FOUNDATIONS
Content vs Metadata
ECPA & Stored Communications Act
Warrants & Orders
Quick Scenarios
100

Data already sitting on a provider’s server is considered what?

Stored communications

100

The body of an email is considered what?

Content

100

What does a preservation letter do?

Prevents deletion of data

100

Which legal tool has the highest bar for approval?

Title III wiretap

100

Investigators want old cloud-stored emails. Stored or real-time?

Stored

200

Capturing communications as they occur is considered what?

Real-time interception

200

IP addresses and timestamps are considered what?

Metadata

200

How long does a preservation letter typically last?

90 days

200

Title III wiretaps are typically authorized for how long?

30 days

200

Investigators want live phone call audio. What authority applies?

Title III

300

Pen/Trap captures content or metadata?

Metadata

300

Metadata generally requires a lower or higher legal threshold than content?

Lower

300

A 2703(d) order requires what level of proof?

Specific articulable facts

300

Which authority captures real-time metadata only?

Pen Register / Trap & Trace

300

Investigators want IP logs from an ISP. Content or metadata?

Metadata

400

Real-time content interception generally requires what authority?

Title III wiretap

400

A subject line of an email is content or metadata?

Content

400

Content of stored emails generally requires what?

A warrant

400

Which legal tool is commonly used for stored provider records without content?

2703(d) order

400

Freezing data before legal process uses what tool?

Preservation letter

500

A PCAP collected after the fact is considered stored or real-time?

Stored

500

Pen/Trap statutes explicitly exclude what?

Content

500

Preservation equals production — true or false?

False

500

What must be shown for a criminal warrant?

Probable cause

500

Stored data older than 180 days historically fell under which statute?

ECPA / SCA

M
e
n
u