Did Congress Intend the Stored Communications Act To Protect Only SPAM?
Written by Greg Nojeim
Earlier this week, the Center for Democracy & Technology called on the Fourth Circuit Court of Appeals to reverse a district court decision holding that opening an email message causes it to lose certain protections of the Stored Communications Act (SCA). We, joined by the Electronic Frontier Foundation and the Open Technology Institute, filed a brief in Hately v. Watts with the help of the law firm of Ropes and Gray. We argued, among other things, that if opening an email causes it to lose protections the SCA affords to electronic communications held by a provider of electronic communications service, then only the email a user does not open – usually SPAM – would enjoy those protections, and the more sensitive or important email the user cares about and saves online would be unprotected. This cannot be what Congress intended when it enacted the SCA in 1986.
The District Court of the Eastern District of Virginia based its decision on a rigid interpretation of a convoluted definition applicable to the SCA – a part of the Electronic Communications Privacy Act (ECPA) that CDT and the Digital Due Process Coalition have been trying to update for eight years. The SCA subjects to civil liability anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains … access to a wire or electronic communication while it is in electronic storage in such system.” In this case, the plaintiff alleges that the defendant gained unauthorized access to his Gmail account. Whether the defendant is liable under the SCA turns in large part on whether opened email in that account was in electronic storage.
Instead of defining “electronic storage” as the storing of communications electronically, the applicable law defines “electronic storage” as:
“(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
“(B) any storage of such communication by an electronic communication service for backup protection of such communication.” 18 U.S.C. 2510(17).
This has the benefit of distinguishing the communications that a communication service provider holds electronically on its own behalf as corporate records from the communications of the provider’s users. Only the users’ communications are protected by the SCA. But, it has the unfortunate side effect of inviting interpretations that unduly limit the scope of the protections Congress intended the SCA to provide to users. In this case, the District Court reasoned that an opened email meets neither prong of this definition, agreeing with the Eighth Circuit which reached a similar conclusion in Anzaldua v. Northwest Ambulance and Fire Protection District, 793 F.3d 822, 839 (8th Cir. 2015).
The district court decision conflicts with the determination of the Ninth Circuit in Theofel v. Farely-Jones, 359 F.3d 1066 (9th Cir. 2004), which found that opening an email is irrelevant to determining whether the email is in electronic storage. We argued that the Theofel rule should prevail because Congress intended the SCA to provide broad privacy protection to such communications when they are held by electronic communications service providers. We also point out that with the explosive growth of cloud computing – which permits users to access their content stored in the cloud from any device – the backup protection that is being afforded is to the user, as opposed to the provider. Thus, the email in question is in electronic storage because it is being held as backup protection for the user.
Hately v. Watts is a civil case with implications for the criminal context: whether a communication is in electronic storage can determine not only whether unauthorized access results in civil liability, but also whether disclosure of the communication to law enforcement is governed by the SCA or not, and if governed by the SCA, whether the warrant requirements in the statute apply. Those implications, coupled with the split in the circuits on the “opened email issue” create a possibility that the Supreme Court will step in and finally resolve whether opening an email strips it of the protections afforded in the SCA to communications in electronic storage held by providers of electronic communications service.
Congress might also address the issue by enacting the Email Privacy Act, H.R. 387. The Email Privacy Act would subject to a warrant requirement any communications content that is “in electronic storage with, or otherwise stored, held or maintained” by an electronic communications service. This language would make it clear that the SCA protects email in an electronic communications service regardless of whether it has been opened. The Email Privacy Act includes a rule of construction that makes it clear that corporate records of the provider itself are not subject to the SCA warrant requirement. On February 6, 2017, the House passed the Email Privacy Act unanimously, and the legislation has been attached to the National Defense Authorization Act (H.R. 5515), which the House passed on May 24, 2018. However, concerns in the Senate that have dogged the legislation for three years have not yet been resolved, making prospects for passage of a clean Email Privacy Act difficult to secure in this Congress.
In light of the uncertainty of achieving success in Congress, we have sought to achieve success in the courts, and a determination that opening an email message does not adversely impact the protections afforded it under the Stored Communications Act.