring makes ECPA inapplicable to cybersecurity monitoring conducted pursuant to the new statute. But she fails—along with other likeminded critics—to consider how unintended consequences of ECPA and the Wiretap Act currently prevent companies from taking responsible cybersecurity measures. To understand what CISA permits and why, let’s take a big step back and look at what legal limitations Congress is attempting to alleviate in the realm of cybersecurity and the harm those limitations are currently doing.
The Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) prohibits the intentional interception of any "electronic communication," and imposes criminal and civil liability for interceptions in violation of its terms. Absent an exception enumerated in the statute, cybersecurity monitoring that examines content would likely violate ECPA's general prohibition on the interception of communications.
Herein lies the first problem CISA is trying to address. Under ECPA, "contents," with respect to any wire, oral or electronic communication, includes any information concerning the substance, purport or meaning of that communication. 18 U.S.C. 2510, (8). Because the act does not further define "substance, purport or meaning," the content of communications becomes a highly fact-specific determination in the context of emerging technologies. ECPA thus creates uncertainty over what sort of information is even covered by the act, and this makes it difficult for companies to understand precisely what sort of monitoring is okay and what sort is a crime. Ambiguity in a litigation-averse culture runs contrary to a goal of responsible, proactive cybersecurity monitoring. Whether we like it or not, effective cybersecurity monitoring likely does extend to the contents of communications in at least some circumstances.
In the context of defensive monitoring of private networks—presuming that the monitoring involves the contents of communications—there are two relevant exceptions included in ECPA. First, it is not unlawful to intercept communications where one party to the communication has given prior consent. (See 2511(c)). In addition, some state laws require that all parties consent. Second, it is not unlawful under ECPA for an electronic communication service provider to intercept communications where such monitoring is a necessary incident to rendition of service or in order to protect the provider's rights and property. (See 2511(2)(a)).
ECPA also authorizes communications security monitoring of US government communications in accordance with Attorney General-approved procedures. The “COMSEC” exception does not apply to private cybersecurity monitoring. However, this exception explains why the government and private industry are in materially different positions with regards to securing their own networks.
The Consent Exception
lf either party to a communication consents to its interception, there is no violation under ECPA, "unless such communication is intercepted for the purpose of committing any criminal or tortious act." 18 USC 2511(2)(d). Consent may be express or implied but, in essence, authorized users must be made aware of and manifest agreement to the interception.
At first glance, obtaining effective consent from authorized users presents a simple and attractive avenue for companies and cyber security providers to conduct monitoring without violating ECPA. User agreements can incorporate notification that communications may be monitored for purposes of network security. However, the ambiguities of ECPA have resulted in real and perceived limitations on the ability to obtain legally-effective consent.
Rapidly evolving case law generates significant uncertainty regarding the scope of consent as it relates to electronic communications monitoring conducted by service providers. In Campbell v. Facebook, a court for the Northern District of California denied Facebook's motion to dismiss charges under ECPA, rejecting the claim that Facebook had obtained user consent. Despite lengthy user agreements included in Facebook's "Statement of Rights and Responsibilities" and "Data Use Policy," the court determined that consent obtained "with respect to the processing and sending of messages does not necessarily constitute consent to … the scanning of message content for use in targeted advertising." Likewise in ln re Google Inc. Gmail Litigation, the same district determined that Google did not obtain adequate consent for the scanning of emails, though in that case, Google's conduct fell within the "ordinary course of business" definition and thus did not constitute interception for the purposes of ECPA.
Here, and in other instances, courts have determined that companies which are highly sophisticated actors in the field have failed to meet the bar for effective consent despite good faith efforts to comply.
Even where companies implement ironclad consent notifications—presumably ones that include highly-specific details about the monitoring being conducted, include the names of any specific security service provider, and explicitly make consent to monitor a condition of use—such efforts might still be insufficient over the long term.
In City of Ontario v. Quon, 560 U.S. 746 (2010), the Supreme Court determined that the scope of written consent may be altered by later verbal representations from a superior. Where individuals have given written consent to have all of their communications monitored with or without notice, a supervisor's later statement could be taken to modify the policy and effectively restore a reasonable expectation of privacy. Because Quon involved public employees, the Court applied a Fourth Amendment analysis, which is inapplicable to private cyber security monitoring. But the analysis of the ability for later communications to alter the scope of consent is instructive and relevant—and from the point of view of companies, very troubling. Electronic communications service providers, heeding the advice of their attorneys, cannot regard consent as a cure-all to ECPA.
Third-Party Providers and the Consent Exception
Relying on the consent exception becomes particularly fraught in the area of third-party cyber security and network security service providers (CSP). Most electronic communications service providers do not conduct their own network security monitoring. Unsurprisingly, it is both cost effective and more effective as a security matter to hire third-party specialist to provide these services. These third parties are in an especially difficult position with regards to ECPA liability, and this in turn causes these companies to provide more conservative and less-effective monitoring overall.
The first problem is that CSPs must typically rely on their clients to effectively obtain consent on their behalf. In the face of ECPA’s substantial criminal and civil liability provisions, this two-layer consent may have a chilling effect on the services CSPs are willing to provide. The chilling effect results from both legal and practical concerns. If companies themselves are unable to defend their consent language for purposes of litigation, it is difficult for security CSPs to rely on those same companies' representations that they have obtained consent sufficient to protect the third party as well. What’s more, the practical exercise of verifying effective consent can become extremely burdensome.
The legal calculus for third-party security providers is reflected in the outcomes of Kirch v. Embarq Management Co., 702 F.3d 1245 (2012). Embarq is an internet service provider which contracted with a third party, NebuAd, to conduct a technology test for improving advertising services by installing an Ultra-Transparent Appliance on their networks which all Internet traffic then passed through. Despite a lengthy user agreement which addressed the monitoring but failed to specifically name the third-party provider, Embarq's customers then sued Embarq and NebuAd for violation of ECPA. While the service provider, Embarq, ultimately prevailed in district and circuit courts, NebuAd, as the third-party, elected to settle with the plaintiffs for $52.4 million dollars.
The Service Provider or Rights and Property Exception
There’s another relevant exception: ECPA permits an "employee, or agent of a provider of . . . electronic communication service, whose facilities are used in the transmission of a[n] . . . electronic communication, to intercept, disclose, or use that communication . . . while engaged in any activity which is [a] necessary incident to the rendition of his service or to the protection of the rights or property of that service...." 2511(2)(a)
This exception only applies to electronic communication service providers. Importantly, a large number of private entities require network security monitoring but are not themselves electronic communication service providers. For those entities that do qualify as service providers, it is not unlawful to monitor communications while engaged in activity that is a "necessary incident to" the provision of service or in order to protect the "rights or property" of the provider. But this exception is narrowly construed. In general, it permits providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service." U.S. v. Villanueva, 32 F. Supp. 2d 635, 639 (S.D.N.Y. 1998). In practice, the exception does not allow for unlimited or widespread monitoring nor does it, standing alone, expressly permit the provision of data collected under this authority to the government or third parties. Section 2511(3)(a) expressly notes that "[e]xcept as provided in paragraph (b) of this subsection, a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communications (other than one to such person or entity, or agent thereof) while in transmission on that service to any person or entity other than the addressee or intended recipient of such communication . . . ."
The service provider exception expressly includes an "agent" of an electronic communication service provider. 2511 (2)(a)(i). In theory, third-party service providers could qualify as an "agent" of an electronic communication service provider by virtue of their contractual relationship with the primary service provider. However, there is no current case law examining the requirements of agency in this context. Furthermore, courts have yet to address whether, as a normative matter, such cyber security services would constitute activity that is a "necessary incident to" the provision of an electronic communications service or is necessary to protect rights and property.
In Embarq, the court concluded that because Embarq's receipt of the Internet traffic was in the "ordinary course of business," the access did not constitute an interception within the meaning of the statute. However, NebuAd's act of extracting the content of that same traffic did constitute an interception. In other words, Embarq was protected as an ISP even if NebuAd ultimately violated ECPA because Embarq's access was in the ordinary course of business and therefore not an unlawful interception. Furthermore, section 2520 does not impose civil liability on aiders or abettors. The only persons liable are those who engaged in “that violation" referenced in the statute. The lack of secondary civil liability alters the incentives in the consent context as well. A service provider who has alternative protection within the ordinary course of business might be less careful to obtain consent for third party monitoring absent liability incentives to strictly comply.
Federal Preemption and State All-Party Consent Laws
In her post, Granick also notes that
these “notwithstanding any other law” threat sharing bills will interfere with the ability of states, especially California and New York, to protect consumers and consumer privacy with statutes regulating the collection, use and disclosure of sensitive information. Such California laws include CalECPA, Shine the Light notifications, Smart Meter utility data protection, the Financial Information Privacy Act, the Reader Privacy Act, Security of Personal Information Law, and more.
Granick is correct. CISA expressly preempts state laws: “This title supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this title.” But that’s actually a good thing.
The need for federal preemption is a driving force behind the cybersecurity legislative efforts. ECPA does not preempt state laws governing the interception of electronic communications; this was recently affirmed by courts with regard to California's Invasion of Privacy Act. Therefore, absent legislation that expressly preempts state law in the undertaking of monitoring of electronic communications for the purposes of cybersecurity information sharing, both electronic communication service providers and other industry companies, as well as third-party CSPs, may face state liability or criminal sanctions even if conforming to the provisions of ECPA.
The majority of states have wiretap laws, some of which are more stringent than the federal Wiretap Act. Twelve states require all parties to a communication to consent to interception, though the states differ on application to internet communications. Significantly, the California Supreme Court has determined that state wiretap laws can be applied to activity occurring outside the state. In Kearne v. Salomon Smith Barney, lnc., the state Supreme Court determined that a Georgia law firm who placed a call from Georgia (one-party consent required) to California (all-party consent required) and recorded the conversation without consent, violated California law despite the act occurring outside of the state. This indicates that security CSPs may be required to obtain all-party consent in order to monitor the content of communications where those communications might originate or terminate in California. Beyond the practical limitations on knowing where parties to an electronic communication are geographically located, many, perhaps a majority, of technology companies and electronic communication service providers will be headquartered or have offices within California. Providers were therefore required by default to apply California law. CISA creates a set of uniform federal rules to apply on a national basis.
The Scope of a Cybersecurity Purpose
CISA is clearly aimed at eliminating the concerns and uncertainty created by ECPA and state laws about information sharing. However, it does so only to a limited set of monitorings—those which are conducted “for cybersecurity purposes.” Under the act, the “term ‘cybersecurity purpose’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”
Therefore, ECPA’s protections remain in place for any activity—for example, advertising or human resources—that is not conducted for that purpose. Despite vague allegations from critics that “cybersecurity purpose” could be read to be all-encompassing, the various definitions and limitations within the act work to create a limited set of permissible activities. CISA seeks to generate more, not less, certainty for private industry regarding the legal limitations on cybersecurity monitoring.