Bruce E. Boyden has an article in Cardozo Law Review (Vol. 34, No. 2). Here’s the abstract:
In recent years, it has become feasible for computers to rapidly scan the contents of large amounts of communications traffic to identify certain characteristics of those messages: that they are spam, contain malware, discuss various products or services, are written in a particular dialect, contain copyright-infringing files, or discuss symptoms of particular diseases. There are a wide variety of potential uses for this technology, such as research, filtering, or advertising. But the legal status of automated processing, if it is done without advance consent, is unclear. Where it results in the disclosure of the contents of a message to others, that clearly violates the federal law governing communications privacy, the Electronic Communications Privacy Act (ECPA). But what if no record of the contents of the communication is ever made? Does it violate communications privacy simply to have a computer scan emails?
I argue that automated processing that leaves no record of the contents of a communication does not violate the ECPA, because it does not “intercept” that communication within the meaning of the Act. The history, purpose, and judicial interpretation of the ECPA all support this reading: interception requires at least the potential for human awareness of the contents. Furthermore, this is not simply an accident of drafting or an omission due to the limited foresight of legislators. Under most theories of privacy, automated processing does not harm privacy. Automated processing may in some cases lead to harm, but those harms are not, in fact, privacy harms, and should be analyzed instead under other legal regimes better adapted to dealing with such issues.