If you are responsible for implementing and policing company policies to protect stored electronic communications or for complying with government requests to disclose such communications, you no doubt are familiar with the Stored Communications Act, as well as its deficiencies. Moreover, if the company is a provider of network services “in the cloud,” knowing whether the company is entitled to the protections afforded by the Stored Communications Act is critical. For years, though, judges, legal scholars, legislators, privacy advocates and Internet and network/communications service providers have complained about the deficiencies of the Stored Communications Act. Many have urged Congress to simplify its complex structure and opaque language and, most importantly, to broaden its scope to clearly address 21st century technology.
The Stored Communications Act (18 U.S.C. §§ 2701-2711) (SCA) was enacted in 1986 as Title II of the Electronic Communications Privacy Act and is the primary federal statute regulating the government’s right to obtain stored electronic communications from certain providers of network services. In order to make sense of the SCA and appreciate its deficiencies, it is important to understand the policies on which the SCA is based. Understanding these policies, in turn, requires revisiting the state of technology circa 1986.
Although 1986 was not exactly the “dark ages” for technology, it is unlikely that anyone would dispute that technology has significantly evolved in the past 25 years. Still, by 1986, the use of computers and network-related technology had become more decentralized, reflecting the proliferation of personal computers, both in the office and at home. Individuals increasingly used their personal computers (equipped with a modem) to access proprietary network services, such as America Online or CompuServe, in order to send and receive emails, to post messages on public bulletin board systems and to engage in similar activities.
When Congress enacted the SCA, its primary concern was to encourage and support the growth of companies in the then-emerging Internet and wireless communications industries and to ensure that such growth would not be inhibited by customer concerns regarding the privacy of their communications. (Under then-existing Supreme Court precedent, it was far from clear that the Supreme Court would extend Fourth Amendment protection to these new types of communications.) But Congress was also concerned with maintaining an appropriate balance between an individual’s right to privacy and the government’s need to obtain certain information for law enforcement purposes.
Scope and Structure
The SCA regulates and protects only wire and electronic communications stored by providers of electronic communication services (ECS) or remote computing services (RCS). Whether a wire or electronic communication is protected by those portions of the SCA that apply to a provider of an ECS (an “ECS Provider”) or to a provider of an RCS (an “RCS Provider”) depends on the manner in which a provider handles such a communication. It is possible that a provider may act as both an ECS Provider and an RCS Provider with respect to a single communication. It is also possible that a provider may not be deemed to act as either an ECS Provider or an RCS Provider with respect to a communication, in which case the communication stored will not be protected by the SCA.
Electronic Communication Service
The SCA protects wire and electronic communications that are sent or received through an electronic communication service while the communications are in electronic storage (§ 2701). The key definitions are as follows:
- “Electronic communication service” means any service which provides to users thereof the ability to send and receive wire or electronic communications; and
- “Electronic storage” means: (1) Any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (2) Any storage of such communication by an electronic communication service for purposes of backup protection of such communications.
Remote Computing Service
The SCA protects wire and electronic communications that are held or maintained in a remote computing service: (1) On behalf of and received by means of an electronic transmission from a customer/subscriber of the remote computing service; and (2) Solely for the purpose of providing storage or computer processing services to such customer/subscriber, if the provider is not authorized to access the content of any such communication for purposes of providing any services other than storage or computer processing (§ 2703). The key definitions are as follows:
- “Remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communication system; and
- “Electronic communication system” means any wire, radio, electromagnetic, photo-optical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications.
The scope of the government’s right to compel disclosure of a stored wire or electronic communication depends on: (1) whether the provider is acting as an ECS Provider or an RCS Provider as to the communication; (2) whether the communication constitutes content (e.g., the text of an email) or customer/subscriber records or information; and (3) as to a communication stored by an ECS Provider only, the number of days that the communication has been in electronic storage.
Disclosure of Content by ECS Provider
The government must obtain a warrant to compel disclosure of the content of a wire or electronic communication held in electronic storage by an ECS Provider for not more than 180 days (§ 2703(a)). If such communication has been in electronic storage for more than 180 days, the government may use a warrant or a so-called “less process alternative,” i.e., an administrative subpoena or court order (a “§ 2703(d) order”), which is issued upon a showing of “specific and articulable facts” (§ 2703(b)). The government must provide the customer/subscriber with prior written notice if it relies on one of the “less process alternatives,” but may delay providing notice up to 90 days (and in certain instances may have the notice requirement waived entirely) (§ 2705).
Disclosure of Content by RCS Provider
The government may compel disclosure of a wire or electronic communication stored by an RCS Provider in an electronic communication system by obtaining a warrant or by one of the § 2703(b) “less process alternatives” described above.
Disclosures of Records/Information by ECS Provider or RCS Provider
As to records or other information pertaining to a customer/subscriber of an ECS Provider or an RCS Provider, the government is required to obtain a warrant, a § 2703(d) order, or the consent of the customer/subscriber (§ 2703(c)(1)). The government is also entitled to compel disclosure of basic customer/subscriber information (e.g., name, contact information, length of service, payment source) by subpoena (§ 2703(c)(2)).
The SCA regulates the voluntary disclosure of electronic communications stored by an ECS Provider or an RCS Provider, but only if the provider’s service is made available to the public. An ECS Provider is prohibited from knowingly disclosing to a third party the contents of an electronic communication while it is in electronic storage (§ 2702(a)(1)), and an RCS Provider is similarly prohibited from knowingly disclosing to a third party the contents of an electronic communication while it is carried or maintained on the RCS Provider’s service (§ 2702(a)(2)). The SCA also prohibits disclosure of customer/subscriber records or information (§ 2702(c)). However, multiple exceptions to the restrictions on voluntary disclosure exist (§ 2702(b) and (c)).
Some of the criticisms directed to the SCA’s deficiencies arise from structural flaws and substandard drafting that cause the statute to be difficult to understand and interpret. These types of flaws are relatively easy to address. Of far greater concern are the material deficiencies that have become apparent with the widespread adoption of 21st century technology:
- Having a lower standard of protection for emails held in electronic storage for longer than 180 days made sense in 1986, as email was available only through proprietary network services, such as America Online, using email was costly because these services charged based on connect time, and storage capacity was limited. Today, as a result of the widespread availability of free Web-based email accounts that offer individuals virtually unlimited storage capacity, individuals routinely store emails (including sensitive professional and personal emails) for longer than 180 days, making the lower standard outdated.
- The standard of protection for unopened emails is unclear as a result of the existence of inconsistent interpretations of the definition of “electronic storage.” The U.S. Department of Justice takes the position that only a subpoena is required to compel disclosure of emails that have been opened, on the theory that the “temporary or intermediate storage” prong of the definition of “electronic storage” (§ 2510(17)(A)) is satisfied only for as long as an email remains unopened. Although some courts have adopted this position, a controversial U.S. Court of Appeals, Ninth Circuit case, Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003), held that an email stored by a network services provider, whether opened or unopened, is subject to the same standard of protection until the email “has expired in the normal course,” on the theory that the email is a backup copy under the “backup storage” prong of the definition of “electronic storage” (§ 2510(17)(B)).
Cloud Computing-related
Some commentators have taken the position that providers of network services “in the cloud” do not satisfy the definition of an RCS (and therefore are subject to different protections) because they provide services other than storage or computer processing services, or because they have the right to access the content of a customer’s/subscriber’s communications for purposes of other services. In 1986, the definition of “remote computing services” contemplated only the provision of data processing/outsourcing services. Consequently, this definition needs to be made current and consistent with the much broader scope of services often provided by network services providers today.
On May 19, 2011, Senator Patrick Leahy introduced the ECPA Amendment Act of 2011, which, among other things, proposes: (1) replacing the so-called “180-day rule” for determining the standard of protection for communications held in electronic storage with a requirement that the government obtain a warrant for any stored electronic communication; and (2) adding “geolocation information services” as a third category of regulated entities to address concerns raised by privacy groups regarding the protection of information available through mobile devices, GPS or other electronic communications devices. Although introduction of this amendment was quickly followed by subcommittee and committee hearings, whether Senator Leahy ultimately will be able to steer it to passage, and the timing of doing so, is uncertain given the economic concerns that continue to take center stage in our government. Stay tuned.