Appeals Court: Stored Communications Act Privacy Protections Cover Opened And Read Emails

Email

from the shouldn't-have-needed-to-be-said,-but-at-least-it-was-said-forcefully dept

The Fourth Circuit Court of Appeals has handed down an important decision [PDF] bolstering privacy protections for stored email. As we’re painfully aware, unopened email older than 180 days is granted zero privacy protections, treated like unopened snail mail left at the post office. Opened email, on the other hand, would seem to carry an expectation of privacy, but a district court ruling came to exactly the opposite conclusion, prompting this appeal.

A lawsuit involving a pair of affairs and one party’s decision to read someone else’s emails surfaced a question not often posed without a government party involved. Here’s the court’s summary of the convoluted backstory that led to accusations of federal law violations:

From August 2011 to February 2015, [Patrick] Hately had an intimate relationship with Nicole Torrenzano (“Nicole”), with whom Hately has two children. During their relationship, Hately and Nicole shared login and password information for their email accounts—including Hately’s Blue Ridge College email account. But when, about March 2015, Nicole informed Hately that she also was involved in an intimate relationship with [Dr. David] Watts, who was her co-worker and married to Audrey Hallinan Watts (“Audrey”), Hately and Nicole separated.

Pertinent to this action, Hately did not change the password that he shared with Nicole for his Blue Ridge College email account. Watts and Nicole continued their personal relationship, and during the fall of 2015, Watts and Audrey initiated divorce proceedings. In an effort to help Watts in his divorce proceedings, Nicole told Watts that Hately and Audrey were having an affair. Nicole said she knew of emails between Hately and Audrey that Watts could obtain by using the password that she had to Hately’s Blue Ridge College email account.

This certainly doesn’t make what Watts did OK, but he seemed to feel it at least made his actions legal.

Watts stated that he used the password Nicole gave him to browse through Hately’s emails but contended that he “did not open or view any email that was unopened, marked as unread, previously deleted, or in the [student email account]’s ‘trash’ folder.”

This bizarre defense of invading someone else’s privacy convinced the lower court that Watts’ actions were legally in the clear, even if they were clearly morally wrong. It dismissed his Stored Communications Act claims against Watts, stating that the SCA did not protect opened email. According to the lower court, the only email protected by the SCA is email still in transit. Once it’s been downloaded and opened, it’s apparently cool for other people to access and read, even if it’s not their email account.

With this bizarre take, the lower court basically stated spam email routed directly to the trash has more privacy protections than direct communications between living, breathing persons. The appeals court points out this interpretation is off base by a long distance. A lengthy discussion of the SCA and Congressional intent — along with a revival of Hately’s state law claims — takes up a great deal of the opinion’s 55 pages.

Dr. Watts — the email interloper — argued the SCA did not protect these communications because the Blue Ridge College email server was not an “electronic communication service,” but rather a “remote computing device.” This argument hinged on the email system’s construction, which used Google’s services for transmitting and storing email. But the university also stored a copy of all Blue Ridge email on its own servers as a backup for users. This crucial fact restores the expectation of privacy, according to the appeals court, which points out Blue Ridge’s backup server actually makes it both.

The district court’s reasoning rests on the premise that, for purposes of the emails in question, Blue Ridge College’s email service could not simultaneously function as both an electronic communication service and a remote computing service. But nothing in the plain language of the definitions of electronic communication service and remote computing service precludes an entity from simultaneously functioning as both.

There is no logical or technological obstacle to an entity “provid[ing] to users thereof the ability to send or receive wire or electronic communications”—i.e., functioning as an electronic communication service—while, and as part of the same service, “provi[ding] the public [with] computer storage or processing services by means of an electronic communications system”—i.e., functioning as a remote computing service. And the relevant legislative history expressly contemplates as much, stating that “remote computing services may also provide electronic communication services.” S. Rep. No. 99-541, at 14; see also H.R. Rep. No. 99-647, at 64 (“[T]o the extent that a remote computing service is provided through an Electronic Communication Service, then such service is also protected [under Section 2701(a)].”).

As the appeals court notes, it makes no sense to suggest email users consider opened email worthy of less protection than others they’ve sent directly to the trash without reading. Servers like the one used by Blue Ridge to back up the Google-based email system are the end result of users’ desires. Users want to store emails for later reading or use. And Congress — even with its horribly-outdated Stored Communications Act — recognized the privacy inherent to these personal communications. This covers delivered and opened email, no matter where the original or its backup resides.

To read the law otherwise is to upend the personal nature of email communications, allowing almost anyone to access anyone else’s email without permission and face zero consequences (at least under federal law) for doing so.

The district court’s construction of Subsection (B)—that previously delivered and opened emails stored by a web-based email service are not in “electronic storage” and therefore not actionable under Section 2701(a)(1)—would materially undermine these objectives. Potential users of web-based-email services—like Blue Ridge College’s email service—would be deterred from using such services, knowing that unauthorized individuals and entities could access many, if not most, of the users’ most sensitive emails without running afoul of federal law. Likewise, without the prospect of liability under federal law, unauthorized entities will face minimal adverse consequences for accessing, and using for their own benefit, communications to which they are not a party. The legislative history establishes that Congress did not intend such a result.

The district court’s interpretation of Subsection (B)—which would protect only unread emails stored in by web-based email service—also leads to an arbitrary and untenable “gap” in the legal protection of electronic communications.

Back the case goes to the lower court, reversed and remanded with instructions to reach a less illogical conclusion. And in doing so, the appeals court sets an important precedent that clarifies what the SCA actually covers.

Filed Under: 4th circuit, ecpa, emails, privacy, stored communications act