The Electronic Communications Privacy Act, 18 U.S.C. §§2501 et seq., the Stored Communications Act, 18 U.S.C. §§2501 et seq. and their state law counterparts in Pennsylvania at, respectively, 18 Pa.C.S. §5701 et seq. and 18 Pa.C.S. §5741 et seq., are the federal and state laws that, inter alia, set forth what protections email and cellphone users have for their emails stored by Internet service providers, and records of email and cellphone connectivity and usage stored by ISPs and cellphone carriers. Changes in technology in the years since the creation of these laws have led to a cacophony of holdings and opinions by federal and state courts that interpret the same language completely differently, with the Supreme Court remaining silent on the issues.
Many of these contrary opinions have arisen because the courts have had to try to apply what, in cyberyears, are “ancient” laws, dating back to the 1980s and 1990s, to technology and usage never envisioned by the drafters. As a result, Congress has recently begun to try to make changes to the federal instances of these laws. In this month’s article, we will review the most prominent problems in the laws and ways to address them.
A Brief but Necessary Historical Discussion
The ECPA is the child of Congress’ foray, in 1968, into legislating wiretaps performed by both federal and state law enforcement officers. Congress sought to address two related concerns: the lack of judicial oversight, principally by state courts of state law enforcement officers, and the lack of uniform standards. Thus, the Wiretap Act specified that it authorized only federal law enforcement officers to obtain wiretap orders, and included a provision that if a state wanted its law enforcement to be able to conduct wiretaps, that state had to enact legislation that was, at a minimum, as protective of the privacy of potential targets as was the federal law, but could be more so.
The only “electronic communications” originally contemplated by the Wiretap Act were those needed to facilitate telephone communications, such as the “Pen Register” information, i.e., the telephone number of the caller and recipient, subscriber information for those numbers, and the duration of the call. However, when electronic communications such as emails and others we now regularly use were first addressed in the ECPA, the natural fit for the ECPA was as part of the Wiretap Act. Thus, the requirement that states enact their versions of the ECPA and the SCA if they wished to empower state law enforcement to obtain electronic communications from ISPs and cell carriers followed from the placement of the ECPA and the SCA as part of the Wiretap Act. Parties in civil actions also obtain such information under the statutes.
The need for the ECPA and the SCA arises from long-accepted but recently challenged jurisprudence that the Fourth Amendment does not accord to a person a reasonable expectation of privacy in the person’s property when that property is in the possession of a third party. Two cases illustrate application of the doctrine well. In Smith v. Maryland, 442 U.S. 735 (1979), the court found no right of privacy in Pen Register information, and in United States v. Miller, 425 U.S. 435 (1976), it held that a bank customer had no reasonable expectation of privacy in his or her bank records. Thus, Supreme Court doctrine holds that, while an ISP or cellphone carrier has a Fourth Amendment right to privacy in its records, the user does not. The ECPA and the SCA were enacted, in large part, to create privacy rights for those users. However, just as Congress is free to create such rights, it is equally free to fashion remedies for those rights.
An Ongoing Change: Good but By No Means Enough
The ECPA and the SCA distinguish between “content” and “records” information. Content is, typically, the body of an email or a stored e-document. Record information concerns Pen Register information for digital communications: who a subscriber is; what IP address — the digital address assigned to a user for a length of time, which will allow law enforcement to trace email back to that user — was assigned to what user on a certain date and time; when a user accessed an account supported by the ISP, and so on. The ECPA and the SCA accord greater protection to content than to records information. The former can be obtained solely through obtaining a search warrant supported by probable cause, while the latter can be obtained via an order supported only by “reasonable grounds,” which is nowhere defined but is, presumably, a smaller quantum of proof than probable cause.
The search warrant requirement, however, applies solely to content information in storage for 180 days or less; content information in storage for longer may be obtained by a showing of only reasonable grounds. The distinction traces back to when stored communications were rare, when any email worth saving was printed to paper and placed in the “real” (paper) file, and when it was not at all common practice to archive emails and e-documents, much less store all of a person or business’ most important records digitally “in the cloud.”
The Senate Judiciary Committee on November 29 sent to the full Senate HR 2471, which would do away with the distinction between older and newly stored communications and require that law enforcement obtain a search warrant for any such communication. Law enforcement has no reason to oppose this amendment, notwithstanding that it ostensibly places a greater burden of proof on it, for the practical reason that law enforcement always uses a search warrant to obtain content information. The reason for this is three-fold. First, law enforcement always asks for all emails, which will include the newer ones, and so always needs a search warrant. Second, the ISP will always send all emails; it cannot spare the time to sort through the emails by date. To avoid receiving emails in excess of its request, law enforcement always obtains a search warrant. Third, articulating probable cause is never a problem. Whenever emails or other stored electronic communications are sought, it is invariably during the course of a thorough, detailed investigation, where probable cause is never hard to amass.
Thus, HR 2471 has a consensus of supporters. It is certainly a good start, but by no means is it enough.
What Is a Stored Communication?
A far bigger issue than the one addressed by HR 2471 was recently illustrated in Jennings v. Jennings, No. 27177 (S.C. S.Ct. October 10, 2012), where the South Carolina Supreme Court, puzzling through archaic definitions in the SCA, held, counterintuitively, that a person who hacked into another person’s Yahoo email account was not liable under the SCA. The holding would be fatal to a large percentage of criminal and civil matters brought under the SCA.
Under Section 2701(a) of the SCA, anyone violates the act when, without or exceeding consent, the actor “obtains … a wire or electronic communication while it is in electronic storage in such system.” It is not enough to hack into a system, to use the common term; to be criminally or civilly liable under Section 2701, you must hack while the wire or electronic communication “is in electronic storage.” Section 2510 (17) of the SCA defines “electronic storage” as “(a) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (b) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.”
The defendant in Jennings did what we typically think of when we think of hacking: she went into an email account of another without the account-holder’s consent. The problem with applying the SCA to that archetypical scenario of hacking is that the definition of the electronic storage an actor can violate under the act does not account for the most common type of electronic storage: long-term savings of emails by the user. The email that you, the user, save in your email box is not saved as “temporary, intermediate storage … incidental to” the transmission of a communication, nor is it saved “for the purposes of backup protection.” Rather, it is saved so the user can have it and access it readily. Period.
This hole in the law may seem remarkable, but the SCA is an old law, written when saving electronic data was uncommon: any email worth saving was printed to paper. Saving emails in their native format did not become popular until computers became more reliable and hard drives and the space on email servers grew considerably. The SCA, however, did not get amended to catch up with changes in practice.
The Jennings court acknowledged that its interpretation of the SCA differed from the leading interpretation of the SCA, by the U.S. Court of Appeals for the Ninth Circuit, in the often-cited Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), as well as many other cases. The Ninth Circuit had held that emails in a user’s webmail box “which had been received and read, and then left on the server instead of being deleted, could be characterized as being stored ‘for purposes of backup protection’ and therefore kept in electronic storage.” The Jennings court questioned “the reasoning expressed in Theofel that such passive inaction” could “constitute storage for backup protection under the SCA,” and went on to hold that because “the plain language of subsection (b)” did not apply to the emails in the instant matter, they were not protected under the SCA.
Given the contradiction in case law, it is not clear whether law enforcement, federal or state, needs a search warrant to get any emails from an ISP, putting aside the 180-days-or-less issue that is the subject of the current amendment. If Jennings is correct, then the SCA does not protect email stored on the server by the user and so, per Smith v. Maryland, because there is no Fourth Amendment protection for that email, there would be no legal requirement for law enforcement to get any kind of court order to obtain emails from an ISP (the ISP may require it, but that is another issue entirely). One can then debate whether Jennings or Theofel is correct, but there can be no question that: (1) Theofel and that line of cases came up with an expansive definition of “backup protection” in order to fit the SCA to present technical and usage realities; and (2) if the SCA is going to be amended, now would be the perfect time to add to the definitions of Section 2510(17) to remove the doubt.
There are several other issues that should be addressed in the ECPA and the SCA. I will look at just one. What type of court order — an ECPA order, requiring it be supported only by reasonable grounds, or a search warrant, supported by probable cause — is needed to get what is known as “cell tracking information”? Cell carriers have their closest cell sites constantly “check in” with a user’s telephone (so long as the telephone is on), so that the carrier’s server will know instantly where to route a call should one be placed. A log of these check-ins, as well as of calls placed, will place the user within a few-hundred feet of a cell tower for numerous instances across days and weeks — in other words, it will create a detailed tracking of a user’s movements over time.
Per Smith, because the user has no Fourth Amendment protection for that cell tracking data, it is up to Congress to create whatever level of protection it deems fit. Looking at the ECPA, it would seem that the cell site logs would be considered record information and, thus, would require law enforcement to show only reasonable grounds to obtain an order compelling the carrier to disclose them. Several courts have so ruled, but some others, most notably the U.S. Court of Appeals for the D.C. Circuit in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), another part of which was affirmed on appeal to the Supreme Court in United States v. Jones, 132 S.Ct. 945 (2012), have held that because those records provide “protracted surveillance” of the target, such disclosure violates a target’s reasonable expectation of privacy and so a search warrant would be required. Those courts following Maynard simply ignore the fact that the “search” was done by the ISP, without any government instruction and purely as a matter of creating and compiling business records. In Jones, where Jones’ vehicle was the subject of GPS tracking by the government, four of the justices, in a concurring opinion, would have held that the “protracted surveillance” doctrine applied to the instant matter because of the 90-day duration of the tracking order. Justice Sonia Sotomayor, like the courts following Maynard, would have gone a step further and applied the protracted surveillance doctrine regardless of whether the government tracked the subject or the subject’s cellphone records were simply obtained from the cell carrier.
Plainly, cell site tracking requires legislative clarification in the ECPA. The practice will only continue to grow in popularity, as cellphones have become indispensable to the way we now live. Here is yet another area where Congress’ revision of a 30-year-old law is greatly needed.
HR 2471 is needed, but more is needed as well, and for the same reason: use of the laws and changes in technology expose weaknesses. Instead of simply adding a new app to the laws, Congress would do well to consider a full upgrade. •
Leonard Deutchman is general counsel and administrative partner of LDiscovery, a firm with offices in New York City, Fort Washington, Pa., McLean, Va., Chicago, San Francisco and London that specializes in electronic digital discovery and digital forensics.