Are Changes in Store for the Stored Communications Act?

by Latham & Watkins LLP
Contact

Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.

What is the Stored Communications Act?

The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.

Email Privacy Act

On April 13, 2016, a bill to reform the SCA, titled the Email Privacy Act, H.R. 699, was unanimously voted out of the House Judiciary Committee. The bill was originally introduced in December 2013 and again last year, but, despite having widespread support, never previously garnered a hearing. With last week’s vote, it is now headed for full consideration by the House.

The Email Privacy Act would amend the SCA so as to always require law enforcement to obtain a search warrant in order to compel a provider to disclose the contents of an online account. By contrast, the SCA in its current form requires a warrant only in limited circumstances – where law enforcement seeks content that (a) has been stored with the provider for less than 180 days and (b) has not yet been “received” by the user (e.g., unopened emails). All other content, i.e., any messages that are older than 180 days or that have already been opened by the user, may be obtained under the SCA with a mere subpoena – which, unlike a warrant, may be issued by the government without prior judicial approval and without probable cause.

What’s the rationale for the lines drawn by the statute? They may seem arbitrary now, but when the SCA was originally enacted in 1986, users typically downloaded emails onto their local machines after opening them, rather than storing them indefinitely with third-party providers. Thus, at the time, Congress viewed emails that a user chose to store with a provider as “back-up copies,” akin to business records placed in storage. For that reason, it did not consider them entitled to the same level of Fourth Amendment protection as unopened emails held for a shorter time period, which Congress analogized to letters still in transit.

On its face, the extension of the SCA’s warrant requirement to all stored electronic content would seem to be a momentous change, but in actuality it would simply track current practice. Ever since the Sixth Circuit’s 2010 decision in United States v. Warshak, which held that email accounts maintained by third-party service providers are protected by the Fourth Amendment, Department of Justice policy has been for federal law enforcement authorities to obtain a warrant before seeking any email content from service providers – even in situations where the SCA would allow the content to be obtained only with a subpoena. By the same token, the Warshak decision prompted many service providers to refuse to provide email content absent a search warrant, and state and local officials have typically respected this stance rather than attempting to compel production based on a subpoena. So, as a practical matter, the Email Privacy Act would not substantially increase email privacy; it would essentially codify, rather than modify, the status quo.

Notably, the initial version of the Email Privacy Act included a more consequential – and controversial – provision, which would have required law enforcement to notify users when they were subjected to search under the SCA. Specifically, the provision would have required law enforcement to the notify the holder of an online account within 10 business days after obtaining the account contents pursuant to an SCA warrant. That requirement would have significantly departed from the SCA as it currently stands, which specifically states that the government need not provide such notice to an affected user. However, the proposed notice provision was dropped from the version of the bill voted out of the House Judiciary Committee last week, as part of a compromise struck between the bill’s sponsor and the committee chairman.

Microsoft Lawsuit

Enter the Microsoft lawsuit, which seeks to expand user notification under the SCA in a different way. Not only does the SCA currently permit law enforcement to obtain the contents of an account without notifying the user, it also authorizes law enforcement to get a judicial order barring the provider from notifying the user. The SCA requires a judge to issue such a non-disclosure order whenever there is “reason to believe” that notifying the user would result in destruction of evidence, flight from prosecution, or other consequences that would seriously jeopardize the underlying investigation.

On April 14, 2016, Microsoft sued the Department of Justice in federal district court in Seattle, challenging the SCA’s non-disclosure provision as facially unconstitutional, on both Fourth Amendment and First Amendment grounds. The essence of Microsoft’s argument is that the user of an online account is entitled to know when the government has obtained its contents just as much as a homeowner is entitled to know when the government has searched their house. “People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft asserts; and any deviation from the right to be notified if one’s information is searched, the argument continues, must be narrowly tailored to serve compelling interests.  Microsoft’s complaint contends that the SCA’s non-disclosure provision is overly broad in two respects: first, nothing in the provision requires the requisite “reason to believe” to be grounded in specific facts of the investigation (as opposed to generalized law enforcement concerns); and second, the provision contains no time limit and is being used to obtain orders of lengthy or indefinite duration.

Microsoft’s broad attack on the SCA’s non-disclosure provision, if successful, could force considerable changes in the way that law enforcement uses electronic search warrants in criminal investigations. The SCA’s non-disclosure provision currently enables law enforcement to use SCA warrants as covert investigative tools, to gather information about investigative targets without tipping them off to the fact that they are under investigation. Indeed, as Microsoft alleges in its complaint, law enforcement agencies routinely seek non-disclosure orders when they obtain SCA warrants, and those orders often last for lengthy periods of time while the investigation continues. In this respect, SCA warrants differ from physical search warrants, which are almost always used as overt investigative tools. When law enforcement searches a target’s home, for example, it is not done in secret; the occupant of the property must be promptly notified. So-called “sneak and peak” searches, executed without notice, are the rare exception. For this reason, physical search warrants are often reserved for the late stages of an investigation when the target of the search is already aware of the investigation or when the arrest of the target can be executed simultaneously with the search.

If prompt notification to targets becomes the norm for SCA warrants just as it is in the context of physical search warrants, law enforcement authorities are likely to scale back their reliance on SCA warrants, reserving them, like physical search warrants, for situations where an investigation is overt rather than covert. That, of course, would be a welcome development for service providers seeking to limit government access to their data and to provide greater transparency to their customers. But expect the Department of Justice to argue that law enforcement cannot follow digital trails effectively if it has to knock and announce every step of the way.

In any event, the Microsoft lawsuit will test just how far the courts will go in analogizing electronic searches to physical searches, and how far they will extend to online accounts the same protections that apply to the home. The case could have potentially far-reaching implications for law enforcement agencies and online service providers alike.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Contact
more
less

Latham & Watkins LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.