US Internet Law/SCA

The U.S. federal Stored Communications Act, 18 U.S.C. § 2701 et seq., (the “SCA”) regulates when an electronic communication service (“ECS”) provider may the contents of or other information about a customer’s emails and other electronic communications to private parties. Congress passed the SCA to prohibit a provider of an electronic communication service “from knowingly divulging the contents of any communication while in electronic storage by that service to any person other then the addressee or intended recipient.” S.Rep. No. 99-541, 97th Cong. 2nd Sess. 37, reprinted in 1986 U.S.C.C.A.N. 3555, 3591.

Overview
The SCA provides that any “person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service,” with limited exceptions. 18 U.S.C. § 2702(a)(1) (emphasis added). Under the SCA, “‘contents’, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8).

As courts have held, the SCA “protects users whose electronic communications are in electronic storage with an ISP or other electronic communications facility.” Theofel v. Farey-Jones, 341 F.3d 978, 982 (9th Cir. 2003).

Providers of Electronic Communication Service vs. Remote Computing Service
ECPA divides providers covered by the statute into "provider[s] of electronic communication service" and "provider[s] of remote computing service." To understand these terms, it helps to recall the era in which ECPA, a 1986 statute, was drafted. At that time, network account holders generally used third-party network service providers for two reasons. First, account holders used their accounts to send and receive communications such as e-mail. The use of computer networks to communicate prompted privacy concerns because in the course of sending and retrieving messages, it was common for several computers to copy the messages and store them temporarily. Copies created by these providers of "electronic communication service" and placed in temporary "electronic storage" in the course of transmission sometimes stayed on a provider's computer for several months. See H.R. Rep. No. 99-647, at 22 (1986).

The second reason account holders used network service providers was to outsource computing tasks. For example, users paid to have remote computers store extra files, or process large amounts of data. When users hired such commercial "remote computing services" to perform tasks for them, they would send a copy of their private information to a third-party computing service, which retained the data for later reference. Remote computing services raised privacy concerns because the service providers often retained copies of their customers' files. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557.

ECPA protects communications held by providers of electronic communication service when those communications are in "electronic storage," as well as communications held by providers of remote computing service. To that end, the statute defines "electronic communication service," "electronic storage," and "remote computing service" in the following way:

"Electronic communication service"
An electronic communication service ("ECS") is "any service which provides to users thereof the ability to send or receive wire or electronic communications." 18 U.S.C. § 2510(15). (For a discussion of the definitions of wire and electronic communications, see Chapter 4.C.2, infra.) For example, "telephone companies and electronic mail companies" generally act as providers of electronic communication services. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3568; see also FTC v. Netscape Communications Corp., 196 F.R.D. 559, 560 (N.D. Cal. 2000) (noting that Netscape, a provider of e-mail accounts through netscape.net, is a provider of ECS).

The legislative history and case law indicate that the key issue in determining whether a company provides ECS is that company's role in providing the ability to send or receive the precise communication at issue, regardless of the company's primary business. See H.R. Rep. No. 99-647, at 65 (1986). Any company or government entity that provides others with means of communicating electronically can be a "provider of electronic communication service" relating to the communications it provides, even if providing communications service is merely incidental to the provider's primary function. See Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996) (city that provided pager service to its police officers can be a provider of electronic communication service); United States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with computerized travel reservation system accessed through separate computer terminals can be a provider of electronic communication service).

Conversely, a service cannot provide ECS with respect to a communication if the service did not provide the ability to send or receive that communication. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private e-mail stored on another company's bulletin board service in order to expose copyright infringement was not a provider of electronic communication service); State Wide Photocopy v. Tokai Fin. Servs. Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not provider of electronic communication service).

Significantly, a mere user of ECS provided by another is not an ECS. For example, a web site is not a provider of electronic communication service, even though it may send and receive electronic communications from customers. In Crowley v. Cybersource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001), the plaintiff argued that Amazon.com (to whom plaintiff sent his name, credit card number, and other identification information) was an electronic communications service provider because "without recipients such as Amazon.com, users would have no ability to send electronic information." The court rejected this argument, holding that Amazon was properly characterized as a user rather than a provider of ECS. See id.

"Electronic storage"
18 U.S.C. § 2510(17) defines "electronic storage" as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof," or in the alternative as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." The mismatch between the everyday meaning of "electronic storage" and its narrow statutory definition has been a source of considerable confusion. It is crucial to remember that "electronic storage" refers only to temporary storage, made in the course of transmission, by a provider of electronic communication service. For example, the court in In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 511-12 (S.D.N.Y. 2001), held that cookies, which are information stored on a user's computer by a web site and sent back to the web site when the user accesses the web site, fall outside of the definition of "electronic storage" and hence outside of ECPA because of their "long-term residence on plaintiffs' hard drives."

To determine whether a communication is in "electronic storage," it helps to identify the communication's final destination. A copy of a communication is in "electronic storage" only if it is a copy of a communication created at an intermediate point that is designed to be sent on to its final destination. For example, e-mail that has been received by a recipient's service provider but has not yet been accessed by the recipient is in "electronic storage." See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). At that stage, the copy of the stored communication exists only as a temporary and intermediate measure, pending the recipient's retrieval of the communication from the service provider. Once the recipient retrieves the e-mail, however, the communication reaches its final destination. If a recipient then chooses to retain a copy of the accessed communication on the provider's system, the copy stored on the network is no longer in "electronic storage" because the retained copy is no longer in "temporary, intermediate storage . . . incidental to . . . electronic transmission." 18 U.S.C. § 2510(17). Rather, because the process of transmission to the intended recipient has been completed, the copy is simply a remotely stored file. See Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 635-38 (E.D. Pa. 2001) (holding that because an e-mail was acquired from post-transmission storage, it was not in "electronic storage" and its acquisition was not prohibited under ECPA); H.R. Rep. No. 99-647, at 64-65 (1986) (noting Congressional intent that opened e-mail and voicemail left on a provider's system be covered by provisions relating to remote computing services, rather than provisions relating to services holding communications in "electronic storage").

As a practical matter, whether a communication is held in "electronic storage" by a provider governs whether that service provides ECS with respect to the communication. The two concepts are coextensive: a service provides ECS with respect to a communication if and only if the service holds the communication in electronic storage. Thus, it follows that if a communication is not in temporary, intermediate storage incidental to its electronic transmission, the service cannot provide ECS for that communication. Instead, the service must provide either "remote computing service" (also known as "RCS,"discussed below), or else neither ECS nor RCS. See discussion infra.

"Remote computing service"
The term "remote computing service" ("RCS") is defined by 18 U.S.C. § 2711(2) as "provision to the public of computer storage or processing services by means of an electronic communications system." An "electronic communications system" is "any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications." 18 U.S.C. § 2510(14).

Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a customer. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3564-65. For example, a service provider that processes data in a time-sharing arrangement provides an RCS. See H.R. Rep. No. 99-647, at 23 (1986). A mainframe computer that stores data for future retrieval also provides an RCS. See Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 443 (W.D. Tex. 1993) (holding that provider of bulletin board services was a remote computing service). In contrast with a provider of ECS, a provider of RCS does not hold customer files on their way to a third intended destination; instead, they are stored or processed by the provider for the convenience of the account holder. Accordingly, files held by a provider acting as an RCS cannot be in "electronic storage" according to § 2510(17).

Under the definition provided by § 2711(2), a service can only be a "remote computing service" if it is available "to the public." Services are available to the public if they are available to any member of the general population who complies with the requisite procedures and pays any requisite fees. For example, America Online is a provider to the public: anyone can obtain an AOL account. (It may seem odd at first that a service can charge a fee but still be considered available "to the public," but this mirrors commercial relationships in the physical world. For example, movie theaters are open "to the public" because anyone can buy a ticket and see a show, even though tickets are not free.) In contrast, providers whose services are open only to those with a special relationship with the provider are not available to the public. For example, employers may offer network accounts only to employees. See Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting the "providing . . . to the public" clause in § 2702(a) to exclude an internal e-mail system that was made available to a hired contractor but was not available to "any member of the community at large"). Such providers cannot provide remote computing service because their network services are not available to the public.

Whether an entity is a provider of "electronic communication service," a provider of "remote computing service," or neither depends on the nature of the particular communication sought. For example, a single provider can simultaneously provide "electronic communication service" with respect to one communication and "remote computing service" with respect to another communication.

Classifying Types of Information Held by Service Providers
Network service providers can store different kinds of information relating to an individual customer or subscriber. Consider the case of the e-mail exchange between Joe and Jane discussed above. Jane's service provider, LocalISP, probably has access to a range of information about Jane and her account. For example, LocalISP may have opened and unopened e-mails; account logs that reveal when Jane logged on and off LocalISP; Jane's credit card information for billing purposes; and Jane's name and address. When agents and prosecutors wish to obtain such records, they must be able to classify these types of information using the language of ECPA. ECPA breaks the information down into three categories: basic subscriber information listed in 18 U.S.C. § 2703(c)(2); "record[s] or other information pertaining to a subscriber to or customer of [the] service"; and "contents." See 18 U.S.C. §§ 2510(8), 2703(c)(1).

1. Basic Subscriber Information Listed in 18 U.S.C. § 2703(c)(2)
18 U.S.C. § 2703(c)(2) lists the categories of basic subscriber information:

(A) name; (B) address; (C) local and long distance telephone connection records, or records of session times and durations; (D) length of service (including start date) and types of service utilized; (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and (F) means and source of payment for such service (including any credit card or bank account number)[.]

In general, the items in this list relate to the identity of a subscriber, his relationship with his service provider, and his basic session connection records. This list does not include other, more extensive transaction-related records, such as logging information revealing the e-mail addresses of persons with whom a customer corresponded during a prior session. The PATRIOT Act enhanced the categories of basic subscriber information in three respects. See PATRIOT Act § 210, 115 Stat. 272, 283 (2001). It added "records of session times and durations," as well as "any temporarily assigned network address" to 18 U.S.C. § 2703(c)(2). In the Internet context, these records include the IP address assigned by an Internet service provider to a customer for a particular session. They also include other information relating to account access, such as the originating telephone number for dial-up Internet access or the IP address of a user accessing an account over the Internet. In addition, the PATRIOT Act added to this list of subscriber information the "means and source of payment" that a customer uses to pay for an account, "including any credit card or bank account number."

2. Records or Other Information Pertaining to a Customer or Subscriber
18 U.S.C. § 2703(c)(1) covers a second type of information: "a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications)." This is a catch-all category that includes all records that are not contents, including basic subscriber information.

Common examples of "record[s] . . . pertaining to a subscriber" include transactional records, such as account logs that record account usage; cell-site data for cellular telephone calls; and e-mail addresses of other individuals with whom the account holder has corresponded. See H.R. Rep. No. 103-827, at 10, 17, 31 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, 3490, 3497, 3511; United States v. Allen, 53 M.J. 402, 409 (C.A.A.F. 2000) (concluding that "a log identifying the date, time, user, and detailed internet address of sites accessed" by a user constituted "a record or other information pertaining to a subscriber or customer of such service" under ECPA). See also Hill v. MCI Worldcom, 120 F. Supp. 2d 1194, 1195-96 (S.D. Iowa 2000) (concluding that the "names, addresses, and phone numbers of parties . . . called" constituted "a record or other information pertaining to a subscriber or customer of such service" for a telephone account). According to the legislative history of the 1994 amendments to § 2703(c), the purpose of separating the basic subscriber information from other non-content records was to distinguish basic subscriber information from more revealing transactional information that could contain a "person's entire on-line profile." H.R. Rep. No. 103-827 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, 3497, 3511.

3. Contents
The contents of a network account are the actual files stored in the account. See 18 U.S.C. § 2510(8) ("'contents,' when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication"). For example, stored e-mails or voice mails are "contents," as are word processing files stored in employee network accounts. The subject headers of e-mails are also contents. Cf. Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (noting that numerical pager messages provide "an unlimited range of number-coded substantive messages" in the course of holding that the interception of pager messages requires compliance with Title III).

Contents can be further divided into three subcategories: contents stored "in electronic storage" by providers of electronic communication service; contents stored by providers of remote computing services; and contents held by neither. The distinctions among these types of content are discussed in Part B, supra.