While many cases focus on electronic evidence available on employee laptops and behind corporate firewalls, massive volumes of electronic evidence can be found on the servers of companies that provide electronic processing and storage, including email services such as Gmail, Yahoo Mail and Hotmail (aka Outlook.com); websites such as Facebook, LinkedIn and Twitter; and cell phone service providers that store text messages, including Verizon, AT&T, Apple’s iMessenger and Blackberry’s Messenger.

These companies are subject to the Stored Communications Act[1], and the data they store is protected from disclosure by the SCA. Any attorney who is seeking the discovery of electronic evidence stored on these online, cloud-based services needs to understand some of the key elements of the SCA, and how they have been interpreted by the courts.

The Scope of the SCA

As explained by the Ninth Circuit in the landmark case Quon v. Arch Wireless:

Congress passed the Stored Communications Act in 1986 as part of the Electronic Communications Privacy Act. The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address. See Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1209-13 (2004). Generally, the SCA prevents "providers" of communication services from divulging private communications to certain entities and/or individuals.[2]

The SCA distinguishes between two types of providers: an electronic communication service (ECS) provider and a remote computing service (RCS) provider. “The SCA defines an ECS provider as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ 18 U.S.C. § 2510(15). With certain enumerated exceptions, it prohibits an ECS provider from ‘knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.’ Id., §§ 2702(a)(1), (b).”[3]

RCS providers are defined as those who provide to the public “computer storage and processing services by means of electronic communications systems.”[4] The SCA “in turn defines an electronic communications system (as opposed to an electronic communication service) as ‘[…] any computer facilities or related electronic equipment for the electronic storage of such communications,’ id., § 2510(14). The SCA prohibits an RCS provider from “knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service.’ Id., § 2702(a)(2).”[5]

In the practical sense, email, text messages and instant messages go through ECS providers, while RCS providers offer storage and processing services. While there might have been a greater distinction in 1986, all ECS providers are now essentially RCS providers as well. Yet there are some pure RCS providers, such as Dropbox and Amazon Web Services.

In the civil discovery context, a key consequence of this classification is that “[a]n RCS provider may divulge the contents of a communication with consent of the ‘subscriber,’ while an ECS provider may divulge the contents with the lawful consent of an addressee or intended recipient of such communication. 18 U.S.C. § 2702(b)(3).”[6]

The Contents of a Communication

For both ECS and RCS providers, “the contents of any communication” are protected. The question of what exactly constitutes the contents of a protected communication under the SCA was recently addressed in the matter of Optiver Australia Pty. Ltd. & Anor. v. Tibra Trading Pty. Ltd. & Ors, where the district court rejected the plaintiff’s request to order Google to run search terms against the body of emails belonging to the defendant and stored in Google’s Gmail service.[7]

The court similarly rejected the plaintiff’s request for an order to have Google provide a list of the email subject lines for the emails, concluding the subject lines of the emails were likewise substantive communications protected by the SCA. The court did, however, proceed to order Google to provide what it called “noncontent metadata” from the defendant’s emails, which included “‘the recipient(s), sender, date sent, date received, date read and date deleted of emails, email attachments, or Google Talk messages sent or received between Nov. 3, 2005, to Dec. 31, 2009, that were sent to or from’ the email addresses listed.”[8]

Server-Side v. Client-Side Discovery

Where information exists both online and on a personal device, information technologists use the terms “server-side” to refer to the online copy, and “local” or “client-side” to refer to the copy existing on a personal computer, smartphone, tablet or other device. As discussed above, the SCA prohibits a civil litigant from obtaining the server-side copy of the “contents of any communication” from an ECS or RCS provider. But the local or client side copy remains subject to direct discovery under standard civil discovery rules.

So while the SCA prohibits the courts from ordering Google or other service providers to produce anything substantive from emails or text messages for the purpose of civil discovery, courts have concluded that the scope of the SCA does not extend to local copies of electronic evidence. “‘Electronic storage’ as defined by § 2510(17) encompasses only that information that has been stored by an electronic communication service provider. This conclusion is evident from the plain language of subsection (B) and from the legislative history of subsection (A).”[9]

As such, courts have found that information stored not by “an electronic communication service provider," and instead stored on personal devices, such as personal computers, does not fall within the scope of the SCA.[10]

The same reasoning has been extended to personal cell phones. In the matter of Garcia v. City of Laredo out of the Fifth Circuit, the plaintiff, a former police dispatcher, brought action against the city, its police chief and other city officials after being terminated when the wife of the police officer removed the plaintiff’s cell phone from an unlocked locker and located text messages and images on the phone that were maintained in violation of the department’s rules and regulations.[11]

The plaintiff asserted that the search of her personal cell phone was in violation of the SCA. However, the U.S. Court of Appeals for the Fifth Circuit concluded that the plaintiff’s cell phone did not constitute “electronic storage” within the meaning of the SCA, and as such, the SCA was not applicable.[12]

Social Media and the SCA

The SCA was enacted in 1986, well before the proliferation of the World Wide Web and the advent of modern social media. We now have a world where communications sent through and stored on ECS or RCS providers may be viewable openly to the public at large, to a limited group, or just to one person in particular.

Many social media providers permit both public and private communications through their sites, such as Facebook’s private messages versus timeline postings (formerly known as “wall” postings), or Twitter’s direct messaging versus standard tweets. There may be content that is publicly accessible, while other content is subject to restricted access.

With that, a line of jurisprudence has developed in which the fundamental question lies as to whom the communication was directed, and was that communication made with the intent of keeping it private or restricted to intended recipients. Congress made it clear that publicly viewable communications were outside the scope of the SCA,[13] and courts have found that protection of a communication posted online requires the intent of the posting party to limit the recipients.[14]

In Crispin v. Christian Audigier Inc., the defendant served subpoenas to third-party social networking companies requesting user content. In assessing the enforceability of such requests, the court addressed whether private messaging services constituted electronic communication services and were protected under the SCA.[15]

The court in Crispin relied on “voluminous case law” establishing that companies providing email services are prohibited from sharing user content under the SCA. Social media private messaging services are akin to email, and the court concluded that Facebook, et al, are ECS providers.

The court further held that private messages were communications in electronic storage and fell under statutory protection. Thus, the SCA prohibits social media companies from disseminating the user content of private messages in civil litigation. In Crispin, however, a lack of evidentiary support left open the question of whether a user’s wall posting content is equally protected under the statute.

Server-Side Discovery Through Direct Subpoena

While the SCA may bar the enforcement of a subpoena issued — for example, as discussed above — to Google for the contents of a Gmail account, the SCA does not prohibit the enforcement of a subpoena issued directly to the owner of that same Gmail account, even if the email has never been downloaded to a local or client-side computer.

Once we move outside the realm of the protections afforded by the SCA to service providers, the recipient of a Federal Rule 34 request or a Federal Rule 45 subpoena has a duty to preserve and produce electronic documents in its “possession, custody or control.”[16] Accordingly, those who store their documents online but do not fall within the definition of an ECS or RCS provider are still required to comply with a valid discovery request and either download and produce the requested relevant documents, or provide the requesting party with access to inspect the responsive materials.[17]

Conclusion

Electronic evidence may be readily available in the vast online world and should not be ignored. But litigators must appropriately consider the limitations imposed on obtaining such information directly from online providers under the Stored Communications Act.

Law360 - July 11, 2013

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] The Stored Communications Act is codified at 18 U.S.C. §§ 2701-2712 (2012).

[2] Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir. 2008) rev'd and remanded sub nom. City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (U.S. 2010).

[3] Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 972 (C.D. Cal. 2010) (internal citations removed, emphasis added)

[4] 18 U.S.C. § 2711(2)

[5] Crispin, 717 F. Supp. 2d at 973 (emphasis added)

[6] Id. at FN.17.

[7] Optiver Australia Pty. Ltd. & Anor. v. Tibra Trading Pty. Ltd. & Ors, No. C 12-80242, 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)

[8] Id.

[9] Freedom Banc Mortgage Servs., Inc. v. O’Harra, No. 2:11-cv-01073, 2012 WL 3862209 at *8 (S.D. Ohio Sept. 5, 2012).

[10] Id.; see also, Hilderman v. Enea TekSci, Inc., 551 F. Supp. 2d 1183, 1204 (S.D. Cal. 2008); Council on American–Islamic Relations Action Network, Inc. v. Gaubatz, 793 F. Supp. 2d 311, 335 (D.D.C. 2011) (“the statute is clearly not triggered when a defendant merely accesses a physical client-side computer and limits his access to documents stored on the computer’s local hard drive or other physical media”)

[11] Garcia v. City of Laredo, 702 F.3d 788, 790 (5th Cir. 2012).

[12] Id.

[13] See, S. Rep. No. 99–541, at 36, 1986 U.S.C.C.A.N. 3555, 3590 (“The bill does not for example hinder the development or use of ‘electronic bulletin boards' or other similar services where the availability of information about the service, and the readily accessible nature of the service are widely known and the service does not require any special access code or warning to indicate that the information is private. To access a communication in such a public system is not a violation of the Act, since the general public has been ‘authorized’ to do so by the facility provider”)

[14] See, e.g., Snow v. DirecTV, Inc., 450 F.3d 1314, 1321 (11th Cir. 2006) (“Thus, the requirement that the electronic communication not be readily accessible by the general public is material and essential to recovery under the SCA.”); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002) (“The legislative history of the ECPA [which encompasses the SCA] suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards.”)

[15] Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010); see also Tompkins v. Detroit Metro. Airport, 278 F.R.D. 387 (E.D. Mich. 2012).

[16] Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217-18 (S.D.N.Y. 2003).

[17] See, e.g., In re White Tail Oilfield Servs., L.L.C., No. 11-0009, 2012 WL 4857777 (E.D. La. Oct. 11, 2012) (Petitioner obtains order compelling Defendant/Claimant to produce information from his Facebook page).