Stored Communications Act
The Stored Communications Act is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers. It was enacted as Title II of the Electronic Communications Privacy Act of 1986.
The Fourth Amendment to the U.S. Constitution protects the people's right "to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures". However, when applied to information stored online, the Fourth Amendment's protections are potentially far weaker. In part, this is because the Fourth Amendment defines the "right to be secure" in spatial terms that do not directly apply to the "reasonable expectation of privacy" in an online context. The Fourth Amendment has been stressed as a right that protects people and not places, which leaves the interpretation of the amendment's language broad in scope. In addition, society has not reached clear consensus over expectations of privacy in terms of more modern forms of recorded and/or transmitted information.
Furthermore, users generally entrust the security of online information to a third party, an ISP. In many cases, Fourth Amendment doctrine has held that, in so doing, users relinquish any expectation of privacy. The Third-Party Doctrine holds "that knowingly revealing information to a third party relinquishes Fourth Amendment protection in that information." While a search warrant and probable cause are required to search one's home, under the third party doctrine only a subpoena and prior notice are needed to subject an ISP to disclose the contents of an email or of files stored on a server.
As per request by the House Committee on the Judiciary, Subcommittee on Courts, Civil Liberties, and the Administration of Justice, as well as the Senate Committee on Governmental Affairs asking the Office of Technology Assessment to create a report about protections surrounding electronic communications, it was found that individuals were at risk. This risk identified current protections for electronic mail as being "weak, ambiguous, or nonexistent." The report concluded that "he existing statutory framework and judicial interpretations thereof do not adequately cover new and emerging electronic surveillance technologies." Congress acknowledged the fact that traditional Fourth Amendment protections were lacking. As a result, the Electronic Communications Privacy Act was enacted in 1986 as an update on the Federal Wiretap Act of 1968, which addressed protections on telephone line privacies. The provisions are distributed into 3 titles, with Title II being the Stored Communications Act.
The SCA creates Fourth Amendment-like privacy protection for email and other digital communications stored on the internet. It limits the ability of the government to compel an ISP to turn over content information and noncontent information. In addition, it limits the ability of commercial ISPs to reveal content information to nongovernment entities.
Overview
Section 2701 of the SCA provides criminal penalties for anyone who "intentionally accesses without authorization a facility through which an electronic communication service is provided or … intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished...."Section 2702 of the SCA targets two types of online service, "electronic communication services" and "remote computing services." The statute defines an electronic communication service as "any service which provides to users thereof the ability to send or receive wire or electronic communications." A remote computing service is defined as "the provision to the public of computer storage or processing services by means of an electronic communications system." This section also describes conditions under which a public ISP can voluntarily disclose customer communications or records. In general, ISPs are forbidden to "divulge to any person or entity the contents of any communication which is carried or maintained on that service." However, ISPs are allowed to share "non-content" information, such as log data and the name and email address of the recipient, with anyone other than a governmental entity. In addition, ISPs that do not offer services to the public, such as businesses and universities, can freely disclose content and non-content information. An ISP can disclose the contents of a subscriber's communications authorized by that subscriber.
Section 2703 of the SCA describes the conditions under which the government is able to compel an ISP to disclose "customer or subscriber" content and non-content information for each of these types of service:
- Electronic communication service. If a "wire or electronic communication" has been in electronic storage for 180 days or less, the government must obtain a search warrant. There has been debate over the status of opened emails in storage for 180 days or less, which may fall in this category or the "remote computing service" category.
- Remote computing service. If a "wire or electronic communication" has been in electronic storage for more than 180 days or is held "solely for the purpose of providing storage or computer processing services" the government can use a search warrant, or, alternatively, a subpoena or a "specific and articulable facts" court order combined with prior notice to compel disclosure. Prior notice can be delayed for up to 90 days if it would jeopardize an investigation. Historically, opened or downloaded email held for 180 days or less has fallen in this category, on the grounds that it is held "solely for the purpose of storage."
Section 2704 of the SCA describes backup preservation such that an entity operating under 2703 may ask for a backup copy of the electronic communications in order to preserve the communications. This backup may be included in the subpoena or court order requirement requested from the ISP.
Section 2705 also provides for gag orders, which direct the recipient of a 2703 order to refrain from disclosing the existence of the order or investigation. The court will be able to delay the notification for ninety days if it determines that there is a reason that the court order could have adverse results.
Section 2706 of SCA addresses cost reimbursement such that a government entity obtaining communications and records under 2702,2703, or 2704 of the title should pay the party providing the information for incurred costs. The amount should be mutually agreed upon. This requirement is exempt when section does not apply to the records held by the communications carrier.
Section 2707 of SCA describes cause of civil action under this title, reliefs in a civil action, damages assessed in a civil action, administrative discipline, defence, limitation, and improper disclosure.
Section 2708 of SCA states that the remedies and sanctions are the only judicial remedies and sanctions for violations of the chapter that are not constitutional violations.
Section 2709 Is in regards to counterintelligence access to telephone toll and transactional records. Subsection says that a wire or electronic communication service should comply with any request for information, records, electronic communications made by the Federal Bureau of Investigation Director with required certification.
Section 2710 of SCA describes wrongful disclosure of videotape or sale records and resulting civil action in district court in the event of a violation under this section.
Section 2711 of SCA provides definitions for the chapter. The terms defined are those in section 2510 of the title, "remote computing service," "court of competent jurisdiction," and "government entity."
Section 2712 of SCA discusses civil actions against the United States. Any party who has claims violation of the chapter or chapter 119 of the title may take action against U.S. District Court to recover money damages.
Constitutionality of compelled government disclosure
With respect to the government's ability to compel disclosure, the most significant distinction made by the SCA is between communications held in electronic communications services, which require a search warrant and probable cause, and those in remote computing services, which require only a subpoena or court order, with prior notice. This lower level of protection is essentially the same as would be provided by the Fourth Amendment—or potentially less, since notice can be delayed indefinitely in 90-day increments. Orin Kerr argues that, "the SCA was passed to bolster the weak Fourth Amendment privacy protections that applied to the Internet. Incorporating those weak Fourth Amendment principles into statutory law makes little sense." In Warshak v U.S. this point of view found fleeting support from a panel of the Sixth Circuit, which ruled that a reasonable expectation of privacy extends to emails that would otherwise fall under the SCA's lower level of protection: "Where the third party is not expected to access the e-mails in the normal course of business, however, the party maintains a reasonable expectation of privacy, and subpoenaing the entity with mere custody over the documents is insufficient to trump the Fourth Amendment warrant requirement." Subsequently, the Sixth Circuit en banc vacated the panel's ruling and remanded for dismissal of the constitutional claim, reasoning that, because the Court had "no idea whether the government will conduct an ex parte search of Warshak's e-mail account in the future and plenty of reason to doubt that it will," the matter was not ripe for adjudication. Zwillinger and Sommer observed that this decision erected a barrier to "prospective" challenges by individuals with reason to believe they will be targets of surveillance. While Warshak's civil case ended without a resolution to this issue, his criminal case provided another opportunity. In United States v. Warshak the Sixth Circuit found that email users have a Fourth Amendment-protected reasonable expectation of privacy in the contents of their email accounts and that "to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional."In In re Application of the United States for Historical Cell Site Data, 724 F.3d 600, the Fifth Circuit held that court orders under the Stored Communications Act compelling cell phone providers to disclose historical cell site information are not per se unconstitutional. However, in Carpenter v. United States the Supreme Court ruled that the government violates the Fourth Amendment by accessing such information without a search warrant or exception to the warrant requirement such as exigent circumstances.
Extraterritoriality
Many ISPs have server farms and data centers where their users' electronic data is stored, with locations chosen globally to bolster server performance. As a result, data could potentially be outside of U.S. Jurisdictional reach. The application of SCA to extraterritorial jurisdiction became a point of contention, as the statute is debatably applicable to conducting searches outside of the United States, even over parties not physically in the United States. In support of this, the Bank of Nova Scotia Doctrine, or BNS, allows for "a grand jury subpoena... used to compel a company subject to U.S. jurisdiction to produce evidence stored outside of the United States if the evidence is within the company's possession, custody, or control." With these applications come arguments for the use of an appropriate Mutual Legal Assistance Treaty. It is ultimately the interpretation of the courts on which dictates how the warrant is carried out.In light of an earlier ruling upholding extraterritorial application of the SCA in In Re Warrant of a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, a new bill called the LEADS Act, was introduced. The bill "preclude the use of U.S. warrants to obtain communications content stored outside the unless the content is in the account of an American." This means that disclosure of private communications on servers abroad through a judicial warrant can only occur if the user of such emails is a U.S. Citizen.
''Microsoft Corporation v. United States of America''
On December 4, 2013, government authorities obtained a SCA warrant from Magistrate Judge Francis in the Southern District of New York's case In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. Microsoft identified that the requested account was served on a server in Ireland. Microsoft filed a motion to quash the warrant based on the extraterritorial application of the warrant. This motion was denied by the court and the SCA warrant was explained as a "hybrid order", which is "executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the email account in question." The court also confirmed that a call to utilize MLAT would not be necessary in the case. The case resulted in Microsoft voluntarily being held in contempt for non-compliance with the SCA warrant. This was meant to appeal to the U.S. Court of Appeals of the Second Circuit as soon as they could. Microsoft claimed that they would not comply unless an appellate review was conducted, at minimum.On July 14, 2016 a three-judge panel of the United States Court of Appeals for the Second Circuit decided in favor of Microsoft that the SCA warrant cannot be seen as "hybrid order" and the SCA's warrant provisions do not apply extraterritorially. A 4-4 split decision on an en banc rehearing by the full Second Circuit left the panel's decision for the case. The U.S. Department of Justice appealed to the Supreme Court of the United States, which has heard the case. A decision was expected by June 2018, but the CLOUD Act may render the question moot. The case is considered to highlight issues related to the antiquated nature of the SCA compared to modern Internet technologies.
Social media
At the time of the SCA's creation, social media platforms were not present in the context in that the legislation addressed. The SCA's limits are that of electronic communications that are not supposed to be available to the public. Despite this, court's decisions like Crispin v. Christian Audigier, Inc evidence that SCA granted protections can be allocated to certain social media communication channels. ECS and RCS identification is necessary in a decision regarding the SCA's social media application. The courts in the Crispin c. Christian Audigier, Inc. stated "messages that have not yet been opened... operate as ECS providers and the messages are in electronic storage because they fall within the definition of "temporary, intermediate storage" under § 2510... messages that have been opened and retained... operate as RCS providers providing storage services under § 2702.Wall postings and comments are not considered protectable as forms of temporary, intermediate storage. Wall posts and comments are stored for backup protection purposes, which means they are covered under SCA subsections. Wall posts and comments have been court-classified as electronic bulletin board service, or BBS. BBS, terminology used in the 1986 history of the SCA, defines BBS as communication networks by computer users to transfer information among computers that may be noncommercial systems being operated by users with shared interests. BBS available to the public is not covered by the SCA due to public access granted by the facilitator. However, if a user is restrictive of access to these communications on the account, then those communications are subject to SCA coverage.
It is unknown the level of specific BBSs privacy is sufficient for SCA protection. A numerical upper limit to the number of users, or "friends" a profile is connected to would be "arbitrary line drawing" leading to "anomalous result."
In 2017, the Massachusetts Supreme Judicial Court found that the SCA did not prevent the personal representatives of a deceased person from accessing his emails.
''Crispin v. Christian Audigier, Inc.''
In May 2010, a federal district court applied the SCA, for the first time, to data on social networking sites. The case intended to determine if the defendants could subpoena the plaintiff's electronic communications from the social media platforms Facebook, Media Temple, and MySpace. Buckley Crispin, the plaintiff, filed action against Christian Audigier, Christian Audigier, Inc., and their sublicensees. Crispin claimed that the defendants used his art in violation in which the defendants served subpoenas on the three aforementioned social media platforms. Crispin argued that these subpoenas sought electronic communications that ISPs do not have the authority to disclose under the SCA. When the judge claimed that social media platforms are not subject to the SCA, Crispin filed a motion to reconsider in the Central District of California.Following this, determination of ECS or RCS had to be made for Facebook, Media Temple, and Myspace. The courts in this case held Facebook and MySpace to be RCS providers in regard to comments and wall posts as open messages. Though these communications are not temporary or intermediate storage under subjection, the courts found that comments and wall posts are stored for purposes of backup protection. This means that they are covered by subsection of the title.
''Robbins v. Lower Merion School District''
The Act was invoked in the 2010 Robbins v. Lower Merion School District case, where plaintiffs charged two suburban Philadelphia high schools with secretly spying on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating their right to privacy. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.Criticisms
The language and provisions set during the 1986 year of the SCA do not comprehensively apply to modern day technology and the advancements. The SCA has led to ambiguity in compliance for ISPs as the legislation is outdated. This causes technology companies to take risks and alter their businesses to appease both domestic and international users who wish to access servers.Courts have become unsure of the way that SCA can apply to modern service providers, being given flexibility of interpretation. The result could be little protection actually offered. Flexibility dictates that a court decision may come down to a rhetoric, like if a server is a storage site or a communications center This makes it so that broad principles and interpretations are meant to keep pace with technology.
A societal criticism of the SCA is that the courts should be looking at the intents of parties, rather than access to communications. This brings into question the role of service providers as neutral repositories for content. In the modern space, service providers are unclear as to whether applying the SCA would be a violation of user privacy rights or not. As a result, non compliance to subpoena could have a legal and economic impact on service providers.
The SCA is driven by case law and court interpretation. This can be criticized as an unstable grounds for an established standard. The SCA becomes less applicable as interpretations are stretched to meet new technology. Individual case law interpretations have the potential to leave undesirable political, social, and economic impacts both in the U.S. and globally.
Absence of Congressional legislative SCA reform since its 1986 enactment has been its biggest criticism due to historical and projected technological growth.