The Intersection of the Electronic Communications Privacy Act and the Open Internet's 'Reasonable Network Management' Exception

Abstract

Both the Electronic Communications Privacy Act (ECPA) and the FCC's Open Internet Rules have an exception for network management (ECPA's is called necessary incident to rendition of service, and to protection of property and service). ECPA has over forty years of caselaw navigating the waters of its exception. This paper seeks to explore what guidance ECPA's history can provide as the FCC embarks on its network management case-by-case analysis.With the Open Internet rules, the FCC will potentially be confronted with a number of case-by-case analyses of what lies within network management, with limited precedent guiding such determinations. A review of ECPA caselaw could contribute to a preliminary exploration of what network service provider activity has been identified as network management in the context of ECPA. These would generally be examples of how ECPA was implemented in the context of the legacy public telephone network, and these legacy examples might be intriguing but somewhat inapposite. More importantly, however, this review can explore the process by which courts traditionally conducted their ECPA analysis, offering a potential model framework for the FCC's case-by-case analyses. A network service provider's ability to intercept or access communications is not without limits. Generally, courts exploring whether a network's activity falls within the ECPA exceptions have engage in a three part analysis:• Does the network service provider have reasonable cause? • Is there a substantial nexus between the target of the service provider's actions and its concern?• Are the actions of the service provider narrowly tailored to the protection of the network or the rendition of service?Throughout the history of the network neutrality debate pizza has been a paradigm hypothetical. The pizza hypothetical can help demonstrate the intersection of ECPA and the OI Rules. For the purposes of this memo, Joe goes online to order pizza. Joe enters Pizza attempting to go to the ACME pizza site. Joe's ISP is a partner with ZEDA Pizza. Joe's ISP intercepts Joe's traffic, determines that Joe is attempting to order pizza, and redirects Joe's traffic to ZEDA Pizza. Two questions: (1) has Joe's ISP violated ECPA; and (2) has Joe's ISP violated the FCC's Open Internet order? The point for the moment is not to answer these questions, but rather to demonstrate that one set of facts calls into question both sets of authorities. Both authorities potentially have been violated. The process by which a decision maker resolves these questions has commonality. The facts are the same; the questionable activity is the same; the first-principles of public policy involved here are similar if not the same (as a matter of public policy we disfavor the unauthorized interception of communications traffic by public networks). Indeed the most significant difference between the two questions is that one is a criminal statute and the other is a communications regulatory policy.Forty years of ECPA caselaw has helped establish the boundaries where a communications network's activity does not run afoul of ECPA, and the method by which a court determines if an ISP is there. The question raised by this paper is what activities have been found to be permissible, and, more importantly, how did courts conduct this analysis?