Title II: Stored Communications Act
Fourth Amendment |
- - Colonial Roots
- - Olmstead
- - Katz
- T1: Wiretap Act
- T2: Stored Comm Act
- T3: Pen Register Act
- Rule by Exception
- - Privacy
- - Consent
- - Court Order
- - Service Providers
- - - Network Ops
- - - Protection
- - - Accident
- - - Hackers
- - - Child Protection
- - Emergency
- - Law Enforcement
- - - Natl Sec Letters
- - - Preservation
- - - Carnivore
- - - CALEA
- - - FISA
- Stored Content
- Subscriber Info
- Cost Recovery
- - White House
- - DHS
- - NIST
- - NTIA
- - FCC
Crimes Against Network
- Worms, Viruses, Attacks
- Wireless Malware
- WiFi Security
- Network Reliability
- Infrastructure Protection
- - Kill Switch
Crimes Over Network
- - Auctions
- - Phishing
- ID Theft
- Offensive Words
- Patriot Act
- Data Retention
- Safe Web Act
ECPA Title I: The Wiretap Act deals with communications that are in transit (which can be intercepted); ECPA Title II, the Stored Communications Act deals with communications that have been received and are in storage. The two frequently get confused and it all gets muddled quickly. The relationship of Wiretap Act to the Stored Communications Act has been described as "complex, often convoluted." [Councilman 80 1st Cir. 2005] [Smith 1055 9th Cir. 1998] Orin Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1208, 1240 (2004) (opining that "[c]ourts, legislators, and even legal scholars have had a very hard time making sense of the SCA. . . . [I]ts vague language has needlessly confused the courts, which have tried to use § 2701 in civil cases to do far more than the SCA's drafters ever intended").
The Wiretap Act and the Stored Communications Act are not mutually exclusive remedies. [Councilman 82 1st Cir. 2005 " In general, if two statutes cover the same conduct, the government may charge a violation of either."] [Herring 788 n. 4 11th Cir. 1993 ("The overlapping coverage of the Wiretap Act and the Communications Act [of 1934] presents no problem. In such a case, the prosecution has the right to select the statute under which the indictment will be brought.")
What exactly are “stored communications”? Does this refer to the store and forward nature of the Internet? Does email that has received a subscriber’s system but is not opened fall under this? What about after the email has been opened? Generally, if its an interception, it will fall under ECPA; but if it is Stored Communications, it falls under the Stored Communications Act and the rules below.
“Stored communications” is defined at 18 U.S.C. § 2510(17).
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
"Transient electronic storage that is intrinsic to the communication process for such communications" is "electronic communications," not stored communications. [Councilman 2005][Blumofe 21 ] [Hall 503 n. 1]
- An email
- in transit across the network is an email during transmission. [Councilman 79 1st 2005]
- in temporary storage on an email server awaiting download by a subscriber is a “stored communication.” [Councilman Slip 31 2005 ("The first category, which is relevant here, refers to temporary storage, such as when a message sits in an e-mail user's mailbox after transmission but before the user has retrieved the message from the mail server.")] [Fraser 113 3rd Cir. 2003] [Steve Jackson 461]
- left on a public email service provider service means the service is now a Remote Computer Service. "The role of LocalISP has changed from a transmitter of Joe's email to a storage facility for a file stored remotely for Jane by a provider of RCS." [Search Seizure 2009 p 126]
- Webmail that remains on the service provider computer might be stored. [Fischer]
- Email left on a private network email server (like a company email server) - the private email server is neither a remote computer service nor an electronic communications service (not a public service). [Search Seizure 2009 p 126]
- "email messages remaining on an internet service provider's server after delivery fall within the Act's definition of electronic storage." See, e.g., Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2004); Strategic Wealth Grp., LLC v. Canno, No. 10-0321, 2011 WL 346592, at *3-4 (E.D. Pa. Feb. 4, 2011); Markert v. Becker Technical Staffing, Inc., No. 09-5774, 2010 WL 1856057, at *6 (E.D. Pa. May 7, 2010); Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548, 555 (S.D.N.Y. 2008).
- Download and stored on recipients computer - recipient is not an RCS or an ECS and thus Stored Communications Act does not apply. Access to files on an individual's computer is governed by 4th Amendment. [Fraser]
- Voice mail can be stored communication – but this provision sunsets December 31, 2005. [Smith] [Councilman 2005]
- A cookie is not “stored communications.” [Doubleclick 511-12] [Chance] [Intuit] But See [Kerr p. 8 n 44 (2004) (stating that these courts applied SCA to cookies)]
Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ (2009)
Unfortunately, as a result of the Ninth Circuit's decision in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), there is now a split between two interpretations of "electronic storage"-a traditional narrow interpretation and an expansive interpretation supplied by the Ninth Circuit. Both interpretations are discussed below. As a practical matter, federal law enforcement within the Ninth Circuit is bound by the Ninth Circuit's decision in Theofel, but law enforcement elsewhere may continue to apply the traditional interpretation of "electronic storage."
As traditionally understood, "electronic storage" refers only to temporary storage made in the course of transmission by a service provider and to backups of such intermediate communications made by the service provider to ensure system integrity. It does not include post-transmission storage of communications. For example, email that has been received by a recipient's service provider but has not yet been accessed by the recipient is in "electronic storage." See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). At that stage, the communication is stored as a temporary and intermediate measure pending the recipient's retrieval of the communication from the service provider. Once the recipient retrieves the email, however, the communication reaches its final destination. If the recipient chooses to retain a copy of the accessed communication, the copy will not be in "temporary, intermediate storage" and is not stored incident to transmission. See Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 114 (3d Cir. 2004) (stating that email in post-transmission storage was not in "temporary, intermediate storage"). By the same reasoning, if the sender of an email maintains a copy of the sent email, the copy will not be in "electronic storage." Messages posted to an electronic "bulletin board" or similar service are also not in "electronic storage" because the website on which they are posted is the final destination for the information. See Snow v. DirecTV, Inc., 2005 WL 1226158, at *3 (M.D. Fla. May 9, 2005), adopted by 2005 WL 1266435 (M.D. Fla. May 27, 2005), aff'd on other grounds, 450 F.3d 1314 (11th Cir. 2006).
Furthermore, the "backup" component of the definition of "electronic storage" refers to copies made by an ISP to ensure system integrity. As one district court explained, the backup component "protects the communication in the event the system crashes before transmission is complete. The phrase 'for purposes of backup protection of such communication' in the statutory definition makes clear that messages that are in post-transmission storage, after transmission is complete, are not covered by part (B) of the definition of 'electronic storage.'" Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 636 (E.D. Pa. 2001), aff'd in part on other grounds 352 F.3d 107, 114 (3d Cir. 2004) (affirming the SCA portion of the district court's ruling on other grounds); see also United States v. Weaver, 2009 WL 2163478, at *4 (C.D. Ill. July 15, 2009) (interpreting "electronic storage" to exclude previously sent email stored by web-based email service provider); In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 511-13 (S.D.N.Y. 2001) (emphasizing that "electronic storage" should have a narrow interpretation based on statutory language and legislative intent and holding that cookies fall outside of the definition of "electronic storage" because of their "long-term residence on plaintiffs' hard drives"); H.R. Rep. No. 99-647, at 65 (1986) (noting congressional intent that opened email left on a provider's system be covered by provisions of the SCA relating to remote computing services, rather than provisions relating to communications in "electronic storage").
This narrow interpretation of "electronic storage" was rejected by the Ninth Circuit in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), in which the court held that email messages were in "electronic storage" regardless of whether they had been previously accessed, because it concluded that retrieved email fell within the backup portion of the definition of "electronic storage." Id. at 1075-77. Although the Ninth Circuit did not dispute that previously accessed email was not in temporary, intermediate storage within the meaning of § 2510(17)(A), it insisted that a previously accessed email message fell within the scope of the "backup" portion of the definition of "electronic storage," because such a message "functions as a 'backup' for the user." Id. at 1075. However, CCIPS has consistently argued that the Ninth Circuit's broad interpretation of the "backup" portion of the definition of "electronic storage" should be rejected. There is no way for a service provider to determine whether a previously opened email on its servers is a backup for a copy of the email stored by a user on his computer, as the service provider simply cannot know whether the underlying email remains stored on the user's computer. Essentially, the Ninth Circuit's reasoning in Theofel confuses "backup protection" with ordinary storage of a file.
Although prosecutors within the Ninth Circuit are bound by Theofel, law enforcement elsewhere may continue to apply the traditional narrow interpretation of "electronic storage," even when the data sought is within the Ninth Circuit. Recent lower court decisions addressing the scope of "electronic storage" have split between the traditional interpretation and the Theofel approach. Compare United States v. Weaver, 2009 WL 2163478, at *4 (C.D. Ill. July 15, 2009) (rejecting Theofel), and Bansal v. Russ, 513 F. Supp. 2d 264, 276 (E.D. Pa. 2007) (holding that access to opened email in account held by non-public service provider did not violate the SCA), with Bailey v. Bailey, 2008 WL 324156, at *6 (E.D. Mich. Feb. 6, 2008) (endorsing Theofel), and Cardinal Health 414, Inc. v. Adams, 482 F. Supp. 2d 967, 976 n.2 (M.D. Tenn. 2008) (same). Prosecutors confronted with Theofel-related issues should consult CCIPS  for further assistance.
|Confused? So are we. Check out the What Gets What Chart.|
18 USC § 2701 Access:
(a) Offense.- Except as provided in subsection (c) of this section whoever-
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
The restriction on access does not apply to ECS nor to the users of a service with respect to communications of that user or intended for that user. 18 USC § 2701(c) [Fraser 115 3rd Cir 2003 ("Like the court in Bohach , we read § 2701(c) literally to except from Title II's protection all searches by communications service providers.")] [Bohach DNev 1996]
- Theofel v. Farey-Jones, 359 F.3d 1066, 1073 (9th Cir. 2004) "Permission to access a stored communication does not constitute valid authorization if it would not defeat a trespass claim in analogous circumstances."
- Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 208 (4th Cir. 2009) (finding "no need to opine on the precise common law analogue for the SCA" but noting that "trespass to chattel . . . more closely mirrors the SCA [than trespass to land]").
- Compare to CFAA "authorization" discussion.
18 USC § 2702 Disclosure: Generally, a public ECS or RCS shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service
There is no restrictions on private ECS or RCS. Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1042–43 (N.D. Ill. 1998)
Public ECS or RCS shall not knowingly divulge customer records to the government (no restrictions to other people) 18 USC § 2702(a)(3) & (c)(6).
Like ECPA, the SCA is a rule governed by exceptions.
- As necessarily incident to the rendition of service
- The protection of the rights of property or service
- To the National Center for Missing and Exploited Children. See CPPA
- Law Enforcement:
Note: The SCA (18 USC 2702) does not contain an exception for civil discovery subpoenas.
Law Enforcement: Like ECPA, the big exceptions deal with when The Man can get access to Stored Communications.
- For electronic communications that has been stored, but not opened, for less than 181 days, the government must first obtain a warrant to obtain those messages. 18 U.S.C. § 2703(a).
- If the electronic communications has been opened (or for other stored files), the government may send the ISP a subpoena with notice to the subscriber in advance of the search. 18 U.S.C. § 2703(a) & (b).
- If the electronic communications is held by a remote communications service provider on behalf of a subscriber or customer of the remote computing service, the law enforcement official may obtain access to the stored communications
See also 18 U.S.C. § 2704 Backup Preservation for 18 U.S.C. § 2703(b)(2) electronic communications disclosure. But see the Federal Records Acts, requiring certain government email to be stored at the National Archives and made publicly available.
Compare Warshak (6th Cir) (requiring warrant for access to email)
Notice: Generally notice must be given to the subscriber or customer whose communication is being intercepted. 18 U.S.C. § 2703(b)(1). In certain situations, such as endangerment to life or public safety, risk of flight from persecution, destruction of or tampering with evidence, or intimidation of witnesses, the government can delay notice to the subscriber for 90 days. 18 U.S.C. § 2705(a). Delayed notice is permitted where there is "execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result." 18 U.S.C. § 2705(a). [Villegas] At the end of the delayed period, notice must be provided to the individual. 18 U.S.C. § 2705(a)(5).
Sec. 2703(d) Order: An officer may seek to obtain information using a higher Section 2703(d) order. In this situation, an officer generally with have authority to obtain information to the same degree as a subpoena. If the officer seeks delayed notice, the legal standard is similar. The difference is that the representation is made to a court as opposed to a supervisory official. 18 U.S.C. § 2705(a)(1)(A), 18 U.S.C. § 2705(a)(2). [Compare Warshak (6th Cir) (requiring warrant for access to email)]
Geographic Scope: Previously, a search warrant could only compel the disclosure of content within the district of the issuing court. As the Internet constitutes the death of distance and geographic distinctions, legal authority only good locally was a bit of a problem, obligating law enforcement officers to apply again and again in different jurisdictions to get after the same email. The Patriot Act rectified this problem for law enforcement officers by making search warrants nationwide in reach. In other words, the authority of a federal court in Massachusetts is valid for an ISP in Arizona. 18 U.S.C. § 2703(a); 2711(3). This provision sunsets on December 31, 2005.
“Current law requires the government to use a search warrant to compel a provider to disclose unopened e-mail. 18 U.S.C. § 2703(a). Because Federal Rule of Criminal Procedure 41 requires that the ‘property’ to be obtained ‘be within the district’ of the issuing court, however, the rule may not allow the issuance of § 2703(a) warrants for e-mail located in other districts. Thus, for example, where an investigator in Boston is seeking electronic e-mail in the Yahoo! account of a suspected terrorist, he may need to coordinate with agents, prosecutors, and judges in the Northern District of California, none of whom have any other involvement in the investigation. This electronic communications information can be critical in establishing relationships, motives, means, and plans of terrorists. Moreover, it is equally relevant to cyber-incidents in which a terrorist motive has not (but may well be) identified. Finally, even cases that require the quickest response (kidnappings, threats, or other dangers to public safety or the economy) may rest on evidence gathered under § 2703(a). To further public safety, this section accordingly authorizes courts with jurisdiction over investigations to compel evidence directly, without requiring the intervention of their counterparts in other districts where major Internet service providers are located.”
Administration's Draft Anti-Terrorism Act of 2001, Hearing Before the House Comm. on the Judiciary, 107th Cong., 1st Sess. 54, §108 (2001).
The SCA does not contain an exception for civil discovery subpoenas.
- Mintz v. Mark Bartelstein & Assocs., Inc., 885 F. Supp. 2d 987, 991 (C.D. Cal. 2012) ("the absence of any exception for civil discovery subpoenas in the text of the statute should be construed as intentional." Id. at 992 n.3 (citing Crispin, 717 F. Supp. 2d at 975)).
- Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. 2010) at 976 (rejecting argument that the SCA permits the disclosure of the contents of communications pursuant to a civil discovery subpoena
- Flagg v. City of Detroit, 252 F.R.D. 346, 350 (E.D. Mich. 2008) ("[A]s noted by the courts and commentators alike, § 2702 lacks any language that explicitly authorizes a service provider to divulge the contents of a communication pursuant to a subpoena or court order.");
- Viacom Int'l Inc. v. Youtube Inc., 253 F.R.D. 256, 264 (S.D.N.Y. 2008) (holding that the "§ 2702 contains no exception for disclosure of such communications pursuant to civil discovery requests");
- In re Subpoena Duces Tecum to AOL, LLC, 550 F. Supp. 2d 606, 611 (E.D. Va. 2008) ("Applying the clear and unambiguous language of § 2702 to this case, AOL, a corporation that provides electronic communication services to the public, may not divulge the contents of the Rigsbys' electronic communications to State Farm because the statutory language of the Privacy Act does not include an exception for the disclosure of electronic communications pursuant to civil discovery subpoenas.");
- O'Grady v. Superior Court, 139 Cal. App. 4th 1423, 1447 (Cal. Ct. App. 2006) ("Since the [SCA] makes no exception for civil discovery and no repugnancy has been shown between a denial of such discovery and congressional intent or purpose, the Act must be applied, in accordance with its plain terms, to render unenforceable the subpoenas seeking to compel Kraft and Nfox to disclose the contents of e-mails stored on their facilities.").
|Restriction||Contents of Communications||Customer Records|
|ECS to Public||18 USC 2702(a)(1) (shall not divulge)||18 USC 2702(a)(3) (shall not disclosure to govt)|
|RCS to public||18 USC 2702(a)(2) (shall not divulge)||18 USC 2702(a)(3) (shall not disclosure to govt)|
|Private ECS or RCS||n/a||n/a|
|Exceptions||18 USC 2702(c)(6) ("to any person other than a government entity")|
|To addressee or intended recipient||18 USC 2702(b)(1)||18 USC 2702(c)(6) ("to any person other than a government entity")|
|Lawful consent||18 USC 2702(b)(3)||18 USC 2702(c)(2)|
|Forwarding Facilities||18 USC 2702(b)(4)||18 USC 2702(c)(6) ("to any person other than a government entity")|
|Necessary Incident to Rendition of Service||18 USC 2702(b)(5)||18 USC 2702(c)(3)|
|Protection of Property and Service||18 USC 2702(b)(5)||18 USC 2702(c)(3)|
|to the NCMED (child porn)||18 USC 2702(b)(6)||18 USC 2702(c)(5)|
|In Response to Legal Authority||18 USC 2702(b)(2)||18 USC 2702(c)(1)|
|Law Enforcement if received inadvertent or appears to pertain to crime||18 USC 2702(b)(7)|
|To Government if emergency||18 USC 2702(b)(8)||18 USC 2702(c)(4)|
A cell phone does not constitute a "facility" under the SCA and therefore the SCA does not apply to data stored in a personal cell phone. Garcia v. City of Laredo, Court of Appeals, 5th Circuit 2012: [Shefts CDIll 2013 (server which syncs and backs-up emails does not constitute a facility through which ECS is provided)]
The Eleventh Circuit's decision in United States v. Steiger provides useful guidance. 318 F.3d 1039, 1049 (11th Cir. 2003). In Steiger, when a hacker accessed an individual's computer and obtained information saved to his hard drive, the court held such conduct was beyond the reach of the SCA. Id. The court found that "the SCA clearly applies . . . to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system," but does not, however, "appear to apply to the source's hacking into Steiger's computer to download images and identifying information stored on his hard-drive." Id. It noted that "the SCA may apply to the extent the source accessed and retrieved any information stored with Steiger's Internet service provider." Id. (emphasis added).
A number of district courts that have considered this question have also concluded that "the relevant `facilities' that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage." Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11-cv-01073, 2012 WL 3862209, at *9 (S. D. Ohio Sept. 5, 2012) (emphasis added). Recently, the Northern District of California held that a class of iPhone plaintiffs had no claim under the SCA because their iPhones did not "constitute `facilit[ies] through which an electronic communication service is provided.'" In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057-58 (N.D. Cal. 2012).
Thus these courts agree that a "home computer of an end user is not protected by the SCA." Kerr, supra, at 1215 (footnote omitted). As explained by Orin Kerr in his widely cited law review article, the words of the statute were carefully chosen: "[T]he statute envisions a provider (the ISP or other network service provider) and a user (the individual with an account with the provider), with the user's communications in the possession of the provider." Id. at 1215 n.47 (emphasis added) (citation omitted).
This reading of the statute is consistent with legislative history, as "Sen. Rep. No. 99-541 (1986)'s entire discussion of [the SCA] deals only with facilities operated by electronic communications services such as `electronic bulletin boards' and `computer mail facilit[ies],' and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users' computers . . . ." In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512 (S.D.N.Y. 2001) (quoting S. REP. No. 99-541, at 36, reprinted in 1986 U.S.C.C.A.N. 3555, 3590).
See also ECPA: Cell Phone; Fourth Amendment: Cell Phone; Cloned Mobile Phones; Stored Communications Act Cell Phones
And what do we have as a parting gift for our contestants, Johnny? It's up to 5 years in the slammer and forking over a fine. See also ECPA Punishment and Recovery.
18 USC § 2701(b) Punishment.- The punishment for an offense under subsection (a) of this section is-
(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State-
(A) a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and
(B) a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and
(2) in any other case-
(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.
Parties aggrieved by violations of either ECPA or SCA are afforded a private right of action pursuant to 18 USC § 2707
Derived From: GAOS v Google, NDCA 2012
"The injury required by [the SCA], however, can exist solely by virtue of "statutes creating legal rights, the invasion of which creates standing." Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)). In such cases, the "standing question . . . is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." Id. (quoting Warth, 422 U.S. at 500). Although "Congress cannot erase Article III's standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing," Raines v. Byrd, 521 U.S. 811, 820 n.3 (1997), a plaintiff may be able to establish constitutional injury in fact by pleading a violation of a right conferred by statute so long as she can allege that the injury she suffered was specific to her, see Warth, 422 U.S. at 501."
<< Emergencies << Previous | Next >> Trap & Trace >>