A Hurdle To Obtaining Electronic Evidence

by Zelle LLP
Contact

While many cases focus on electronic evidence available on employee laptops and behind corporate firewalls, massive volumes of electronic evidence can be found on the servers of companies that provide electronic processing and storage, including email services such as Gmail, Yahoo Mail and Hotmail (aka Outlook.com); websites such as Facebook, LinkedIn and Twitter; and cell phone service providers that store text messages, including Verizon, AT&T, Apple’s iMessenger and Blackberry’s Messenger.

These companies are subject to the Stored Communications Act[1], and the data they store is protected from disclosure by the SCA. Any attorney who is seeking the discovery of electronic evidence stored on these online, cloud-based services needs to understand some of the key elements of the SCA, and how they have been interpreted by the courts.

The Scope of the SCA

As explained by the Ninth Circuit in the landmark case Quon v. Arch Wireless:

Congress passed the Stored Communications Act in 1986 as part of the Electronic Communications Privacy Act. The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address. See Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1209-13 (2004). Generally, the SCA prevents "providers" of communication services from divulging private communications to certain entities and/or individuals.[2]

The SCA distinguishes between two types of providers: an electronic communication service (ECS) provider and a remote computing service (RCS) provider. “The SCA defines an ECS provider as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ 18 U.S.C. § 2510(15). With certain enumerated exceptions, it prohibits an ECS provider from ‘knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.’ Id., §§ 2702(a)(1), (b).”[3]

RCS providers are defined as those who provide to the public “computer storage and processing services by means of electronic communications systems.”[4] The SCA “in turn defines an electronic communications system (as opposed to an electronic communication service) as ‘[…] any computer facilities or related electronic equipment for the electronic storage of such communications,’ id., § 2510(14). The SCA prohibits an RCS provider from “knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service.’ Id., § 2702(a)(2).”[5]

In the practical sense, email, text messages and instant messages go through ECS providers, while RCS providers offer storage and processing services. While there might have been a greater distinction in 1986, all ECS providers are now essentially RCS providers as well. Yet there are some pure RCS providers, such as Dropbox and Amazon Web Services.

In the civil discovery context, a key consequence of this classification is that “[a]n RCS provider may divulge the contents of a communication with consent of the ‘subscriber,’ while an ECS provider may divulge the contents with the lawful consent of an addressee or intended recipient of such communication. 18 U.S.C. § 2702(b)(3).”[6]

The Contents of a Communication

For both ECS and RCS providers, “the contents of any communication” are protected. The question of what exactly constitutes the contents of a protected communication under the SCA was recently addressed in the matter of Optiver Australia Pty. Ltd. & Anor. v. Tibra Trading Pty. Ltd. & Ors, where the district court rejected the plaintiff’s request to order Google to run search terms against the body of emails belonging to the defendant and stored in Google’s Gmail service.[7]

The court similarly rejected the plaintiff’s request for an order to have Google provide a list of the email subject lines for the emails, concluding the subject lines of the emails were likewise substantive communications protected by the SCA. The court did, however, proceed to order Google to provide what it called “noncontent metadata” from the defendant’s emails, which included “‘the recipient(s), sender, date sent, date received, date read and date deleted of emails, email attachments, or Google Talk messages sent or received between Nov. 3, 2005, to Dec. 31, 2009, that were sent to or from’ the email addresses listed.”[8]

Server-Side v. Client-Side Discovery

Where information exists both online and on a personal device, information technologists use the terms “server-side” to refer to the online copy, and “local” or “client-side” to refer to the copy existing on a personal computer, smartphone, tablet or other device. As discussed above, the SCA prohibits a civil litigant from obtaining the server-side copy of the “contents of any communication” from an ECS or RCS provider. But the local or client side copy remains subject to direct discovery under standard civil discovery rules.

So while the SCA prohibits the courts from ordering Google or other service providers to produce anything substantive from emails or text messages for the purpose of civil discovery, courts have concluded that the scope of the SCA does not extend to local copies of electronic evidence. “‘Electronic storage’ as defined by § 2510(17) encompasses only that information that has been stored by an electronic communication service provider. This conclusion is evident from the plain language of subsection (B) and from the legislative history of subsection (A).”[9]

As such, courts have found that information stored not by “an electronic communication service provider," and instead stored on personal devices, such as personal computers, does not fall within the scope of the SCA.[10]

The same reasoning has been extended to personal cell phones. In the matter of Garcia v. City of Laredo out of the Fifth Circuit, the plaintiff, a former police dispatcher, brought action against the city, its police chief and other city officials after being terminated when the wife of the police officer removed the plaintiff’s cell phone from an unlocked locker and located text messages and images on the phone that were maintained in violation of the department’s rules and regulations.[11]

The plaintiff asserted that the search of her personal cell phone was in violation of the SCA. However, the U.S. Court of Appeals for the Fifth Circuit concluded that the plaintiff’s cell phone did not constitute “electronic storage” within the meaning of the SCA, and as such, the SCA was not applicable.[12]

Social Media and the SCA

The SCA was enacted in 1986, well before the proliferation of the World Wide Web and the advent of modern social media. We now have a world where communications sent through and stored on ECS or RCS providers may be viewable openly to the public at large, to a limited group, or just to one person in particular.

Many social media providers permit both public and private communications through their sites, such as Facebook’s private messages versus timeline postings (formerly known as “wall” postings), or Twitter’s direct messaging versus standard tweets. There may be content that is publicly accessible, while other content is subject to restricted access.

With that, a line of jurisprudence has developed in which the fundamental question lies as to whom the communication was directed, and was that communication made with the intent of keeping it private or restricted to intended recipients. Congress made it clear that publicly viewable communications were outside the scope of the SCA,[13] and courts have found that protection of a communication posted online requires the intent of the posting party to limit the recipients.[14]

In Crispin v. Christian Audigier Inc., the defendant served subpoenas to third-party social networking companies requesting user content. In assessing the enforceability of such requests, the court addressed whether private messaging services constituted electronic communication services and were protected under the SCA.[15]

The court in Crispin relied on “voluminous case law” establishing that companies providing email services are prohibited from sharing user content under the SCA. Social media private messaging services are akin to email, and the court concluded that Facebook, et al, are ECS providers.

The court further held that private messages were communications in electronic storage and fell under statutory protection. Thus, the SCA prohibits social media companies from disseminating the user content of private messages in civil litigation. In Crispin, however, a lack of evidentiary support left open the question of whether a user’s wall posting content is equally protected under the statute.

Server-Side Discovery Through Direct Subpoena

While the SCA may bar the enforcement of a subpoena issued — for example, as discussed above — to Google for the contents of a Gmail account, the SCA does not prohibit the enforcement of a subpoena issued directly to the owner of that same Gmail account, even if the email has never been downloaded to a local or client-side computer.

Once we move outside the realm of the protections afforded by the SCA to service providers, the recipient of a Federal Rule 34 request or a Federal Rule 45 subpoena has a duty to preserve and produce electronic documents in its “possession, custody or control.”[16] Accordingly, those who store their documents online but do not fall within the definition of an ECS or RCS provider are still required to comply with a valid discovery request and either download and produce the requested relevant documents, or provide the requesting party with access to inspect the responsive materials.[17]

Conclusion

Electronic evidence may be readily available in the vast online world and should not be ignored. But litigators must appropriately consider the limitations imposed on obtaining such information directly from online providers under the Stored Communications Act.

Law360 - July 11, 2013

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] The Stored Communications Act is codified at 18 U.S.C. §§ 2701-2712 (2012).

[2] Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir. 2008) rev'd and remanded sub nom. City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (U.S. 2010).

[3] Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 972 (C.D. Cal. 2010) (internal citations removed, emphasis added)

[4] 18 U.S.C. § 2711(2)

[5] Crispin, 717 F. Supp. 2d at 973 (emphasis added)

[6] Id. at FN.17.

[7] Optiver Australia Pty. Ltd. & Anor. v. Tibra Trading Pty. Ltd. & Ors, No. C 12-80242, 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)

[8] Id.

[9] Freedom Banc Mortgage Servs., Inc. v. O’Harra, No. 2:11-cv-01073, 2012 WL 3862209 at *8 (S.D. Ohio Sept. 5, 2012).

[10] Id.; see also, Hilderman v. Enea TekSci, Inc., 551 F. Supp. 2d 1183, 1204 (S.D. Cal. 2008); Council on American–Islamic Relations Action Network, Inc. v. Gaubatz, 793 F. Supp. 2d 311, 335 (D.D.C. 2011) (“the statute is clearly not triggered when a defendant merely accesses a physical client-side computer and limits his access to documents stored on the computer’s local hard drive or other physical media”)

[11] Garcia v. City of Laredo, 702 F.3d 788, 790 (5th Cir. 2012).

[12] Id.

[13] See, S. Rep. No. 99–541, at 36, 1986 U.S.C.C.A.N. 3555, 3590 (“The bill does not for example hinder the development or use of ‘electronic bulletin boards' or other similar services where the availability of information about the service, and the readily accessible nature of the service are widely known and the service does not require any special access code or warning to indicate that the information is private. To access a communication in such a public system is not a violation of the Act, since the general public has been ‘authorized’ to do so by the facility provider”)

[14] See, e.g., Snow v. DirecTV, Inc., 450 F.3d 1314, 1321 (11th Cir. 2006) (“Thus, the requirement that the electronic communication not be readily accessible by the general public is material and essential to recovery under the SCA.”); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002) (“The legislative history of the ECPA [which encompasses the SCA] suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards.”)

[15] Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010); see also Tompkins v. Detroit Metro. Airport, 278 F.R.D. 387 (E.D. Mich. 2012).

[16] Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217-18 (S.D.N.Y. 2003).

[17] See, e.g., In re White Tail Oilfield Servs., L.L.C., No. 11-0009, 2012 WL 4857777 (E.D. La. Oct. 11, 2012) (Petitioner obtains order compelling Defendant/Claimant to produce information from his Facebook page).

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Zelle LLP | Attorney Advertising

Written by:

Zelle  LLP
Contact
more
less

Zelle LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!