A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) Federal Appeals Court Reaffirms E-Mail Privacy Protections
(2) Narrow Decision Leaves Key Questions Unanswered
(3) Larger Privacy Questions Looming
Last week, on August 11, a federal appeals court reaffirmed the privacy protections accorded email by reversing a troubling ruling that would have prevented law enforcers from prosecuting an email service provider that allegedly intercepted its customers' email messages. In United States v. Councilman, the full First Circuit Court of Appeals overturned an earlier decision by a three judge panel that had held, unexpectedly, that an ISP could read and use its customer's emails if they were intercepted when the email was in intermediate storage before it had reached the customer's mailbox. The original Councilman decision, while relatively narrow and arguably not of great significance given industry and Justice Department practice, highlighted the now-outdated distinctions that the Electronic Communications Privacy Act (ECPA) draws between communications in transit and those in storage, between opened and unopened email, and between relatively new and older email.
The ruling is a small, but not inconsequential victory for privacy. It reaffirms that e-mail is subject to protection, both against government wiretapping without a warrant and against misuse by service providers, but it failed to answer some key questions and it left in place increasingly outdated aspects of the surveillance laws that are inadequate to protect privacy. Those issues will need to be resolved by Congress.
The case involved a small online bookseller that also offered its customers an email service. Without customer consent, and on an ongoing basis, the company copied emails to its customers from Amazon.com, read the contents, and used them for its own competitive purpose. The copying occurred just before the emails were placed into the recipients' mailboxes on the provider's server. The Justice Department prosecuted a senior official of the company (Mr. Councilman) for illegal interception of communications under the federal Wiretap Act, which both authorizes interception with a court order and criminalizes interception without such approval.
Last year, a three judge panel of the Court of Appeals ruled 2-1 that because the company was copying the email messages when they were very briefly stored (literally for a fraction of a second) on the company's computer before going into the recipients' mailboxes, Councilman did not violate the Wiretap Act's prohibition on intercepting email while it is "in transit." Since most digital transmissions are stored in RAM or on hard drives at each step along their path while computers process them and send them on their way, this view would have meant that all email could be accessed while in "storage," and most acquisitions of email would fall outside the strict rules of the Wiretap Act. This could have had significant privacy ramifications with regard to both law enforcement and ISP access to Internet communications, although, as a matter of policy, mainstream ISPs do not read and use the emails of their customers without permission and the DOJ took the view that access to communications while in intermediary storage of the kind at issue in the case was "interception."
Last week, a larger panel of the Court of Appeals, sitting "en banc," overturned the initial decision. The court held that the term "electronic communication" includes email in transient electronic storage that is intrinsic to the communication process, and hence that interception of an e-mail message in such storage is an offense under the Wiretap Act.
CDT and other privacy groups sided with the Justice Department in arguing that the first panel had misread the meaning of "intercept" and "storage" in the federal Wiretap Act and the Electronic Communications Privacy Act of 1986. Orin Kerr, a leading scholar on electronic surveillance issues and a former lawyer in the DOJ's computer crime section, wrote a friend of the court brief for CDT and other privacy groups urging reversal. Two other leading experts, Patricia Bellia and Peter Swire, filed a brief urging reversal on behalf of Sen. Patrick J. Leahy, a prime author of ECPA. The Electronic Privacy Information Center wrote a third brief. On the first page of its opinion, the en banc panel said, "We acknowledge with gratitude the assistance of amici curiae."
In many ways, the case is quite narrow. Much of its statutory interpretation turned on a provision that was repealed after Councilman was indicted.
Moreover, the decision left some crucial issues unanswered. Surveillance statutes draw a distinction between real-time interception (covered by the Wiretap Act) and access to communications in storage (covered by the Stored Communications Act provisions of ECPA), offering lower protection to the latter. (Both real-time interception and access to relatively new unopened email require a court order based on the Fourth Amendment standard of probable cause, but interception under the Wiretap Act carries additional limits and protections.)
In essence, the Court held that there is an overlap between the Wiretap Act and the Stored Communications Act (p. 33). While the latter covers electronic communications in "electronic storage," and while "electronic storage" is defined as "any temporary, intermediate storage...incidental to... electronic transmission," the court held that communications in certain kinds of electronic storage are also covered by the Wiretap Act, making it possible to indict someone under the Wiretap Act for accessing communications that are in temporary, intermediate storage (and, by implication, requiring a Wiretap Act order to access such communications).
While the new Appeals Court decision makes it clear that an email is covered by the more stringent procedures of the Wiretap Act for the entire period before it comes to rest on the computer of the service provider -- and holds that Councilman was "intercepting" the email before it reached such a point -- it does not actually decide when a communication ceases to be covered by the Wiretap Act. The Court expressly noted that it was not deciding "whether the term "intercept" applies only to acquisitions that occur contemporaneously with the transmission of a message from sender to recipient or, instead, extends to an event that occurs after a message has crossed the finish line of transmission (whatever that point may be)" (p. 28). Among the unanswered questions: Does the distinction turn on whether there is a definable "in-box" on the service provider's computer? How does the transition to Web-based email affect this? Clearly, an opened (i.e., "read") email is no longer covered by the Wiretap Act. Does the act of logging onto an email website move those emails out from the coverage of the Wiretap Act and solely under the Stored Communications Act? Or does that happen at an earlier period? The view of the Justice Department is almost certainly that the transition occurs at an earlier stage, but where and when it occurs is not entirely clear.
Reversal opinion: http://www.ca1.uscourts.gov/pdf.opinions/03-1383EB-01A.pdf
CDT amicus brief: (Sept 2004) http://www.cdt.org/wiretap/20040902cdt.pdf
The decision in essence restores the law to what most had assumed it meant: unauthorized access to email before it arrives in the customer's in-box is an interception covered by the Wiretap Act. The facts of the case itself were quite unusual, and probably unique. CDT has found no other instance of a service provider reading and using its customers' email without their permission.
However, the decision leaves the gap in the law that allows ISPs to read and use (but not disclose) their customers' emails *after* they have reached the customers' mailbox. Again, no ISP is known to engage in this conduct and most expressly disavow it. Nevertheless, CDT believes that ECPA should be amended to reflect this norm and preclude any outlying activity. In our view, ISPs should only be allowed to read and use their customers' email when necessary to protect the ISPs' rights or enforce the terms of service, or with prior informed consent, which is the rule that has always been applicable to voice communications.
Most importantly, however, the decision also leaves in place much larger issues with ECPA. For example, in terms of government surveillance, the law gives greater protection to email in transit (however that is defined) than it does to the email once it comes to rest in a user's in-box at a service provider. Councilman did not change this (although it did muddy the distinction). Nor did Councilman address the fact that, under ECPA, the protection accorded email gets even weaker the longer it stays in the user's in-box: email more than 180 days old is more easily accessible to the government than newer email, something most users are unaware of.
The importance of these issues is heightened by the emergence of Voice over Internet Protocol (VoIP), which will make it easier and much more common to store voice communications. To complicate matters, the DOJ contends that even new email loses protection when it is opened (i.e., read). The Councilman decision referenced a Ninth Circuit opinion (in the Theofel case) rejecting the DOJ position and holding that opened and unopened email is entitled to the same higher level of protection, but the First Circuit did not address the issue one way or the other. CDT believes ECPA should be amended to eliminate these now outdated distinctions and require at least a warrant based on probable cause for access to all stored email, regardless of how old it is and regardless of whether it is opened or not.