Privacy 9: ECPA: Material You Might Have Stored on Your Computer

(Number 9 of 13 on the topic PRIVACY)
Email number: 21
Date Posted: 6 August 1996, 5:30 pm EDT

We all have heard about hackers -- computer experts who have used their power to gain access to systems that they were not authorized to access. Most hackers are quite harmless. But harmlessness aside, hacking is a crime. ECPA, as well as other federal statutes (the Computer Fraud and Abuse Act in particular) make it a crime. Our focus here is ECPA: Under chapter 121 of ECPA, it is a crime to gain "unauthorized access" to a stored communications on a computer system.

What that means is this: It is a crime either

You may, for example, have permission to send and receive email on an on-line service; that does not mean you have permission to hack into the email of someone else. In either case, the hacking must be intentional. You must mean to cross a border for your crossing to be a crime.

That does not mean you have to intend to cause harm before your crossing is a crime. Under the Computer Fraud and Abuse Act (CFAA), if you intentionally exceed your authorization on a computer system and cause harm, then you are guilty under the statute whether or not you intended to cause any harm.

This was decided in the famous Robert Morris case, where Morris released a "worm" onto the internet, designed to show the world a hole in the security of the net. Morris intended his worm to gain unauthorized access to machines around the world, but he did not intend the worm to do harm. The worm, it turns out, had a different intent, and very quickly it did a large amount of harm. Morris was guilty under the CFAA, even though his intent was good. It was the worm's effect, not Morris' intent, that mattered.

Finally, ECPA also protects against unauthorized disclosure of the contents of private communications. This just follows from the protection against unauthorized access. If you don't have access, then you can't disclose what you have learned.

ECPA is just one statute that is designed to supplement constitutional protections for privacy. There are others that we have not discussed. For example, though we said in an earlier post that the constitution does not make it illegal for the government to install pen registers, Congress has regulated the use of pen registers by statute. We have tried to identify the most significant statutory protections, but our coverage is not exhaustive.

Next time: Steps you can take to protect your privacy.

Larry Lessig - David Post - Eugene Volokh

We now have over 18,000 subscribers! This has caused some server queuing problems. We thank you for your patience and apologize for any irregular deliveries that may have resulted due to technical snafus.

Please note that this is an announcement-only list and not a discussion list. Do not attempt to post comments to the list, as they will be ignored. An open discussion about these issues is being held at our archive web site at

which also contains an archive of the course materials.

To SUBSCRIBE to Cyberspace-Law, send a message to
with the command
in the body of your e-mail, (replacing "Firstname" and "Lastname" with your first and last names -- or such pseudonyms as you prefer).

To UNSUBSCRIBE to Cyberspace-Law, send a message to
with the command
in the body. (Do NOT include your name in an unsubscribe message.)

(N.B. Neither the address nor the listprocessor commands are case-sensitive.)

Yours virtually,

  Alan Lewine
  Cyberspace-Law Listmeister