Privacy: Stored Communications Act
The Stored Communications Act, 18 U.S.C. § 2701 et seq., (the “SCA”) regulates when an electronic communication service (“ECS”) provider may the contents of or other information about a customer’s emails and other electronic communications to private parties. Congress passed the SCA to prohibit a provider of an electronic communication service “from knowingly divulging the contents of any communication while in electronic storage by that service to any person other then the addressee or intended recipient.” S.Rep. No. 99-541, 97th Cong. 2nd Sess. 37, reprinted in 1986 U.S.C.C.A.N. 3555, 3591.
As courts have held, the SCA “protects users whose electronic communications are in electronic storage with an ISP or other electronic communications facility.” Theofel v. Farey-Jones, 341 F.3d 978, 982 (9th Cir. 2003). It “reflects Congress’s judgment that users have a legitimate interest in the confidentiality of communications in electronic storage at a communications facility.” Id. at 982.
Under 18 U.S.C. § 2701 , an offense is committed by anyone who: “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;” or “(2) intentionally exceeds an authorization to access that facility; and thereby obtains...[an] electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a)(1)-(2). However, it does not apply to an "electronic communication [that] is readily accessible to the general public." 18 U.S.C. § 2511(2)(g). See, e.g. Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1220 (2004).
Restrictions on Voluntary Disclosure
Disclosure of contents is strictly regulated. The SCA provides that any “person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service,” with limited exceptions. 18 U.S.C. § 2702(a)(1).
Contents of communications may not be disclosed to civil litigants even when presented with a civil subpoena. O'Grady v. Superior Court, 139 Cal.App.4th 1423, 1448 (Cal.App. 2006); accord The U.S. Internet Service Provider Association, Electronic Evidence Compliance—A Guide for Internet Service Providers, 18 BERKELEY TECH. L. J. 945, 965 (2003) ([No Stored Communications Act provision] “permits disclosure pursuant to a civil discovery order unless the order is obtained by a government entity. ... [T]he federal prohibition against divulging email contents remains stark, and there is no obvious exception for a civil discovery order on behalf of a private party."); see also Federal Trade Comm’n v. Netscape Communications Corp., 196 F.R.D. 559, 561 (N.D. Cal. 2000) (“There is no reason for the court to believe that Congress could not have specifically included discovery subpoenas in the statute had it meant to.”); In re Subpoena Duces Tecum to AOL, LLC, 550 F.Supp.2d 606 (E.D.Va. 2008) ("Agreeing with the reasoning in O'Grady, this Court holds that State Farm's subpoena may not be enforced consistent with the plain language of the Privacy Act because the exceptions enumerated in § 2702(b) do not include civil discovery subpoenas."); J.T. Shannon Lumber Co., Inc. v. Gilco Lumber Inc., 2008 WL 4755370 (N.D.Miss. 2008) (holding there is no "exception to the [SCA] for civil discovery or allow for coercion of defendants to allow such disclosure."); Viacom Intern. Inc. v. Youtube Inc., 253 F.R.D. 256 (S.D.N.Y. 2008) ("ECPA § 2702 contains no exception for disclosure of [the content of] communications pursuant to civil discovery requests."); Thayer v. Chiczewski, 2009 WL 2957317 (N.D.Ill. 2009) ("most courts have concluded that third parties cannot be compelled to disclose electronic communications pursuant to a civil--as opposed to criminal--discovery subpoena").
Section 2702 also generally forbids the disclosure of non-content records to the government, but allows non-content records to be disclosed to private parties. However, any disclosure of the identity of a user is subject to constitutional limitations.
Restrictions on Government Access
Section 2703 regulates government access to stored communications or transaction records in the hands of third party service providers. There are four categories of information, each with differing access requirements:
- contents of wire or electronic communications in electronic storage;
- contents of wire or electronic communications in a remote computing service;
- subscriber records concerning electronic communication service or remote computing service; and
- basic subscriber information.
These categories require a search warrant. 18 U.S.C. § 2703(a)-(c) Records pertaining a may be obtained by a court order upon proof of “specific and articulable facts showing ... reasonable grounds to believe that ... the records or other information sought, are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d); see also In re United States for an Order Pursuant to 18 U.S.C. 2703(d), 36 F. Supp. 2d 430 (D. Mass. 1999).
Certain basic subscriber information may be obtained with a "administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena." 18 U.S.C. § 2703(b)(1)(B)(i). A civil discovery subpoena, however, is not sufficient. See Federal Trade Comm’n v. Netscape Communications Corp., 196 F.R.D. 559, 561 (N.D. Cal. 2000) (finding that Section 2703’s allowance for “trial subpoenas” did not authorize the FTC’s use of a civil discovery subpoena to obtain non-content subscriber information from Netscape).
In some circumstances, the government may only obtain information with prior notice to the subscriber (see § 2703(b)(1)(B)) or if the government complies with the delayed notice provisions of § 2705(a). 18 U.S.C. §§ 2705(a)(1)(B) and 2705(a)(4) allow delayed notice (for ninety days) "upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result." 18 U.S.C. § 2705(a)(1)(B). See § 2705(a)(2) (definition of "adverse result") and § 2705(a)(6) (defintion of "supervisory official").
National Security Letters
18 U.S.C. § 2709 authorizes the FBI to compel the production of "subscriber information and toll billing records information, or electronic communication transactional records" in the possession of a broad range of Internet-related communications service providers through National Security Letters. It requires only that the FBI director or his designee makes the required certification that the records sought “are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities....” 18 U.S.C. § 2709, as amended by the USA PATRIOT Act.
The DOJ's Office of Legal Counsel issued an opinion to the FBI on Nov. 5, 2008, which clarified that "the FBI may issue a national security letter (“NSL”) to request, and a provider may disclose, only the four types of information—name, address, length of service, and local and long distance toll billing records—listed in section 2709(b)(1)." Previously, the FBI issued NSLs that sought "electronic communications transactional records," and included a secret list of material it considered ECTRs. The OLC determined that term ECTR "reaches only those categories of information parallel to subscriber information and toll billing records for ordinary telephone service."
Each NSL is accompanied by a gag order prohibiting the ECSP from ever revealing the demand was made, see 18 U.S.C. § 2709(d). In Doe v. Ashcroft, 2004 WL 2185571 (S.D.N.Y. 2004), a federal court ruled that the gag order violates an ISP's First Amendment rights. It also ruled that NSLs violate the Fourth Amendment right against unreasonable searches because, unlike ordinary subpoenas, they do not offer a direct opportunity to challenge the subpoena in court. Finally, the court recognized that NSLs threaten the First Amendment rights of the Internet users whose online speech activities are revealed. However, the case was mooted on appeal by changes to the NSL law.
A 2007 case under the revised law, Doe v. Gonzales, 500 F. Supp. 2d 379 (S.D.N.Y. 2007), held:
§ 2709(c) is unconstitutional under the First Amendment because it functions as a licensing scheme that does not afford adequate procedural safeguards, and because it is not a sufficiently narrowly tailored restriction on protected speech. Because the Court finds that § 2709(c) cannot be severed from the remainder of the statute, the Court finds the entirety of § 2709 unconstitutional.
Id. at 425.
Among the changes was the addition of a library exception to 2709:
(f) Libraries.--A library (as that term is defined in section 213(1) of the Library Services and Technology Act (20 U.S.C. § 9122(1)), the services of which include access to the Internet, books, journals, magazines, newspapers, or other similar forms of communication in print or digitally by patrons for their use, review, examination, or circulation, is not a wire or electronic communication service provider for purposes of this section, unless the library is providing the services defined in section 2510(15) ("electronic communication service") of this title.
Under the SCA, “‘ contents’, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8).
“ Electronic communications service” is broadly defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). According to the legislative history, "telephone companies and electronic mail companies" are ordinarily providers of electronic communication services. See S. Rep. No. 99-541 (1986) at 14, reprinted in 1986 U.S.C.C.A.N. 3555, 3568; see also Freedman v. America Online, Inc., 325 F. Supp. 2d 638, 643 & n.4 (E.D. Va. 2004). The “electronic communications service” definition is not limited to services provided to the general public. Hence any corporate office, school or library that offers its employees, students or members the means to access the Internet or otherwise communicate via an electronic network is an ECSP. See, e.g., United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with computerized travel reservation system accessed through separate computer terminals can be an ECSP); In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 307 (E.D.N.Y. 2005) (airline “does not become an ‘electronic communication service’ provider simply because it maintains a website that allows for the transmission of electronic communications between itself and its customers”); Andersen Consulting LLP v. UOP, 991 F.Supp. 1041, 1042 (N.D. Ill. 1998) (Andersen, which has internal e-mail system, is an ECSP); cf. Crowley v. Cybersource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001) (Amazon was a user rather than a provider of ECS);
An electronic communication is “any transfer of signs, signals, writing, images, sound, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photooptical system that affects interstate or foreign commerce....” 18 U.S.C. § 2510(12).
Chapter 7 - Privacy And Data Collection
Data Terminology · Statutory Protections · The Wiretap Act (Title III) · The Stored Communications Act · Government Agency Regulation · Searching and Seizing Computers · Key Privacy Cases · Industry Self-Regulation · International Issues