Additional Questions Concerning Use of the
EINSTEIN 2.0 Intrusion-Detection System
The deployment of an intrusion-detection system known as the EINSTEIN 2.0 program
on the unclassified computer networks of the Executive Branch is consistent with the
federal and state laws discussed in this opinion.
Under the best reading of the statute, the EINSTEIN 2.0 program would not violate
section 705 of the Communications Act, because it would fall within section 705’s
exception permitting a person to “divulge” a communication through “authorized
channels of transmission or reception,” which allows either the sender or the recipient
of an Internet communication to convey the required authorization by consenting to a
communication’s disclosure, including by clicking through an approved log-on banner
or signing the computer-user agreement in order to gain access to a government-owned
information system.
If section 2702(a)(3) of the Stored Communications Act applied to the EINSTEIN 2.0
program, the exception in section 2702(c)(1)(C) permitting disclosure based on “the
lawful consent of the customer or subscriber” would also apply, because in this context
the government, and no other party, should be understood as the “customer or sub-
scriber” of the Internet service provider.
If a state law imposed requirements on the EINSTEIN 2.0 program exceeding those
imposed by these federal statutes, it would stand as an obstacle to the accomplishment
and execution of the full purposes and objectives of Congress and therefore be unen-
forceable under the Supremacy Clause of the Constitution.
August 14, 2009
MEMORANDUM OPINION FOR THE
ASSOCIATE DEPUTY ATTORNEY GENERAL
You have asked us to address whether the deployment of an intru-
sion-detection system known as the “EINSTEIN 2.0” program on the
unclassified computer networks of the Executive Branch is consistent
with (1) section 705(a) of the Communications Act of 1934, as amended,
47 U.S.C. § 605(a) (2006); (2) the provision of the Stored Communica-
tions Act codified at 18 U.S.C. § 2702(a)(3) (2006); and (3) state laws
concerning interception or electronic surveillance. For the reasons given
below, we conclude that it is. 1
1 We solicited the views of the Criminal Division and National Security Division on
each of these questions. Both components concur in our conclusions.
33 Op. O.L.C. 269 (2009)
I.
You have asked whether by engaging in any of the activities that are
part of the EINSTEIN 2.0 program, 2 the Department of Agriculture
(“USDA”), the Department of Homeland Security (“DHS”), or the
relevant Internet service provider (“ISP”) would violate section 705(a)
of the Communications Act of 1934, as amended, 47 U.S.C. § 605(a)
(2006). Although this is a novel question, and the statute is hardly a model
of clarity, we conclude that under the best reading of the statute, the
EINSTEIN 2.0 activities would not violate section 705.
In pertinent part, section 705 provides:
Except as authorized by chapter 119, title 18 [i.e., the Wiretap
Act], no person receiving, assisting in receiving, transmitting, or as-
sisting in transmitting, any interstate or foreign communication by
wire or radio shall divulge or publish the existence, contents, sub-
stance, purport, effect, or meaning thereof, except through author-
ized channels of transmission or reception,
(1) to any person other than the addressee, his agent, or attor-
ney,
(2) to a person employed or authorized to forward such com-
munication to its destination,
(3) to proper accounting or distributing officers of the various
communicating centers over which the communication may be
passed,
(4) to the master of a ship under whom he is serving,
(5) in response to a subpena issued by a court of competent ju-
risdiction, or
(6) on demand of other lawful authority.
47 U.S.C. § 605(a). 3 The Communications Act defines “person” in 47
U.S.C. § 153(32) (2006) to “include[] an individual, partnership,
association, joint-stock company, trust, or corporation.” “[C]ommunication by
wire” is defined as “the transmission of writing, signs, signals, pictures,
and sounds of all kinds by aid of wire, cable, or other like connection
between the points of origin and reception of such transmission, including
all instrumentalities, facilities, apparatus, and services (among other
things, the receipt, forwarding, and delivery of communications)
incidental to such transmission.” Id. § 153(52). 4
2 These activities are described in detail in a memorandum of this Office. See Use of
the EINSTEIN 2.0 Intrusion-Detection System to Protect Unclassified Computer Networks
in the Executive Branch, 33 Op. O.L.C. 63 (2009) (“EINSTEIN 2.0 Opinion”).
3 Section 705 contains additional prohibitions, such as on the “intercept[ion] [of] any
radio communication and divulg[ing] or publish[ing]” of its contents, and on the use for
personal benefit of radio communications intercepted or received without authorization.
Except for the first sentence of section 705 quoted above, these additional provisions
extend only to “radio” communications, which are not at issue here. See 47 U.S.C.
§ 605(a); id. § 153(33) (defining “radio communication” to “mean[] the transmission by
radio of writing, signs, signals, pictures, and sounds of all kinds”).
4 This definition of “wire communication” is substantially similar to the definition
of “electronic communication” under the Wiretap Act, 18 U.S.C. § 2510(12) (2006),
which includes “any transfer of signs, signals, writing, images, sounds, data, or
intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectronic or photooptical system that affects interstate or foreign commerce.” Cf.
id. § 2510(1) (defining “wire communication” under the Wiretap Act to mean an “aural
transfer”).
Although the scope of section 705’s prohibition is not entirely clear on
its face, case law supports reading the provision as a general bar on a
“person receiving, assisting in receiving, transmitting, or assisting in
transmitting” wire or radio communications from “divulg[ing]” or
“publish[ing]” such communications to persons other than the addressee, his
agent or attorney, except “through authorized channels of transmission or
reception,” as “authorized by” the Wiretap Act, or in the circumstances
enumerated in clauses (2) through (6). In United States v. Finn, 502 F.2d
938, 942 (7th Cir. 1974), for instance, the court identified the
“absurdities” that would result from a literal reading of the text, including that
“[c]lauses (2) through (6) would be rendered meaningless, for all of those
categories are completely covered by the more general clause (1).”
Similarly, reading clause (6) as a prohibition “would forbid divulgence of a
communication ‘on demand of other lawful authority,’” thereby
“render[ing] all such demands unlawful and by its own terms [] eliminat[ing]
the very category to which it refers.” Instead, the court concluded, clauses
(2) through (6) should be read “as exceptions to the general prohibition of
clause (1),” a construction the court viewed as “the only way to give
effect to the Congressional intent.” Id. Finn is consistent with a line of
precedents interpreting the pre-Wiretap Act version of this provision,
which contained substantially similar language. For instance, in Nardone
v. United States, 302 U.S. 379, 380–81 (1937), the Supreme Court charac-
terized the version of section 705 then in effect as providing that “no
person who, as an employee, has to do with the sending or receiving of
any interstate communication by wire shall divulge or publish it or its
substance to anyone other than the addressee or his authorized representa-
tive or to authorized fellow employees, save in response to a subpoena
issued by a court of competent jurisdiction or on demand of other lawful
authority.” 5 See also Hanna v. United States, 404 F.2d 405, 408–09 (5th
Cir. 1968) (“[I]nformation thus lawfully obtained may be divulged ‘in
response to a subpoena issued by a court of competent jurisdiction, or on
demand of other lawful authority.’” (quoting section 705)); Bubis v.
United States, 384 F.2d 643, 646–47 (9th Cir. 1967) (“[N]o . . . person
shall divulge or publish the existence, contents, substance, purport, or
effect of any such communication to anyone other than the addressee or
his authorized representative, or to authorized fellow employees, or in
response to a subpoena issued by a court of competent jurisdiction, or on
demand of other lawful authority.”); Brandon v. United States, 382 F.2d
607, 611 (10th Cir. 1967) (similar).
5 The version of the statute at issue in Nardone provided that:
No person receiving or assisting in receiving, or transmitting, or assisting in
transmitting, any interstate or foreign communication by wire or radio shall divulge
or publish the existence, contents, substance, purport, effect, or meaning thereof,
except through authorized channels of transmission or reception, to any person
other than the addressee, his agent, or attorney, or to a person employed or authorized
to forward such communication to its destination, or to proper accounting or
distributing officers of the various communicating centers over which the
communication may be passed, or to the master of a ship under whom he is serving, or in
response to a subpena issued by a court of competent jurisdiction, or on demand of
other lawful authority; and no person not being authorized by the sender shall
intercept any communication and divulge or publish the existence, contents, substance,
purport, effect, or meaning of such intercepted communication to any person; and
no person not being entitled thereto shall receive or assist in receiving any
interstate or foreign communication by wire or radio and use the same or any
information therein contained for his own benefit or for the benefit of another not
entitled thereto; and no person having received such intercepted communication or
having become acquainted with the contents, substance, purport, effect, or meaning
of the same or any part thereof, knowing that such information was so obtained,
shall divulge or publish the existence, contents, substance, purport, effect, or
meaning of the same or any part thereof, or use the same or any information therein
contained for his own benefit or for the benefit of another not entitled thereto . . . .
Communications Act of 1934, Pub. L. No. 73-416, § 605, 48 Stat. 1064, 1103–04.
Although our research has not uncovered any case law applying sec-
tion 705 in the context of cybersecurity activities, we conclude that the
EINSTEIN 2.0 program falls within section 705’s authorization to “di-
vulge” a communication through an “authorized channel[] of transmission
or reception.” We assume for purposes of this analysis—but do not de-
cide—that federal-systems Internet traffic would constitute “communica-
tion[s] by wire” under section 705, that the EINSTEIN 2.0 program would
involve “divulg[ence] or publi[cation]” of the contents of such communi-
cations, that DHS or USDA would be a “person receiving, assisting in
receiving, transmitting, or assisting in transmitting” such communica-
tions, and that the program would not be “authorized by” the Wiretap
Act. 6
6 A number of those assumptions may not be necessary, and thus there may be
additional bases for concluding that the EINSTEIN 2.0 program would not violate section
705. An argument might be made, for instance, that program activities are “authorized by”
the Wiretap Act for purposes of section 705 because they are not affirmatively prohibited
by that Act. Compare United States v. Freeman, 524 F.2d 337, 340 & n.5 (7th Cir. 1976)
(phrase “[e]xcept as authorized by [the Wiretap Act]” in section 705 “permits” telephone
companies to protect their rights or property pursuant to the relevant exception in 18
U.S.C. § 2511(2)(a)(i)), with EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 103 (concluding
that “the better reading” of a related exception in FISA for conduct “authorized by” the
Wiretap Act was to refer to affirmative “orders” obtained under that Act, rather than
activities that “merely are not prohibited by those statutes”). Although we need not, and
do not, resolve this question here, we note that such a reading of section 705 would not
only incorporate the Wiretap Act’s consent exception, see 18 U.S.C. § 2511(2)(a)(ii)
(2006), but would also appear to import wholesale all of the statutory exceptions found in
that Act, cf., e.g., id. § 2511(2)(a)(i) (“rights or property”), essentially collapsing section
705 and the Wiretap Act into a single standard, notwithstanding that section 705(a)
retained, by its plain terms, an independent limitation regarding wire communications.
It might separately be contended that any disclosure of communications by the service
provider to DHS would occur on “demand of other lawful authority,” although here DHS
has entered into an agreement with USDA and thus arguably is not “demand[ing]”
disclosure of communications. Cf. Brown v. Continental Tel. Co., 670 F.2d 1364, 1365–
66 (4th Cir. 1982) (request for records and telephone bills served on telephone company
by Attorney for the Commonwealth was a “demand of . . . lawful authority” under section
705 because the statute’s plain text contemplated the release of protected information “to
appropriate authorities in response to a demand less compelling than a subpoena”). And
with respect to any conduct of USDA or DHS that is potentially within the scope of
section 705, there is some question whether the first sentence of section 705 applies to
government employees. Compare United States v. Hall, 488 F.2d 193, 195 (9th Cir. 1973)
(superseded on other grounds) (“The legislative history [] explicitly shows that Congress
intended to exclude law enforcement officers from the purview of the new [section
705]”); S. Rep. No. 90-1097, at 108 (1968) (“[The first sentence of section 705] is
designed to regulate the conduct of communications personnel.”); and Int’l Cablevision,
Inc. v. Sykes, 75 F.3d 123, 131 n.4 (2d Cir. 1996) (similar), with Nardone, 302 U.S. at 381
(“Taken at face value the phrase ‘no person’ [in the pre-Wiretap Act version of section
705] comprehends federal agents[.]”); and United States v. Sugden, 226 F.2d 281 (9th Cir.
1955) (interpreting pre-Wiretap Act version of section 705 to permit FCC agents to “listen
[to radio communications] for the purpose of enforcing the [Communications] [A]ct” but
to require exclusion of evidence, in a criminal prosecution unrelated to violations of that
Act, obtained by FCC agents who intercepted defendant’s short range radio
transmissions). We need not, and do not, resolve these issues in light of our conclusion that the
exercise falls within section 705’s “authorized channels of transmission” provision.
We begin with the text of section 705, which expressly permits a
“divulge[nce] or publi[cation]” of a wire communication made “through
authorized channels of transmission or reception.” We believe the plain
language of section 705 is fairly interpreted to include the EINSTEIN
scanning sensors as a “channel[] of transmission or reception” of Internet
communications, particularly where a party to the communication has, as
here, expressly authorized such scanning. In reaching this conclusion, we
have considered the potential ambiguities concerning both what
constitutes a “channel of transmission or reception” and what constitutes a
channel that has been “authorized” for purposes of section 705.
As to the first issue, we are aware of a narrower construction of the
phrase “channel[] of transmission or reception” that would be limited to
the channel through which the communication actually passes from
recipient to sender. Under such a reading, section 705 would prohibit, inter
alia, forwarding of a mirror copy of federal systems Internet traffic to
EINSTEIN 2.0 sensors for processing, see EINSTEIN 2.0 Opinion, 33
Op. O.L.C. at 67–68, or DHS’s disclosure to another federal agency if that
disclosure did not involve transmitting the communication to its recipient,
unless one of the other express exceptions in the statute applied. But the
text of the section does not by terms compel that narrower reading, given
the placement of the relevant phrase. That phrase is located where it could
be read to qualify the prohibition against divulgence to third parties, and
thus to indicate that the channels being referenced are those that might be
used to reach third parties. Indeed, the phrase itself, in its second
appearance in the section, is not limited to channels of transmission by “wire,”
suggesting a potentially broad conception of the means by which
communications may be passed along. Furthermore, the text is not clear that the
channel in question must be the one through which the original
communication travels, as the text specifically refers to the divulgence, not of the
communication itself, but of its substance or meaning. Insofar as the
phrase “channels of transmission or reception” qualifies the divulgence,
as its placement indicates, it is clearly intended to refer to channels other
than those through which the communication flows.
As to whether the channel would be “authorized” for purposes of sec-
tion 705, the dictionary defines “authorized” as “having authority[;] . . .
recognized as having authority[;] . . . approved,” and defines “authori-
ty” as, inter alia, “justifying grounds: basis, warrant.” Webster’s Third
New International Dictionary 146 (3d ed. 1993). The statute does not
specify the source or nature of the “authoriz[ation]” required. As a
matter of ordinary meaning, the term “authorized” is certainly broad
enough to encompass either the sender or receiver of a communication
expressly authorizing—by means of indicating consent to—divulgence
or publication. This reading is also supported by the terms of section
705’s second sentence, which states that “[n]o person not being author-
ized by the sender shall intercept any radio communication and divulge
or publish” that communication. 47 U.S.C. § 605(a) (emphasis added).
That Congress chose the unqualified term “authorized” in the first
sentence, while expressly limiting which party could authorize disclo-
sure in the second, suggests an intent that the term be given a broader
reading in the former instance. 7 We therefore would interpret the phrase
“authorized channels of transmission or reception” to permit either the
sender or the recipient of an Internet communication to convey the
required authorization by consenting to a communication’s disclosure
in the context of the EINSTEIN 2.0 system.
7 Our reading of “authorized” arguably also draws support from, and is entirely
consistent with, the use of the word “authorizing” in the text of section 705(b), which
contemplates a “marketing system” for satellite communications in which “agents have been
lawfully designated for the purpose of authorizing private viewing by individuals” and
“individuals receiving [satellite] programming ha[ve] obtained authorization for private
viewing under that [marketing] system.” 47 U.S.C. § 605(b).
Although we are not aware of any judicial precedent directly on point,
we draw support for this reading of the statute from case law analyzing
consent by either the sender or receiver of a communication in determin-
ing whether interception or divulgence of a telephone call violated certain
related provisions in section 705. In Rathbun v. United States, 355 U.S.
107 (1957), for instance, the Supreme Court held that the second clause of
the version of section 705 then in effect (which provided that “no person
not being authorized by the sender shall intercept any communication and
divulge or publish the existence, contents, substance, purport, effect, or
meaning of such intercepted communication to any person,” see supra
note 5) was not violated where the recipient of a phone call asked the
police to listen to the call on an extension telephone in his home. The
Court concluded, notwithstanding the statute’s specific reference to the
“authoriz[ation] [of] the sender,” that “there ha[d] been no ‘interception’
as Congress intended that the word be used.” 355 U.S. at 109. The Court
looked to another related provision of section 705, which then prohibited
any person from “receiv[ing] or assist[ing] in receiving any interstate or
foreign communication by wire or radio and us[ing] the same or any
information therein contained for his own benefit.” That provision, the
Court explained, gave “[t]he clear inference . . . that one entitled to re-
ceive the communication may use it for his own benefit or have another
use it for him.” Id. at 110. In dictum the Court further observed that even
the defendant in that case conceded that under section 705 “either party
may record the [telephone] conversation and publish it.” Id.
Similarly, in Weiss v. United States, 308 U.S. 321 (1939), the Court
held evidence to be inadmissible in a criminal trial where federal agents
had violated the same provision of section 705 as in Rathbun (the prohibi-
tion against any person “not being authorized by the sender” intercepting
and divulging communications) by tapping the defendant’s intrastate
phone calls. In rejecting the government’s argument that the defendant’s
trial testimony about the intercepted conversations constituted consent,
the Court relied on the fact that “divulgence was not consented to by
either of the parties to any of the telephone conversations.” Id. at 330
(emphasis added). More recently, in United States v. Hodge, 539 F.2d 898
(6th Cir. 1976), the court rejected a defendant’s claim that agents of the
Drug Enforcement Agency had violated section 705 by recording tele-
phone conversations between the defendant and a government informant.
(The informant in the case had consented to the DEA monitoring.) The
court quoted section 705 in full before tersely dismissing the defendant’s
claim, explaining that “[i]t is well settled that there is no violation of the
[Communications] Act if the interception was, as here, authorized by a
party to the conversation.” Id. at 905. 8
Although these cases do not interpret the phrase in section 705 upon
which we rely here, they provide at least indirect support for reading the
word “authorized,” which appears without qualification as to the scope of
the persons encompassed by it, to permit the recipient of a communication
(either a federal agency, in the case of communications directly to that
agency, or individual federal employees, in the case of communications to
those employees) to consent to and thereby authorize the communica-
tion’s disclosure in the context of the EINSTEIN 2.0 program. 9 At a
minimum, our reading of the unqualified word “authorized” is consistent
with what appears to have been the prior understanding that the statute
was not, absent an express limitation regarding the scope of any consent
exception, intended to require two-party consent for any such exception to
apply.
8 A modern line of cases brought by plaintiff corporations to prevent the unauthorized
reception or transmission of satellite television signals has focused on the consent of the
sending party in determining whether a “divulg[ence]” was “authorized.” See, e.g.,
National Satellite Sports, Inc. v. Eliadis, Inc., 253 F.3d 900, 916–17 (6th Cir. 2001)
(holding that private cable company had violated section 705 by selling the broadcast
transmission of a boxing match to a commercial customer, when the company was only
authorized by the program’s originator to distribute it to residential customers). We do not
read these cases as negating the relevance of the precedents discussed above, which
contemplate consent by either party to communications such as telephone calls. For one
thing, the modern case law does not purport to overrule or limit the precedents discussed
above. More significantly, in this line of cases there is no contention that the recipient of a
licensed commercial broadcast—who often acts pursuant to a contractual agreement with
the originator—is “authorized” to distribute the material beyond the terms of that
agreement.
9 In light of this case law, we do not believe the existence of an express consent
exception in the Wiretap Act requires a contrary interpretation of “authorized channel[] of
transmission or reception” in section 705. When Congress reenacted the language of
section 705 in the 1968 Wiretap Act, it did so against the settled background of case law
interpreting the pre-Wiretap Act statute to allow consensual interception. By reenacting
statutory text that was in large part identical to the preexisting language, and by indicating
no disapproval of settled case law, Congress can be understood to have left in place the
established meaning of the text it employed rather than to have impliedly precluded
recognition of a consent exception.
As we explain below, we believe that under our reading of section 705,
the manifestations of consent by USDA in conjunction with those of
individual federal employees using government information systems are
sufficient to avoid a violation of that provision by the ISP, DHS, or
USDA, in conjunction with the authorized operation of the EINSTEIN 2.0
system. First, with respect to potential violations by the service provider,
we believe any “divulge[nce]” of communications would occur through
an “authorized channel[] of transmission or reception.” As to any disclo-
sure by the provider of communications between third parties and USDA,
the agency has “authorized” the service provider to disclose such commu-
nications to DHS by virtue of the Memorandum of Agreement between
USDA and DHS, which memorializes USDA’s consent to the scanning of
its Internet traffic for cybersecurity purposes. As to disclosure by the
service provider of communications addressed to or sent by individual
employees, we have previously concluded that a federal employee’s valid,
voluntary consent to the scanning of Internet traffic is apparent from his
clicking through an approved log-on banner or signing the computer-user
agreement in order to gain access to a government-owned information
system, see EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 98, and we believe
this consent would foreclose any claim that the service provider would
violate section 705 by transmitting communications through the intrusion-
detection sensors operated by DHS because it would authorize any result-
ing divulgence.
We similarly conclude that the same consents—by USDA and USDA
employees—“authorize” DHS to “divulge” the communications to any
other authorized agency without running afoul of the prohibition in sec-
tion 705. As to communications involving the agency itself, USDA has
expressly consented to any such disclosures by DHS through the Memo-
randum of Agreement and other documents detailing the operation of the
EINSTEIN 2.0 program. As to communications involving individual
employees, the model log-on banner and computer-user agreement dis-
cussed in our EINSTEIN 2.0 Opinion state expressly that “[a]ny commu-
nications or data transiting or stored on this information system may be
disclosed or used for any lawful government purpose.” 33 Op. O.L.C. at
70. The scope of the employee’s consent to disclosure for any “lawful
government purpose” is informed by our separate conclusion in the con-
text of 18 U.S.C. § 2511 that DHS is “authorized by law” to conduct an
exercise involving EINSTEIN technology, as described in the implemen-
tation plan governing that exercise, by virtue of several affirmative statu-
tory authorities, particularly a recent appropriations statute providing
funding for the precise exercise in question, as well as DHS’s organic
statute and the Federal Information Security Management Act.
Finally, we believe the log-on banner and computer-user agreements
discussed above would also be sufficient to foreclose any claim that
USDA would violate section 705 by divulging to DHS, through its partic-
ipation in EINSTEIN 2.0, the contents of communications addressed to its
employees.
This reading of section 705 is consistent with the conclusion in our
EINSTEIN 2.0 Opinion that the EINSTEIN 2.0 program would not violate
parallel non-disclosure provisions contained in the Wiretap Act. Section
2511(3) of title 18, U.S. Code, provides that “a person or entity providing
an electronic communication service to the public shall not intentionally
divulge the contents of any communication . . . while in transmission on
that service to any person or entity other than an addressee or intended
recipient of such communication or an agent of such addressee or intend-
ed recipient,” except “with the lawful consent of the originator or any
addressee or intended recipient of such communication,” or “to a person
employed or authorized, or whose facilities are used, to forward such
communication to its destination.” Our EINSTEIN 2.0 Opinion conclud-
ed that EINSTEIN 2.0 would not unlawfully “divulge” the contents of
Internet communications within the meaning of section 2511(3), both
because the participating agency and its employees would have manifest-
ed consent to the scanning, and “because the federal government is ‘au-
thorized,’ and its ‘facilities are used, to forward such communications to
[their] destination.’” 33 Op. O.L.C. at 96. With respect to individual
federal employees, we further noted that Internet communications cannot
reach employees at work without routing through the government’s com-
puter systems. Id. Thus, even if section 705 is not read by terms to incor-
porate this exception, we find it significant that the exception we conclude
section 705 adopts is hardly a novel one in this area. We are also not
aware of any legislative history that indicates a congressional intention to
preclude recognition of such an exception here.
II.
We believe the EINSTEIN 2.0 system would also comply with the pro-
vision of the Stored Communications Act (“SCA”), codified at 18 U.S.C.
§ 2702(a)(3), that provides that “a provider of remote computing service
or electronic communication service to the public shall not knowingly
divulge a record or other information pertaining to a subscriber to or
customer of such service (not including the contents of communications
covered by [section 2702(a)(1) or (a)(2)]) to any governmental entity.”
Insofar as the EINSTEIN 2.0 system examines, in real time, Internet
traffic-flow data that is not retained by the ISP, there may be grounds to
assert that this provision is simply inapplicable, because the data in ques-
tion is not a “record or other information” within the possession of the
ISP. Even assuming, however, that section 2702(a)(3) by its terms may
apply to EINSTEIN 2.0, we believe that the statutory exception permitting
disclosure based on “the lawful consent of the customer or subscriber”
would apply. 18 U.S.C. § 2702(c)(1)(C) (2006). That is because we be-
lieve that in this context the government, and no other party, should be
understood as the “customer or subscriber” of the ISP for purposes of
this exception. On this view, even assuming that non-content informa-
tion obtained from or with the assistance of the ISP regarding Internet
traffic that passed onto or off of the government’s system would qualify
as “record[s] or other information” under the SCA, these “record[s] or
other information” would “pertain[] to” the government as a “subscriber
to or customer of [the ISP’s] service,” and the government could there-
fore provide “lawful consent” to divulge this information. 18 U.S.C.
§ 2702(c)(2).
This construction of the statute fits naturally with the plain text: insofar
as a government agency has contracted with an ISP for Internet service,
the government is indisputably a “customer” (if not also a subscriber) of
the ISP. In accordance with this view, the Ninth Circuit has characterized
a municipality as a “subscriber” of a text-messaging service where the
municipality contracted with the service to provide two-way text pagers
to police officers and other municipal employees. See Quon v. Arch
Wireless Operating Co., 529 F.3d 892, 895, 903 (9th Cir. 2008).
Insofar as end users such as individual employees hold a protected pri-
vacy interest in non-content information, the employer’s consent to dis-
closure might violate some legal obligation of the employer, but it would
not create liability for the ISP under the SCA, since the ISP had obtained
the necessary consent of its “customer or subscriber.” In any event, in our
case, the individual employees have also consented to the disclosure, so
disclosure should not violate any SCA-protected interest of theirs (even
if they are also somehow “customers or subscribers” of the ISP). Nor
does there appear to be any Fourth Amendment issue with the disclosure.
Not only have the employees here consented to the disclosure, but courts
have generally concluded that there is no reasonable expectation of
privacy in non-content information provided to an ISP. See, e.g., United
States v. Perrine, 518 F.3d 1196, 1204–05 (10th Cir. 2008) (collecting
cases); Freedman v. America Online, Inc., 412 F. Supp. 2d 174, 181–82
(D. Conn. 2005).
We recognize the concern that non-content information pertaining to
one customer or subscriber (such as the government in our case) could
include information pertaining to other customers or subscribers of the
ISP insofar as those other parties have sent or received traffic from the
first customer/subscriber’s computers. But we do not believe the SCA
should be read to require separate consent from both customers/sub-
scribers in that circumstance. Such records or information “pertain” to the
customer/subscriber providing consent, even if they reveal information
about other customers/subscribers too, so under the plain text of the
statute one-party consent seems sufficient for disclosure. Indeed, any
other interpretation would yield the odd result that a customer’s ability to
consent to disclosure of its information would depend on whether other
parties it telephoned or emailed happened to be customers of the same
provider. Also, unlike content information, which relates to discrete
messages each with a particular sender and particular recipients, the
“record or other information” covered by section 2702(a)(3) often in-
volves an aggregation of data—the total record of a customer/subscriber’s
Internet traffic or phone calls, for example—that is unique to the individ-
ual customer/subscriber and for which (as a result) no other party could
provide meaningful consent. Information regarding other custom-
ers/subscribers who have not provided consent could of course be dis-
closed under this analysis only to the extent that such information is
contained in a “record or other information” pertaining to the customer or
subscriber who has provided lawful consent (here, the government).
Furthermore, the SCA’s consent exception for content information ex-
pressly allows one-party consent—either the “originator” or the “address-
ee” or “intended recipient” of the communication may authorize disclo-
sure of its contents, 18 U.S.C. § 2702(b)(3)—and it would be anomalous
if the provisions on non-content information, which are generally less
restrictive, imposed a more stringent consent requirement than those for
content information. Cf. In re American Airlines, Inc. Privacy Litig., 370
F. Supp. 2d 552, 561 (N.D. Tex. 2005) (construing statute to allow any
intended recipient of a communication to authorize disclosure of content
information). Congress appears to have adopted the current SCA provi-
sions on non-content information in part to bring those provisions more in
line with provisions on content information. Before 2001, the SCA pro-
vided only that a provider could disclose “a record or other information
pertaining to a subscriber to or customer of [the provider’s] service (not
including [content information]) to any person other than a governmental
entity” and that the provider generally could disclose such records or
information to a governmental entity “only when the governmental entity
. . . ha[d] the consent of the subscriber or customer to such disclosure” or
satisfied one of several other enumerated exceptions. See 18 U.S.C.
§ 2703(c) (2000); Pub. L. No. 99-508, § 201, 100 Stat. 1848, 1860 (1986).
Congress amended the statute to provide that, even without an affirmative
government request, the provider may disclose records and information
covered by section 2702(a)(3) “with the lawful consent of the customer
or subscriber” or in certain other specified circumstances. See 18 U.S.C.
§ 2702(c)(2) (Supp. I 2001); Pub. L. No. 107-56, § 212(a)(1)(E), 115
Stat. 272, 284 (2001). As explained in the legislative history, Congress
intended this change “to allow communications providers to disclose non-
content information (such as the subscriber’s login records).” H.R. Rep.
No. 107-236, pt. 1, at 58 (2001). Under pre-2001 law, the House Judiciary
Committee explained, “the communications provider [was] expressly
permitted to disclose content information but not expressly permitted to
provide non-content information. This change would cure this problem
and would permit the disclosure of the less-protected information, parallel
to the disclosure of the more protected information.” Id.; see also 147
Cong. Rec. 19,001, 19,009 (statement of Sen. Leahy) (discussing 2001
amendments and observing that “the right to disclose the content of com-
munications necessarily implies the less intrusive ability to disclose non-
content records”). In addition, although we are aware of little relevant
legislative history bearing directly on the meaning of “consent” in section
2702(a)(3), the legislative history of the SCA as originally enacted sug-
gests that Congress understood background legal principles to allow one-
party consent, which arguably supports construing consent provisions of
the statute in accordance with that understanding. See S. Rep. No. 99-541,
at 3 (1986) (observing that “because [information on remote computer
systems] is subject to control by a third party computer operator, the
information may be subject to no constitutional privacy protection” (citing
United States v. Miller, 425 U.S. 435 (1976))).
III.
Finally, we do not believe the EINSTEIN 2.0 program impermissibly
infringes state wiretapping and communication privacy laws. See, e.g.,
Fla. Stat. Ann. § 934.03(3)(d) (West 2009); 18 Pa. Cons. Stat. Ann.
§ 5704(4) (West Supp. 2009); Md. Code Ann., Cts. & Jud. Proc. § 10-
402(c)(3) (Lexis Nexis 2009); Cal. Penal Code § 631(a) (West 1999). To
the extent that such laws purported to apply to the conduct of federal
agencies and agents conducting authorized EINSTEIN 2.0 operations and
imposed requirements that exceeded those imposed by the federal statutes
discussed above and in our EINSTEIN 2.0 Opinion, they would “stand[]
as an obstacle to the accomplishment and execution of the full purposes
and objectives of Congress,” and be unenforceable under the Supremacy
Clause. Hines v. Davidowitz, 312 U.S. 52, 67 (1941); see also Geier v.
Am. Honda Motor Co., 529 U.S. 861, 873 (2000); Old Dominion Branch
v. Austin, 418 U.S. 264 (1974); Bansal v. Russ, 513 F. Supp. 2d 264, 283
(E.D. Pa. 2007) (concluding that “federal officers participating in a feder-
al investigation are not required to follow” state wiretapping law contain-
ing additional requirements not present in the federal Wiretap Act, be-
cause in such circumstances, “the state law would stand as an obstacle to
federal law enforcement”); Johnson v. Maryland, 254 U.S. 51 (1920); cf.
United States v. Adams, 694 F.2d 200, 201 (9th Cir. 1982) (“evidence
obtained from a consensual wiretap conforming to 18 U.S.C. § 2511(2)(c)
is admissible in federal court proceedings without regard to state law”).
DAVID J. BARRON
Acting Assistant Attorney General
Office of Legal Counsel