B.1.2. Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) regulates the privacy of data and communications in transit by any means of transfer (wire, radio, electromagnetic, photoelectronic or photo-optical system, etc.). It defines an 'electronic communication' as any transfer of:

  • Signs;

  • Signals;

  • Writing;

  • Images;

  • Sounds;

  • Data;

  • Intelligence of any nature.

The definition is limited in scope in that it expressly excludes the following (wire and oral communications are instead covered by the Act's separate wiretap provisions):

  • Wire and oral communications (i.e. voice);

  • Communications made through a tone-only paging device;

  • Any communication from a court-sanctioned 'tracking device' (defined as 'an electronic or mechanical device which permits the tracking of the movement of a person or object');

  • Electronic funds transfer information held by a financial institution.

Title II of the ECPA (referred to as the Stored Communications Act) protects communications held in electronic storage rather than in transit, for example, email messages held on a server.

I mention the ECPA because a penetration testing team must make sure its activities are lawful under the Act before it starts intercepting or reading anyone's traffic. The ECPA is intended to protect against:

  • Government surveillance conducted without a court order.

  • Third parties without legitimate authorization accessing messages.

  • Unlawful interception or disclosure by carriers (e.g. Internet service providers).

However, it is not intended to protect employees from monitoring by their employers, and here lies the issue. As a third-party consultancy engaged by a client to test security (in whatever form), do you constitute an 'unauthorized third party' from the perspective of an employee, or are you an extension of their employer? This ...

From Unauthorised Access: Physical Penetration Testing For IT Security Teams (O'Reilly).