Appeals Court: Stored Communications Act Privacy Protections Cover Opened And Read Emails
from the shouldn't-have-needed-to-be-said,-but-at-least-it-was-said-forcefully dept
The Fourth Circuit Court of Appeals has handed down an important decision [PDF] bolstering privacy protections for stored email. As we're painfully aware, unopened email older than 180 days is granted zero privacy protections, treated like unopened snail mail left at the post office. Opened email, on the other hand, would seem to carry an expectation of privacy, but a district court ruling came to exactly the opposite conclusion, prompting this appeal.
A lawsuit involving a pair of affairs and one party's decision to read someone else's emails surfaced a question not often posed without a government party involved. Here's the court's summary of the convoluted backstory that led to accusations of federal law violations:
From August 2011 to February 2015, [Patrick] Hately had an intimate relationship with Nicole Torrenzano (“Nicole”), with whom Hately has two children. During their relationship, Hately and Nicole shared login and password information for their email accounts—including Hately’s Blue Ridge College email account. But when, about March 2015, Nicole informed Hately that she also was involved in an intimate relationship with [Dr. David] Watts, who was her co-worker and married to Audrey Hallinan Watts (“Audrey”), Hately and Nicole separated.
Pertinent to this action, Hately did not change the password that he shared with Nicole for his Blue Ridge College email account. Watts and Nicole continued their personal relationship, and during the fall of 2015, Watts and Audrey initiated divorce proceedings. In an effort to help Watts in his divorce proceedings, Nicole told Watts that Hately and Audrey were having an affair. Nicole said she knew of emails between Hately and Audrey that Watts could obtain by using the password that she had to Hately’s Blue Ridge College email account.
This certainly doesn't make what Watts did OK, but he seemed to feel it at least made his actions legal.
Watts stated that he used the password Nicole gave him to browse through Hately’s emails but contended that he “did not open or view any email that was unopened, marked as unread, previously deleted, or in the [student email account]’s ‘trash’ folder.”
This bizarre defense of invading someone else's privacy convinced the lower court that Watts' actions were legally in the clear, even if they were clearly morally wrong. It dismissed his Stored Communications Act claims against Watts, stating that the SCA did not protect opened email. According to the lower court, the only email protected by the SCA is email still in transit. Once it's been downloaded and opened, it's apparently cool for other people to access and read, even if it's not their email account.
With this bizarre take, the lower court basically stated spam email routed directly to the trash has more privacy protections than direct communications between living, breathing persons. The appeals court points out this interpretation is off base by a long distance. A lengthy discussion of the SCA and Congressional intent -- along with a revival of Hately's state law claims -- takes up a great deal of the opinion's 55 pages.
Dr. Watts -- the email interloper -- argued the SCA did not protect these communications because the Blue Ridge College email server was not an "electronic communication service," but rather a "remote computing device." This argument hinged on the email system's construction, which used Google's services for transmitting and storing email. But the university also stored a copy of all Blue Ridge email on its own servers as a backup for users. This crucial fact restores the expectation of privacy, according to the appeals court, which points out Blue Ridge's backup server actually makes it both.
The district court's reasoning rests on the premise that, for purposes of the emails in question, Blue Ridge College's email service could not simultaneously function as both an electronic communication service and a remote computing service. But nothing in the plain language of the definitions of electronic communication service and remote computing service precludes an entity from simultaneously functioning as both.
There is no logical or technological obstacle to an entity "provid[ing] to users thereof the ability to send or receive wire or electronic communications"—i.e., functioning as an electronic communication service—while, and as part of the same service, "provi[ding] the public [with] computer storage or processing services by means of an electronic communications system"—i.e., functioning as a remote computing service. And the relevant legislative history expressly contemplates as much, stating that "remote computing services may also provide electronic communication services." S. Rep. No. 99-541, at 14; see also H.R. Rep. No. 99-647, at 64 ("[T]o the extent that a remote computing service is provided through an Electronic Communication Service, then such service is also protected [under Section 2701(a)].").
As the appeals court notes, it makes no sense to suggest email users consider opened email worthy of less protection than others they've sent directly to the trash without reading. Servers like the one used by Blue Ridge to back up the Google-based email system are the end result of users' desires. Users want to store emails for later reading or use. And Congress -- even with its horribly-outdated Stored Communications Act -- recognized the privacy inherent to these personal communications. This covers delivered and opened email, no matter where the original or its backup resides.
To read the law otherwise is to upend the personal nature of email communications, allowing almost anyone to access anyone else's email without permission and face zero consequences (at least under federal law) for doing so.
The district court’s construction of Subsection (B)—that previously delivered and opened emails stored by a web-based email service are not in “electronic storage” and therefore not actionable under Section 2701(a)(1)—would materially undermine these objectives. Potential users of web-based-email services—like Blue Ridge College’s email service—would be deterred from using such services, knowing that unauthorized individuals and entities could access many, if not most, of the users’ most sensitive emails without running afoul of federal law. Likewise, without the prospect of liability under federal law, unauthorized entities will face minimal adverse consequences for accessing, and using for their own benefit, communications to which they are not a party. The legislative history establishes that Congress did not intend such a result.
The district court’s interpretation of Subsection (B)—which would protect only unread emails stored in by web-based email service—also leads to an arbitrary and untenable “gap” in the legal protection of electronic communications.
Back the case goes to the lower court, reversed and remanded with instructions to reach a less illogical conclusion. And in doing so, the appeals court sets an important precedent that clarifies what the SCA actually covers.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th circuit, ecpa, emails, privacy, stored communications act
Reader Comments
Subscribe: RSS
View by: Time | Thread
Lesson: change your passwords when you break up.
[ link to this | view in chronology ]
Re:
Possible second lesson: ask your mail server operator to mark all email as "opened" immediately on receipt, and to not store any logs that could prove otherwise.
[ link to this | view in chronology ]
Re: Re:
In many email systems, you can create rules that do this for you. I know it works in Gmail.
[ link to this | view in chronology ]
Wow, that two-paragraph quote sounds like something straight out of a soap opera. Man 1 and Woman 1 are together. Woman 1 informs Man 1 that she's having an affair with Man 2, (who is married to Woman 2,) and they break up. Woman 1 continues her affair with Man 2, who eventually decides to break up with Woman 2, and Woman 1 helpfully provides evidence to him that Man 1 has been having an affair with Woman 2!
That's just a big mess all over...
[ link to this | view in chronology ]
Re:
"As The World Turns"
[ link to this | view in chronology ]
Re: Man1, Woman1..
Game Jam, here we come!
[ link to this | view in chronology ]
Judges, get your analogies straight!
You know, I'm actually kinda okay with ruling by analogy. But you've got to have the right analogy. They want to make the claim that unopened emails are like letters abandoned at the post office. But that's not the right comparison at all. I can't open mail that's at the post office, I can't see if I have letters lying around at the post office waiting for me, I can't see who they're from or what the title at the top of the letter is.
Unopened emails are more like the pile of unopened mail on my dinning table. Hell, what's the "bin" called where unopened mail sits in an email client: Inbox. Not POBox, not Mailbox; INBOX. Like those little trays you'd have on your desk at home or work.
[ link to this | view in chronology ]
what about CFAA?
What about use of the Computer Fraud and Abuse Act?
[ link to this | view in chronology ]
Re: what about CFAA?
The "computer" didn't commit fraud or abuse, although there was a certain amount of "schadenFRAUDE".
[ link to this | view in chronology ]