20121015

Reading someone's Gmail doesn't violate federal statute, court finds

SC court says Gmail not "electronic storage" by Stored Communications Act.

by Cyrus Farivar

In a case decided on Wednesday, the South Carolina Supreme Court ruled that accessing someone’s online e-mail without their permission doesn’t violate the 1986-era Stored Communications Act (SCA). Though they differed in their reasoning, the justices were unanimous in ruling that e-mail stored in the cloud (like Gmail or Yahoo Mail) does not meet the definition of electronic storage as written in the statute.

This new decision creates a split with existing case law (Theofel v. Farey-Jones) as decided in a 2004 case decided by the Ninth Circuit Court of Appeals. That decision found that an e-mail message that was received, read, and left on a server (rather than being deleted) did constitute storage "for purposes of backup protection," and therefore was also defined as being kept in "electronic storage."

Legal scholars point to this judicial split as yet another reason why the Supreme Court (and/or Congress) should take up the issue of the Stored Communications Act.

"This [South Carolina] decision is more evidence of how intractable and inconsistent our statutory electronic surveillance regime has become," Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University, told Ars.

"All of the discussions regarding backups, temporary copies, and the read/unread distinction seem to have very little to do with the way that most people perceive their use of e-mail. Ultimately, this problem is likely best resolved by the legislature, but the specifics of a politically palatable update to the SCA have yet to be fully agreed upon."

Hertzog pointed out though, that in a case like this, there could still be federal liability under the Computer Fraud and Abuse Act.

Under the SCA, cops can go after anyone’s e-mail so long as its deemed to be "relevant to an investigation," which is a low legal threshold. The logic, at the time, was that prior to webmail with large amounts of online storage, everyone had to download their e-mail—so, if you hadn’t bothered to actually download your e-mail, it was deemed to have been effectively abandoned.

A tale of love, gone awry

The case here, known as Jennings v. Jennings (PDF), involves a woman (Gail Jennings) who suspected her husband (Lee Jennings) was cheating on her. The wife’s daughter-in-law (Holly Broome) managed to access Lee’s e-mail by correctly guessing his security questions, and got a hold of messages between him and his paramour. Broome shared those messages with Gail’s divorce attorney, and her private investigator that she had hired for the purpose of advancing her own divorce case.

Lee Jennings sued his wife, her attorney, and her investigator, under several laws, including the Stored Communications Act, which only allows for a civil suit if the e-mails that were accessed without authorization were in "electronic storage."

The district court granted summary judgment in favor of the defendants on all claims—a decision that was then overturned on appeal. The Supreme Court of South Carolina has now reversed that decision, albeit for varying reasons.

What exactly is "electronic storage" ?

The United States Code defines "electronic storage" under the SCA as:

"(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication."

Because the definition of "electronic storage" has two components, the storage clause (A), and a purpose clause (B), Justices Hearn and Kittredge found that because Jennings had no other copies of his e-mail (they only existed through the Yahoo e-mail online interface), they could not have possibly been a backup.

"We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act," the two judges wrote.

"The ordinary meaning of the word ‘backup’ is ‘one that serves as a substitute or support.’ Thus, Congress's use of ‘backup’ necessarily presupposes the existence of another copy to which this e-mail would serve as a substitute or support. We see no reason to deviate from the plain, everyday meaning of the word "backup," and conclude that as the single copy of the communication, Jennings' e-mails could not have been stored for backup protection.”

Chief Justice Jean Hoefer Toal, with Justice Donald Beatty concurring, ruled that the e-mails here are not a backup, because they were not created by the ISP for the purpose of actually creating a duplicate file.

"In my view, electronic storage refers only to temporary storage, made in the course of transmission, by an ECS provider, and to backups of such intermediate communications," Justice Toal wrote. "Under this interpretation, if an e-mail has been received by a recipient's service provider but has not yet been opened by the recipient, it is in electronic storage."

The fifth justice, Costa Pleicones, agreed in his opinion. However, he articulated a distinct definition between the relationships of the two clauses in question here.

"I view these two types of storage as necessarily distinct from one another: one is temporary and incidental to transmission; the other is a secondary copy created for backup purposes by the service provider," he wrote.

"Therefore, an e-mail is protected if it falls under the definition of either subsection (A) or (B). It does not end the inquiry to find that the e-mails at issue were not in temporary storage during the course of transmission (subsection (A)). Accordingly, because the e-mails in this case were also not copies made by Jennings’s service provider for purposes of backup (subsection (B)), they were not protected by the SCA. I therefore concur in result."

No clear judicial standard

While this case deals with a fairly narrow subsection of the SCA—what constitutes electronic storage—it’s yet another example that the Stored Communications Act needs more judicial review at the very least, and possibly an entire overhaul.

"This is an issue that really calls out for US Supreme Court review," writes Orin Kerr, a privacy expert and professor of law at George Washington University.

"Internet providers often have a national customer base. A provider in one state or circuit can have millions of customers in any other state or circuit. Given the national customer base, any disagreement among lower courts causes major headaches: ISPs don’t know which rule to follow. Making matters even more worrisome, it’s not at all clear whether the legal standard should be based on where the litigation arises or where the ISP is located. United States v. Weaver, 636 F. Supp. 2d 768 (C.D. Ill. 2009), nicely raised the problem: If the rights concerning records held by an ISP in California are litigated in Illinois, Weaver held, the Illinois court is not bound by the interpretation of the Ninth Circuit. Under that approach, the privacy protection varies based on where the litigation arises, which can be almost anywhere. That kind of dynamic creates a strong need for a uniform reading of the statute."

No comments: