A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Email Privacy Protection Called into Question by Federal Appeals Court Decision
(2) Loophole for Law Enforcement Access to Internet Communications
(3) ISPs Can Access Email in Transit Without Violating Wiretap Act
(4) Legislative Fixes Being Considered
A recent court decision has revealed a significant gap in email privacy protection. The U.S. Court of Appeals for the First Circuit ruled in United States v. Councilman that an email provider does not violate federal wiretap laws when it opens emails to its customers and uses them for its own competitive business purposes. Although the decision applies only in a few New England states, its interpretation of Internet privacy laws if more broadly accepted would weaken protections for real-time communications over the Internet.
Current law provides different legal standards for access to communications while they are in transit and while they are in storage. Real-time access to communications in transit is subject to the strict procedures of the federal Wiretap Act (also called "Title III"). The Stored Communications Act provides less stringent standards for obtaining access to stored emails. Councilman essentially moved Internet communications from the more stringent requirements of Title III to the less stringent protection of the Stored Communications Act.
In Councilman, the email provider was copying customer emails on an ongoing basis just before they were placed into the recipients' mailboxes on the provider's server. The court found that because the email messages were very briefly stored (literally for milliseconds) on the ISP's computer before going into the recipients' mailboxes, the ISP did not violate the Wiretap Act's prohibition on intercepting email while it is in transit.
Since digital transmissions are stored in RAM or on hard drives at each step along their path while computers process them and send them on their way, all email could be accessed while in "storage," and most acquisitions of email would fall outside the strict rules of Title III. This has significant privacy ramifications with regard to both law enforcement and ISP access to Internet communications.
The First Circuit's interpretation creates a potential loophole for law enforcement agents to intercept email or other Internet-based communications in real time without abiding by the strict requirements of Title III. Because ongoing interception of communications is uniquely intrusive, Title III prohibits real-time interception of voice or email communications in transit without a wiretap order and other procedural safeguards. The Councilman decision undermines that requirement. Instead, access to email that is essentially real-time would be subject to the lower standards of the Stored Communications Act, which sometimes require a search warrant for government access and sometimes permit government access with a mere subpoena - meaning there is no court approval at all.
With a search warrant or subpoena, the government is only supposed to get whatever the service provider has in storage at the time the order is executed. Even the Department of Justice has always assumed that ongoing access to Internet communications requires a wiretap order under Title III. The Councilman decision calls that interpretation into question.
In addition to the question of government access, the Councilman decision has highlighted a weakness in the privacy duties of ISPs. Councilman did not change the law in this regard, but it pointed out that while email is in storage with an ISP, an ISP can read and use that email, without notice or consent, for its own business purposes. ISPs have legitimate reasons for reviewing email, such as protecting the security of their networks, but the law also allows an ISP to use a customer's email for its own purposes unrelated to providing Internet service and without notifying the customer.
This is clearly inconsistent with the spirit and intent of the electronic privacy laws, clearly incompatible with the expectations of users, and clearly at odds with industry norms as reflected in the privacy policies of major ISPs. In the Electronic Communications Privacy Act of 1986, which amended Title III and created the Stored Communications Act, Congress intended to provide privacy protection to email that is roughly comparable to that afforded telephone calls and postal mail.
It is now clear that there is an unintended loophole in the law. ISPs should only be allowed to read and use their customers' email when necessary to protect the ISPs' rights or enforce the terms of service, or with prior informed consent. Councilman did not significantly change the rules for ISPs, but it highlighted a major loophole in our privacy laws, which essentially permit ISPs to access and use, and in some cases even disclose to others, their customers' stored email.
Congressional action to address both aspects of the Councilman decision has already begun. A bipartisan group of Members of Congress introduced a House bill, the E-mail Privacy Act of 2004 (H.R. 4956), which would amend both Title III and the Stored Communications Act. The bill, sponsored by Rep. Jay Inslee (D-WA) and cosponsored by Rep. Jeff Flake (R-AZ), Rep. Roscoe Bartlett (R-MD), and Rep. William Delahunt (D-MA), would both ensure that law enforcement officials have to obtain a wiretap order in order to engage in real-time acquisition of Internet communications, and that ISPs cannot read and use their customers' email except where necessary to provide service or with consent. A second bill, H.R. 4977, sponsored by Rep. Jerrold Nadler (D-NY), addresses the same issues.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.13.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 10.13 Copyright 2004 Center for Democracy and Technology
