Quiz — ECPA: Wiretap Act, Stored Communications, and Pen Registers

Module: 02c — ECPA: Wiretap Act, Stored Communications, and Pen Registers Difficulty: Intermediate

Questions

Q1. Under the Wiretap Act, which federal statute codifies the core prohibition on intentionally intercepting electronic communications?

• A) 18 U.S.C. § 2701
• B) 18 U.S.C. § 2511(1)(a)
• C) 18 U.S.C. § 3121
• D) 18 U.S.C. § 2510(4)

Correct answer: B Explanation: Section 2511(1)(a) contains the operative criminal prohibition — making it a federal crime to intentionally intercept, endeavor to intercept, or procure any other person to intercept any wire, oral, or electronic communication. Section 2510(4) defines "intercept" but is a definitions section, not the prohibition.

Q2. In Joffe v. Google, Inc. (9th Cir. 2013), the court held that Google's capture of payload data from unencrypted Wi-Fi networks during Street View operations was:

• A) Lawful under the "readily accessible to the general public" exception in § 2511(2)(g)(i)
• B) A violation of the Stored Communications Act because the data was at rest
• C) A Wiretap Act violation because unencrypted Wi-Fi payload data does not qualify as "readily accessible to the general public"
• D) Exempt under the provider exception because Google operates a communications network

Correct answer: C Explanation: The Ninth Circuit held that the "readily accessible to the general public" exception under § 2511(2)(g)(i) applies to true broadcast media like AM/FM radio, not to Wi-Fi where capturing payload requires specialized equipment and deliberate positioning. The ruling means capturing payload data from open Wi-Fi networks violates the Wiretap Act regardless of encryption status.

Q3. The Stored Communications Act (18 U.S.C. § 2701) divides service providers into two categories. Which category receives stronger legal protections for stored communications?

• A) Remote Computing Service (RCS), because cloud providers handle more sensitive data
• B) Electronic Communication Service (ECS), which generally requires a warrant for government access to content under United States v. Warshak
• C) Both categories receive identical protections under the SCA
• D) Remote Computing Service (RCS), because the 1986 statute was written specifically for cloud environments

Correct answer: B Explanation: ECS providers receive stronger protection. Following United States v. Warshak (6th Cir. 2010), users have a reasonable expectation of privacy in stored emails, making law enforcement obtain a full Fourth Amendment warrant for ECS content under § 2703(a). RCS providers originally had weaker protections under the 1986 statute, though the gap has narrowed with the CLOUD Act.

Q4. Under the SCA's three-tier structure for government compelled disclosure (§ 2703), what legal process is required to obtain basic subscriber and transactional records such as a user's name, address, and IP address?

• A) A full Fourth Amendment probable cause warrant
• B) A § 2703(d) court order based on "specific and articulable facts"
• C) A subpoena, with no showing of probable cause required
• D) A Title III wiretap order from a federal district court

Correct answer: C Explanation: Under the SCA's three-tier structure, Tier 1 basic subscriber and transactional records (name, address, session times, IP address) can be obtained with a subpoena — the lowest legal standard. A § 2703(d) "specific and articulable facts" order is required for Tier 2 non-content records, and a warrant is required for Tier 3 content.

Q5. A security researcher installs a passive network tap on a client's corporate network with written authorization. The client-company, as operator, has consented. Under ECPA, which two legal doctrines most directly support the researcher's protection from Wiretap Act liability?

• A) The "readily accessible" exception and the provider exception
• B) The consent exception under § 2511(2)(c)/(d) and the provider exception under § 2511(2)(a)(i)
• C) The pen register exception and the SCA voluntary disclosure provision
• D) The § 2515 suppression remedy and the § 2702(b) emergency exception

Correct answer: B Explanation: The client-company as a party to communications traversing its network can provide consent under § 2511(2)(c)/(d), and if the researcher is operating as an agent of the network operator for security purposes, the provider exception under § 2511(2)(a)(i) also applies. Written authorization documenting both the consent and the security purpose is essential to establish both doctrines.

Q6. In United States v. Councilman (1st Cir. 2005, en banc), the court held that an email service operator who intercepted customers' emails before delivery for competitive intelligence was NOT protected by the provider exception. What was the primary reason?

• A) The operator was not an ECS provider and therefore had no provider exception claim
• B) The provider exception does not apply to email at all — only to telephone communications
• C) The provider exception does not extend to intentional monitoring of customer communications for commercial gain, rather than for service protection purposes
• D) The emails were in transit and therefore covered only by the Stored Communications Act, not the Wiretap Act

Correct answer: C Explanation: The en banc First Circuit held that while Councilman was a provider of electronic communication service, the provider exception under § 2511(2)(a)(i) only protects interception as a necessary incident to service rendition or protection of the provider's rights or property. Monetizing competitive intelligence from customer communications falls entirely outside this protection. The court also clarified that email in temporary server storage during transmission is covered by the Wiretap Act.

Q7. California Penal Code § 632 is considered especially dangerous for remote penetration testers because:

• A) It extends California all-party consent requirements to any confidential communication where either party is in California, regardless of where the recorder is located
• B) It requires federal authorization before any electronic communication may be recorded in California
• C) It imposes criminal penalties only on the party who initiates the recording, not the party who receives it
• D) It applies only to telephone calls, not to VoIP or internet-based communications

Correct answer: A Explanation: Section 632 applies whenever a confidential communication is recorded where either party is in California — meaning a remote tester outside California who records a vishing call with a California-based employee triggers § 632 even under federal one-party consent. Civil damages are $5,000 per recording per plaintiff, with no intent requirement for civil liability.

Q8. The Pen Register Act (18 U.S.C. §§ 3121–3127) governs collection of dialing, routing, addressing, or signaling information but explicitly excludes:

• A) IP headers and source/destination port numbers
• B) The contents of any communication
• C) DNS queries and HTTP request URLs
• D) Email header fields including To, From, and Subject lines

Correct answer: B Explanation: The Pen Register Act applies only to metadata — dialing, routing, addressing, or signaling information — and explicitly excludes "the contents of any communication." IP headers, DNS queries, and HTTP request URLs fall under the Pen Register Act. Capturing actual payload content (such as the body of an email or the data in an HTTP response) moves from pen register territory into Wiretap Act territory.

Q9. In United States v. Ropp (C.D. Cal. 2004), the court held that an employer's keylogger was NOT protected by the provider exception. Which principle did this establish for security researchers operating as third-party contractors?

• A) Keyloggers are categorically illegal under ECPA regardless of authorization
• B) The provider exception protects only ISPs, not corporate network operators
• C) Purpose matters under the provider exception — security-motivated monitoring is more protected than surveillance-motivated monitoring, and contractors should rely on explicit consent rather than the exception alone
• D) Any interception of employee communications by an employer violates § 2511 regardless of ownership of the network

Correct answer: C Explanation: Ropp established that the "necessary incident" requirement of the provider exception requires a security-protection rationale, not merely ownership of the network. General surveillance or HR-motivated monitoring does not qualify. The case reinforces that third-party contractors should obtain explicit written authorization rather than relying solely on the provider exception, and that the purpose of the interception must be documented.

Q10. A honeypot operator deploys a server on their own authorized infrastructure to capture attacker behavior. Under ECPA, the operator can lawfully capture all content attackers send to the honeypot primarily because:

• A) Honeypots are expressly exempted from ECPA under § 2511(2)(f)
• B) The operator is a party to all communications with the honeypot and thus falls within the consent exception
• C) Attackers have no reasonable expectation of privacy under any circumstances
• D) Capturing malicious traffic is covered by the Pen Register Act, not the Wiretap Act, and requires no authorization

Correct answer: B Explanation: A honeypot operator is treated as a party to all inbound communications with the honeypot, satisfying the consent exception under § 2511(2)(d). The module notes that courts have generally held honeypot operators can lawfully capture all content sent by attackers, but the honeypot must be operated by the authorized system owner. Adding warning banners further strengthens the legal position by eliminating any reasonable expectation of privacy argument.