Why Regulations Aimed At Technology Almost Always Suck: Or Why Reading Someone's Gmail Isn't Reading 'Stored Communications'
from the don't-let-them-near-technology dept
There have been a couple of stories covering the fact that the South Carolina Supreme Court has ruled that reading someone's Gmail does not violate the Stored Communications Act, a part of ECPA -- a law we've written about a number of times for being completely out-of-date. Orin Kerr has a good breakdown of the details, if you want to read them. What struck me most, however, is how this case is a near perfect example of the kind of mess we get into when politicians try to regulate technology. Technology changes much, much, much faster than the law, and because of that, you get very silly results. The key issue here is that the Stored Communications Act is now found in 18 U.S.C. 2701 -- and it defines the offense as occurring when someone "obtains, alters or prevents" access to communication "while it is in electronic storage." Now, for the purpose of the law, "electronic storage" is defined over in 18 U.S.C. 2510, with the relevant definition noting:“electronic storage” means--Got that? It must have seemed reasonable at the time it was written, but it makes little sense these days, and is apparently so misaligned with reality today that this one single case interprets that definition in three different ways, and exactly none of those ways agree with a 9th Circuit ruling in Theofel v. Farey-Jones. There's disagreement over the meaning of "backup" in part (B) in particular. Is that backup for the user? Or for the service provider? And then, how do you figure out what is or what is not backup? If a person reads his or her Gmail account, then the message was copied to his or her local machine inside the browser. Thus, it seems reasonable to argue that the copy that remains on the server is a backup copy. But two of the judges in this case argued that because the recipient had not "downloaded" any other copies of the message to store, then the ones on the server were not "backups." This makes little sense because copies were downloaded, but many non-technical people don't understand how browsers really work.
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;
Other judges focus on whether or not your webmail account is really "backup" for the ISP. Either way, the end conclusions: webmail is not considered "electronic storage" under the law for the purpose of the Stored Communications Act. While accessing someone's email can (and likely does) still violate other laws, the very law that most people would probably think most directly applies, almost certainly does not.
The reality is that, when it was passed, back in 1986, it probably seemed to make sense that "stored communications" would only be done for backup. While there were networked client/server type setups at the time, it's doubtful that the folks who wrote the law could have fathomed something like webmail or other online forms of communication. If we're talking about "stored communications" today, it seems ridiculous to have it not cover web-based mail systems or social networks. But the law doesn't seem to support that view -- because the law is incredibly out-of-date. But, of course, the problem with fixing the law is that lawmakers will, again, have trouble figuring out where we'll be just a few years out, and the law may either fail to cover what it thinks it covers or (perhaps worse) cover stuff that should be perfectly legal.
And this, of course, is what we fear when it comes to politicians meddling in technology. Even when they have the best of intentions, technology changes rapidly -- and old and obsolete definitions get left in the law and can create problems or situations that make very little sense. If Congress were able to clean those up quickly, perhaps there wouldn't be a problem, but Congress isn't known for fixing real problems quickly. We've been hearing talk of fixing ECPA for years, and it seems unlikely to happen for a while.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: email, regulations, stored communications, technology
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
When it comes to technology, laws cannot be too rigid as they need some wiggle room to allow for future developments so that you do not have to rewrite whole laws every 6 months.
[ link to this | view in chronology ]
Re:
While it's not that simple to answer those questions most of the time it is true our legislators don't even try.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
If mail is protected, then all mail, including any form of electronic, holographic, brain to brain transmissions when we learn to do it, etc. should be covered without all this quibbling.
Many more examples...
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Funny, I think one can draw almost precisely the opposite conclusion from ECPA. The law was drafted 27 years ago - when the online world for most of your readers (who were alive) consisted of 300 baud modems connecting BBSes. The technology has changed dramatically, so it actually is surprising just how resilient, and how applicable to new technologies, ECPA has turned out to be.
ECPA basically provides heightened statutory protections for communications in transit. For communications and other data that have come to rest - they've already been delivered to their recipient, and are now being store din the cloud for convenience - it provides somewhat less protection, but still more than if you stored the same things on paper with a storage company. Is it difficult to fit things like Gmail into ECPA's framework? Not really. It's possible to draw bright line rules with all sorts of "new" technologies (even though today's cloud computing looks a heck of a lot like the client-server model circa 1986). The difficulty is agreeing on where we should draw those bright line rules. That's illustrated by the divergent court interpretations of ECPA in the context of these "new" technologies, but it doesn't necessarily seem to be the fault of ECPA's language or the 1986 Congress.
And it seems to me that your critique of ECPA isn't so much that ECPA's language is so outdated that it can't be applied to new technologiesm, but rather you don't like the distinctions ECPA draws (between in transit data and stored data).
Does ECPA need updating? Might we (collectively, as TD readers or as a country) want to draw the lines a little differently, to provide higher statutory protections for data stored in the cloud? Sure. Or at least maybe. But compare ECPA to other tech-related laws from the 80s (like anything regarding television) and by comparison ECPA seems like a paragon of forward-looking technology-neutral lawmaking.
[ link to this | view in chronology ]
Re:
But you see, there is literally no difference between "in transit" and "stored" when it comes to these types of systems. That's what's changed. The law assumes that there is a difference, and that the difference can be easily ascertained. That's what makes the law out of date.
[ link to this | view in chronology ]
Re: Re:
Courts could conclude that communications intended for a particular recipient are "in transit" until that recipient has actually received and read/viewed/listened to that message. Or they could conclude that a message is in transit until the recipient has had an opportunity to read (or delete) the message, without needing to determine whether the message actually has been read or understood. (The analogy would be to situations in corporation or contract law where a perosn is deemed to have constructive knowledge of a fact even if it's possible they were not actually aware of the fact.)
The point is that the dichotomy between in-transit and stored information isn't a fundamental flaw with ECPA. Mike seems more concerned that (a) judges have differing views about how this standard ought to apply to novel fact patterns, and (b) more fundamentally, this framework doesn't provide enough privacy protection for data deemed to be no longer in transit. But "a" is going to be a problem with pretty much any law that gets applied to novel technologies by judges of varying familiarty with them. And if "b" is the problem, then it's not a problem inherent in ECPA because of its structure or age - it's a result of Mike being generally more keen on strong privacy protections than Congress or the courts. (Not that that's a bad thing, Mike. I'm just sayin'...)
[ link to this | view in chronology ]
Re: Re: Re:
On that level of abstraction, the difference is entirely imaginary. We make it up. Therefore, it's an artifice. Your paragraph on the various things that the courts could conclude pretty much demonstrates this.
That courts need to invent a difference just to make it possible to apply existing law, then that tells me that the existing law is not really appropriate for this circumstance.
I'm not saying that the ECPA is flawed. I'm saying that it is not appropriate to this variant of technology. It is obsolete in this context.
[ link to this | view in chronology ]
Re:
Exactly. When the line drawn isn't the one he wants, it's the stupid-old-outdated-law-and-the-corrupt-imbeciles-in-Congress's fault. Those idiots are never right--except when they do get something right, but then, that's usually just a mistake.
All I know is that this country sucks and I hate everything about it and I'm going to complain about every little thing ever! Oh wait, that's not me. That's Techdirt.
[ link to this | view in chronology ]
Re: Re:
...PFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFT.
[ link to this | view in chronology ]
Re: Re:
This is my main problem with you AJ. You make asinine assumptions that you insist must be true and then you simply refuse to consider any possible alternative explanation. It's maddening.
The truth is I love this country and think it's great, but making some bad decisions that will harm its competitiveness going forward, as well as its ability to innovate and grow, while encouraging the kind of creativity we need to see.
What you falsely judge as "hate" and "complaints" are, instead, concerns and pushing for improvements on where things are going off base.
And yet, you seem to not comprehend these basic facts. Instead, you come here and you attack (and whatever happened to your bullshit promise not to post here until next year?!?) and you vandalize the comments.
It's sad.
[ link to this | view in chronology ]
Re: Re: Re:
By having an opposing opinion? For expressing it?
What happened to free speech? Is it more "Freedom of speech, just watch what you say"?
[ link to this | view in chronology ]
Re: Re: Re: Re:
In the end you are the ones making fools of yourselves which is just pitiful.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
And it seems to me that your critique of ECPA isn't so much that ECPA's language is so outdated that it can't be applied to new technologiesm, but rather you don't like the distinctions ECPA draws (between in transit data and stored data).
Exactly. When the line drawn isn't the one he wants, it's the stupid-old-outdated-law-and-the-corrupt-imbeciles-in-Congress's fault. Those idiots are never right--except when they do get something right, but then, that's usually just a mistake.
All I know is that this country sucks and I hate everything about it and I'm going to complain about every little thing ever! Oh wait, that's not me. That's Techdirt.
[ link to this | view in chronology ]
Re: Re: Re:
This comment has been flagged by the community. Click to re-hide it.
Now don't be shy, click it, you'll see some nice magic!
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Actually, you don't really download to your browser, because your browser creates at best a cache copy of the email, but doesn't actually really retain it. If you downloaded the email to a mail program that actively downloaded the full email, headers and all, using smtp, and then instructs the server to delete the stored message from the server because it's received, then it is in fact downloaded.
Otherwise, the message isn't downloaded, it's only viewed. For those users who surf with "delete cache when I close the browser" or who do not use page caching at all, you would create a standard which they would not live up to. A browser is a viewing software, not something that specifically downloads content.
Put another way: If you lose your connection to the internet after closing your browser (and having it automatically clear the cache) would you have a copy of the email? Nope. So you didn't download it. You viewed it in an interactive session.
The technology is really simple, unless you try really hard to play word games with it.
[ link to this | view in chronology ]
Re:
...and for those who don't? It suddenly becomes more complicated when a simple browser setting can change the legality of an action. Especially when most browsers have plugins that are specifically made to store webmail sessions offline.
"The technology is really simple, unless you try really hard to play word games with it."
What do you think the lawyers are paid to do?
[ link to this | view in chronology ]
Re: Re:
Gmail in a browser is possibly the best example: you never download messages, they stay on the gmail server, and you access them via an interactive session. You never instruct gmail to actually remove the message from the server (it just sits there read) and as such, it isn't a backup, it's the original.
Even if you get your gmail on your smartphone (android), you are at best making a copy of the messages, because you never instruct gmail to delete them to rely solely on your own device storage.
"What do you think the lawyers are paid to do?"
File motions and create delays.
[ link to this | view in chronology ]
Re: Re: Re:
Sorry, but if you request and receive a file, whether it happens to contain an email message for you or not, then you downloaded it.
[ link to this | view in chronology ]
Re: Re: Re:
The copy on your smartphone usually remains for a while and is accessible without any connection. Maybe the attachments aren't downloaded upon opening the message (and it's dependent on the app you are using).
Yes you can instruct gmail to delete the e-mail upon downloading it. In a sense if you are using a specific software to download the messages permanently to your computer you can instruct Gmail to keep the messages as backup. Also, if you are using imapi, your gmail account will act as a shadow copy of what you do in your hard drive. If you delete a message it will delete a message on the server, if you tag it in your computer it will tag on the server.
You do not know how browsers function. Nor I fully understand how they work but I certainly know the basics better than you.
As you can see, it's much more complex than you seem to grasp.
[ link to this | view in chronology ]
Re: Re: Re:
The creator of the message has the original. You were sent, and the server is storing, a copy.
Take a look in "Sent Mail." Who has the original, you or the recipient?
[ link to this | view in chronology ]
Re: Re: Re:
In breaking news, pirates everywhere rejoice, crying out "I've never downloaded ANYTHING!" =P
[ link to this | view in chronology ]
Re:
There is nothing about retention. But a cache copy is downloaded just as well. So... my original statement stands.
Put another way: If you lose your connection to the internet after closing your browser (and having it automatically clear the cache) would you have a copy of the email? Nope. So you didn't download it. You viewed it in an interactive session.
You still downloaded it. What happens after is of no concern to the question of whether or not it was downloaded.
The technology is really simple, unless you try really hard to play word games with it.
Funny, then, that you don't seem to understand it.
[ link to this | view in chronology ]
Re:
* are retained in your computers memroy for programs to function
* are saved into a cache, whether deleted after the fact or retained for prosperity
* are transferred into a program so that you can read the pretty letters on your screen.
In other words under your strangely worded Act anything transferred AT ALL is downloaded.
It doesn't matter if it is deleted after you have read it automagically or not. The actual act of initiating the transfer to your machine for ANY reason is the instance of the download in question under this act.
The technology of what you are doing might be simple but sadly the Act does NOT talk about the technology and is absolutely NOT simple.
[ link to this | view in chronology ]
Actually Yahoo mail
[ link to this | view in chronology ]
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;
this is a perfectly valid and legalised definition and is clearly able to be applied to be exactly what it reads.
an email sitting on a POP server is not a backup of another email, it IS THE email, it is in the process of electronic communications.
even if you have that information 'stored' my your email ISP, does not take away from the fact that it is 'in communardio', the emails stored on your server are the originals, in constant transit, in electronic communications, if you wish to make a backup of those files you would have to copy those files (from the originals)..
ie, the originals are not, and cannot be, by definition (legal or otherwise) be the backups also.
the legal definition used by the court seems to understand that technology quite well.. the author of this article not so much.
Laws dont have to change with technology advancement, laws in generally in place for things involving people and property and money, human rights, and so on.
When the transistor was invented do you think the politicians rushed in lots of new laws ?? what kind of laws.
This case, does not revolve around technology, it is a case where someone wants to read someone else documents (mail in this case).. it's about people, not technology.
what if the next time you log onto your hotmail or gmail account you find that your inbox is empty, your deleted mails folder is empty..
you ring up your isp or email provider and say "can you recover those files from your backup ?? "
they will probably say, "what is in your inbox is what you have".. your inbox is not a backup.. if that filespace is wiped clean they are gone..
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Occam's Razor
Think of the terrorists!
--Bob.
[ link to this | view in chronology ]
I think this could have implications far beyond E-mail. How long now until someone attempts to break in and steal the text of TPP and CETA. The way I see it, this ruling also makes it open season on that. I would imagine the the people running the computers that have the TPP and CETA texts have probably figured that out, and are likely taking steps to beef up security on those machines.
You watch, there will be attempts to access and leak TPP and CETA texts, as a result of this runing. This ruling effectively declares "open season" on the purloining of data from any computer, as long as you do not attempt to alter or destroy it.
I would not be surprised if the next Congress, in January, puts some kind of badly-written and misguided bill regarding this, on the fast track to passage.
You watch, there will be either a CISPA 2.0 or SOPA 2.0 that attempts to address this issue, draconian, and very badly written.
[ link to this | view in chronology ]
A Little OT
So...an internet outage is illegal?
If I am reading my Gmail and all of the sudden my internet goes out, my ISP is preventing me from accessing communications on Google's server. The communication exists in intermediate storage on Google's server until I decide what to do with it, and while this storage time can be indefinite (as long as Google keeps the service running) it can still be defined as intermediate as I can remove it at any time. This means that my ISP is in violation of the law as it is written.
[ link to this | view in chronology ]
>recipient had not "downloaded" any other copies of the
>message to store, then the ones on the server were not
>"backups."
I do in fact download my gmail to store it. I figure a lot of other people who don't trust that gmail is forever and some bug won't eat their account do this too (it happened to my hotmail). Clearly the judges are ... not thinking clearly.
[ link to this | view in chronology ]
Just a thought
If you could update the laws and make them relevant to the 21st century and the new digital age, how would you go about doing it?
We've lost 4th Amendment protections thanks to the Drug War and free speech is somewhat limited in the US.
What do you think could change the laws for technology given how quickly the laws have to be changed?
[ link to this | view in chronology ]
But haven't laws always involved some sort of technology?
Seems if you want to avoid writing regulations because you might stumble upon changing technology, you'd banish all regulations. I realize that some people want that, but when you have an unregulated stock market, unregulated banking system, or unregulated health care system (I'm thinking of people who have died recently from meningitis after treatments from supplies from a barely regulated pharmacy) sometimes things get out of hand.
Look at the history of asbestos. People were dying from asbestos-related cancer for decades before something was finally done about it.
[ link to this | view in chronology ]
Re: But haven't laws always involved some sort of technology?
1. Have set limits, say, 5 years, for a tech focused law to be in effect. At the end of the term, it can be extended, but has to go through all the same processes as the original bill went through(with several additions), allowing it to be 'updated' to compensate for changes in technology.
As a part of this process there would be a required study(or preferably more than one, from neutral sources) conducted to go over and assess the effects, both positive and negative, that the bill caused while it was active, as well as seeing how effective it was at achieving the specific goals that was set for it.
If it doesn't make it through the process again, then it automatically is phased out and is no longer a law.
2. Have laws/bills aimed more at the generalities than the specifics.
So in a case like this, instead of having a bill stating that the authorities aren't allowed to use methods A, B, and C to break into, and read an individual's personal correspondence without a warrant, just have it say that they are not allowed to do it using any method without a warrant.
[ link to this | view in chronology ]
Re: But haven't laws always involved some sort of technology?
That's not entirely the point here, I don't think. I wouldn't read it as saying "we shouldn't regulate new technology", but rather "technology changes at a rapid rate and the regulations need to keep pace".
That is, it's the speed at which congress reacts to change that's the problem, not the fact that the regulations exist to begin with. Of course, there's likely to be other types of unintended consequences if the rate of change was too fast, but clearly the current situation needs work.
[ link to this | view in chronology ]
Re: Re: But haven't laws always involved some sort of technology?
There's a paper by economist Paul Romer that addresses this. Here's a bit of a summary and you can find a link to the paper itself.
Romer on rules - NYU Stern Economics: "Rules aren’t 'one and done.' As the world changes, the rules need to change with it. Advances in technology and globalization have made this more difficult in two ways. One is that the pace of innovation requires more rapid change. The other is that the scale is so large that traditional social mechanisms for controlling behavior don’t work as well — and changing more formal systems is harder to do. ...
"Principle-based systems work better in some settings. His example is the FAA, which 'approaches its task of ensuring flight safety with rules that specify required outcomes but that are not overly precise about the methods by which these outcomes are to be achieved,' … Examiners have 'a large measure of flexibility' but 'are held responsible for their decisions.'"
[ link to this | view in chronology ]