Appeals Court: Stored Communications Act Privacy Protections Cover Opened And Read Emails

from the shouldn't-have-needed-to-be-said,-but-at-least-it-was-said-forcefully dept

The Fourth Circuit Court of Appeals has handed down an important decision [PDF] bolstering privacy protections for stored email. As we're painfully aware, unopened email older than 180 days is granted zero privacy protections, treated like unopened snail mail left at the post office. Opened email, on the other hand, would seem to carry an expectation of privacy, but a district court ruling came to exactly the opposite conclusion, prompting this appeal.

A lawsuit involving a pair of affairs and one party's decision to read someone else's emails surfaced a question not often posed without a government party involved. Here's the court's summary of the convoluted backstory that led to accusations of federal law violations:

From August 2011 to February 2015, [Patrick] Hately had an intimate relationship with Nicole Torrenzano (“Nicole”), with whom Hately has two children. During their relationship, Hately and Nicole shared login and password information for their email accounts—including Hately’s Blue Ridge College email account. But when, about March 2015, Nicole informed Hately that she also was involved in an intimate relationship with [Dr. David] Watts, who was her co-worker and married to Audrey Hallinan Watts (“Audrey”), Hately and Nicole separated.

Pertinent to this action, Hately did not change the password that he shared with Nicole for his Blue Ridge College email account. Watts and Nicole continued their personal relationship, and during the fall of 2015, Watts and Audrey initiated divorce proceedings. In an effort to help Watts in his divorce proceedings, Nicole told Watts that Hately and Audrey were having an affair. Nicole said she knew of emails between Hately and Audrey that Watts could obtain by using the password that she had to Hately’s Blue Ridge College email account.

This certainly doesn't make what Watts did OK, but he seemed to feel it at least made his actions legal.

Watts stated that he used the password Nicole gave him to browse through Hately’s emails but contended that he “did not open or view any email that was unopened, marked as unread, previously deleted, or in the [student email account]’s ‘trash’ folder.”

This bizarre defense of invading someone else's privacy convinced the lower court that Watts' actions were legally in the clear, even if they were clearly morally wrong. It dismissed his Stored Communications Act claims against Watts, stating that the SCA did not protect opened email. According to the lower court, the only email protected by the SCA is email still in transit. Once it's been downloaded and opened, it's apparently cool for other people to access and read, even if it's not their email account.

With this bizarre take, the lower court basically stated spam email routed directly to the trash has more privacy protections than direct communications between living, breathing persons. The appeals court points out this interpretation is off base by a long distance. A lengthy discussion of the SCA and Congressional intent -- along with a revival of Hately's state law claims -- takes up a great deal of the opinion's 55 pages.

Dr. Watts -- the email interloper -- argued the SCA did not protect these communications because the Blue Ridge College email server was not an "electronic communication service," but rather a "remote computing device." This argument hinged on the email system's construction, which used Google's services for transmitting and storing email. But the university also stored a copy of all Blue Ridge email on its own servers as a backup for users. This crucial fact restores the expectation of privacy, according to the appeals court, which points out Blue Ridge's backup server actually makes it both.

The district court's reasoning rests on the premise that, for purposes of the emails in question, Blue Ridge College's email service could not simultaneously function as both an electronic communication service and a remote computing service. But nothing in the plain language of the definitions of electronic communication service and remote computing service precludes an entity from simultaneously functioning as both.

There is no logical or technological obstacle to an entity "provid[ing] to users thereof the ability to send or receive wire or electronic communications"—i.e., functioning as an electronic communication service—while, and as part of the same service, "provi[ding] the public [with] computer storage or processing services by means of an electronic communications system"—i.e., functioning as a remote computing service. And the relevant legislative history expressly contemplates as much, stating that "remote computing services may also provide electronic communication services." S. Rep. No. 99-541, at 14; see also H.R. Rep. No. 99-647, at 64 ("[T]o the extent that a remote computing service is provided through an Electronic Communication Service, then such service is also protected [under Section 2701(a)].").

As the appeals court notes, it makes no sense to suggest email users consider opened email worthy of less protection than others they've sent directly to the trash without reading. Servers like the one used by Blue Ridge to back up the Google-based email system are the end result of users' desires. Users want to store emails for later reading or use. And Congress -- even with its horribly-outdated Stored Communications Act -- recognized the privacy inherent to these personal communications. This covers delivered and opened email, no matter where the original or its backup resides.

To read the law otherwise is to upend the personal nature of email communications, allowing almost anyone to access anyone else's email without permission and face zero consequences (at least under federal law) for doing so.

The district court’s construction of Subsection (B)—that previously delivered and opened emails stored by a web-based email service are not in “electronic storage” and therefore not actionable under Section 2701(a)(1)—would materially undermine these objectives. Potential users of web-based-email services—like Blue Ridge College’s email service—would be deterred from using such services, knowing that unauthorized individuals and entities could access many, if not most, of the users’ most sensitive emails without running afoul of federal law. Likewise, without the prospect of liability under federal law, unauthorized entities will face minimal adverse consequences for accessing, and using for their own benefit, communications to which they are not a party. The legislative history establishes that Congress did not intend such a result.

The district court’s interpretation of Subsection (B)—which would protect only unread emails stored in by web-based email service—also leads to an arbitrary and untenable “gap” in the legal protection of electronic communications.

Back the case goes to the lower court, reversed and remanded with instructions to reach a less illogical conclusion. And in doing so, the appeals court sets an important precedent that clarifies what the SCA actually covers.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th circuit, ecpa, emails, privacy, stored communications act

Reader Comments

Subscribe: RSS

View by: Thread

  • identicon
    Anonymous Coward, 15 Mar 2019 @ 11:07am

    Lesson: change your passwords when you break up.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Mar 2019 @ 11:20am


      Possible second lesson: ask your mail server operator to mark all email as "opened" immediately on receipt, and to not store any logs that could prove otherwise.

      reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 15 Mar 2019 @ 11:21am

    Wow, that two-paragraph quote sounds like something straight out of a soap opera. Man 1 and Woman 1 are together. Woman 1 informs Man 1 that she's having an affair with Man 2, (who is married to Woman 2,) and they break up. Woman 1 continues her affair with Man 2, who eventually decides to break up with Woman 2, and Woman 1 helpfully provides evidence to him that Man 1 has been having an affair with Woman 2!

    That's just a big mess all over...

    reply to this | link to this | view in chronology ]

  • icon
    Shufflepants (profile), 15 Mar 2019 @ 11:49am

    Judges, get your analogies straight!

    You know, I'm actually kinda okay with ruling by analogy. But you've got to have the right analogy. They want to make the claim that unopened emails are like letters abandoned at the post office. But that's not the right comparison at all. I can't open mail that's at the post office, I can't see if I have letters lying around at the post office waiting for me, I can't see who they're from or what the title at the top of the letter is.

    Unopened emails are more like the pile of unopened mail on my dinning table. Hell, what's the "bin" called where unopened mail sits in an email client: Inbox. Not POBox, not Mailbox; INBOX. Like those little trays you'd have on your desk at home or work.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Mar 2019 @ 4:07pm

    what about CFAA?

    What about use of the Computer Fraud and Abuse Act?

    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)


Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.