Kristopher Nelson
April 22, 2007
In Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002), the Ninth Circuit wrote, "The legislative history of the ECPA suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards."
In general, the status of "electronic communication services"--such as providers of electronic mail where the data stays on the server for only a limited amount of time--is more defined than that of "remote computing services." Although the advent of Google and other Web-based application providers has made remote computing services into key players today, they occupied a relatively minor role since the passage of ECPA. In addition, it appears that Congress did not envision customers leaving sensitive data in storage--either with electronic communication services or with remote computing services--for any length of time, and therefore did not think to extend much legal protection to such stored communications.
[T]he term "remote computing service" is defined in the ECPA as "the provision to the public of computer storage or processing services by means of an electronic communication system." 18 U.S.C. § 2711(2). The statute's legislative history explains that such services exist to provide sophisticated and convenient data processing services to subscribers and customers, such as hospitals and banks, from remote facilities. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3564. By supplying the necessary equipment, remote computing services alleviate the need for users of computer technology to process data in-house. Id. Customers or subscribers may enter into time-sharing arrangements with the remote computing service, or data processing may be accomplished by the service provider on the basis of information supplied by the subscriber or customer.
An electronic bulletin board is an example of a "remote computing service" under 18 U.S.C. § 2711(2). Steve Jackson Games v. United States Secret Serv., 816 F. Supp. 432, 443 (W. Dist. Tex. 1993).
To be protected as a "remote computing service," the provider must be open to the "public," and not, for example, restricted to employees of a particular corporation. See 18 U.S.C. § 2711(2). See also Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting "providing . . . to the public" under 18 U.S.C. § 2702 to exclude a corporate e-mail system that was made available to employees and a contractor but not to "any member of the community at large").
Electronic bulletin boards also fall within the realm of "electronic communication services." See Kaufman v. Nest Seekers, LLC, 2006 U.S. Dist. LEXIS 71104, 16 (S.D.N.Y. 2006) ("An electronic bulletin board fits within the definition of an electronic communication service provider").
18 U.S.C. § 2510(14) defines "electronic communications system" to mean "any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications."
One trial court noted that the term "electronic communication service" applied to ISPs and telecommunication companies which provide the means upon which Internet communications travel. In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497, 508, 511 n. 20 (S.D.N.Y. 2001).
One key difference between "remote computing services" and "electronic communication services" is the difference in protection for data stored with the provider. Only data either temporarily passing through an electronic communication service or held as a backup by an electronic communication service can be in "electronic storage" according to 18 U.S.C. § 2510(17): "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." See also Quon v. Arch Wireless Operating Co., 309 F. Supp. 2d 1204 (C.D. Cal. 2004). Other key differences emerge when looking at 18 U.S.C. §§ 2701, 2702, and 2703.
A plain-meaning interpretation of 18 U.S.C. § 2701 ("Unlawful access to stored communications") suggests that it applies only to "electronic communication services" and not to "remote computing services," since the offense is defined with the following elements: 1. intentional, 2. access, 3. without authorization, 4. to a facility through which an electronic communication service is provided (emphasis mine). Alternate grounds for the offense are to 1. intentionally, 2. exceed authorization, 3. to access, 4. a facility through which an electronic communication service is provided, 5. thereby obtaining, altering, or preventing authorized access to a wire or electronic communication, 6. while it is in electronic storage (emphasis mine). Since, as noted above, "electronic storage" applies only to "electronic communication services," these alternate grounds also exclude "remote computing services." See 18 U.S.C. § 2510(17).
As there appears to be no equivalent statute for remote computing services, these criminal sanctions appear not to be applicable to those who access data stored at remote computing services without authorization.
In contrast to Section 2701, Section 2702 does clearly include prohibitions on disclosure of the "contents" of a "communication" held by both electronic communication services and remote computing services. 18 U.S.C. § 2702(a)(1) and (a)(2). Exceptions on voluntary disclosure--such as in cases of emergency, statutory authorization, and some other situations--apply equally to electronic communication services and remote computing services. 18 U.S.C. § 2707 contains the provisions for civil actions against those who violate 18 U.S.C. § 2702.
As in 18 U.S.C. § 2702, both electronic communication services and remote computing services are explicitly addressed in parts (a) and (b), respectively. Part (a) provides the greatest level of protection against governmental access, as it requires "a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant." 18 U.S.C. § 2703(a). However, the statute provides that access to contents of a communication stored at a provider for more than 180 days falls under the more lenient standards that apply equally to access to contents of communications housed at a remote computing service. Id.
Under part (b), data held at remote computing services--and, as noted, communications stored for more than 180 days with an electronic communication service--allow more lenient government access. With a full warrant, the government can access the contents of a communication without notifying the subscriber or customer. 18 U.S.C. § 2703(b)(1)(A). With prior notice, an administrative subpoena or a court order is sufficient (see 18 U.S.C. § 2703(d) for the requirements for the court order) for government access to the contents of the communications.
Freedman v. Am. Online, Inc., 303 F. Supp. 2d 121 (Conn. 2004), deals with violations of Section 2703 by a town police department, which used an invalid warrant to solicit subscriber information. The court stated that "in soliciting and obtaining . . . personal information about the Plaintiff from AOL" the government failed to comply with the ECPA's requirements that it either (1) had a valid warrant or (2) gave the plaintiff prior notice and sought a subpoena or court order. In addition, the court found it "unlikely" that the government would prevail in its argument that 18 U.S.C. § 2703(c)(1)(B) "puts the obligation on the online service provider to withhold information from the government, and not vice versa." In soliciting the information from AOL, "the government knew, or should have known, that by turning over the information without a warrant, AOL was breaking the law."
Interestingly, "remote computing services" are not mentioned in this section. Instead, only "wire or electronic communication service provider[s]" must provide "subscriber information and toll billing records information, or electronic communication transaction records" upon proper certification by the Federal Bureau of Investigation.