Pandora’s Inbox: email and “electronic storage” under the Stored Communications Act

When Congress passed the Stored Communications Act (“SCA”) in 1986, email systems were markedly different. Email systems from the 1970s closely mirrored what we know as instant messaging; both the sender and recipient had to be online to send and receive messages. It was only in the early ‘90s when the current ‘store and forward’ technique became utilized.

Moreover, web-based email (i.e., Gmail and Hotmail) didn’t exist. Instead, email was handled on an intranet, usually within a business, and users would download email messages from a server. The server would typically not backup the message (disk storage space was a luxury back then), and the only copy existed on the user’s computer. Today, we receive emails on our computers, phones, and watches (often simultaneously), and rely on that server to keep those emails in perpetuity.

“Electronic Storage”

The SCA prohibits unauthorized access to email, among other communications, but only if the communication is defined as being in “electronic storage.” See 18 U.S.C. § 2701. The SCA defined “electronic storage” as follows:

(17) “electronic storage” means—

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and 

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

18 U.S.C. § 2510(17).

The act also specifies the legal process the government must use to compel disclosure of messages in “electronic storage.” See 18 U.S.C. § 2703. When it was passed, Congress presumed that any emails left on an email server longer than 180 days were “abandoned,” and thus could be obtained by law enforcement without requiring a warrant (or giving notice to the user).

Courts have agreed that unopened emails residing on a server are protected by SCA; the fiction is that an unopened email is considered to be in “temporary, intermediate storage” pending delivery. See Cruz Lopez v. Pena (N.D. Tex. Mar. 5, 2013) (“§ 2510(17) has been clearly established to protect unopened emails.”); Lazette v. Kulmatycki, (N.D. Ohio 2013) (“[P]laintiff cannot prevail to the extent that she seeks to recover based on a claim that [defendant] violated the SCA when he accessed e-mails which she had opened but not deleted.”).

Emails Stored Online & Downloaded to a Personal Device 

In Theofel v. Farey-Jones, the Ninth Circuit held that emails received, read, and left on a server fit within the Act’s definition of being “for purposes of backup protection”:

 [a]n obvious purpose for storing a message on an [internet service provider’s (“ISP”)] server after delivery [from the server to the user] is to provide a second copy of the message in the event that the user needs to download it again–if, for example, the message is accidentally erased from the user’s own computer.

At first glance, the definition seems quite broad, allowing for any email to be protected. Parsing through the opinion (which offers little in information on email configuration) it seems clear that Chief Justice Kozinski relied upon the assumption that the users downloaded the emails to their personal computers, noting that if “remote computing service might be the only place a user stores his messages; in that case, the messages are not stored for backup purposes.” Id. at 1077. Other courts have aligned with the similar view concerning email both downloaded and on a server. See, e.g., Shefts v. Petrakis, (C.D. Ill. Nov. 29, 2011) (finding email copies were protected by SCA when plaintiff downloaded them to Outlook); Cornerstone Consultants Inc. v. Prod. Input Solutions LLC, (N.D. Iowa 2011) (same).

Noted scholar Orin Kerr believes the Ninth Circuit incorrectly interpreted the provision in the context of the user, and argues that “the ‘backup’ language is about backups created by the ISP for the ISP’s purposes.” Kerr also criticized Kozinski’s rationale in an earlier paper, noting that “the apparent test is whether the user or employees of the service provider have reason to believe that they may need to access an additional copy of the file in the future.”

Users v. Servers

In Jennings v. Jennings, the Supreme Court of South Carolina granted cert on a case involving a wife who figured out her husband’s Yahoo! email password, and accessed his account (she was looking for evidence of an affair). When the husband sued under the SCA, the court decided to take a crack at interpreting the statute. Unsurprisingly, the court returned with a 2-2-1 plurality decision:

• Justice Hearn, joined by Justice Kittredge— based on the meaning of the word “backup” according to a Merriam-Webster Dictionary, a substitute copy has to exist for the email to be a “backup.” Since the only copy of the email was read and stored on Yahoo!’s servers, it follows that the emails are not protected under the SCA.

• Chief Justice Toal, joined by Justice Beatty—the justices believed section (A) and (B) were conjunctive. Unread email on Yahoo!’s server is in “transmission” and “backup” until the user reads them, thus protected by the SCA as “electronic storage.” However, once an email is read, it has reached its destination, and is no longer stored under the definition of the SCA.

• Justice Pleicones—while mostly agreeing with Chief Justice Toal, Pleicones believed that the statute was disjunctive, but still failed to find the email satisfied either provision.

Rejecting the reasoning in Theofel, these three decisions all took the approach that the SCA protects emails from the perspective of Yahoo!, not the user. They also assumed the husband never downloaded his Yahoo! mail onto a computer or other device.

Received v. Sent Emails

The Eighth Circuit provided a proper circuit split in Anzaldua v. Northeast Ambulance & Fire Protection District. Here, A jilted ex-girlfriend logged on to the plaintiff’s Gmail account and forwarded two emails to the plaintiff’s superior. The plaintiff was later fired due to “inflammatory” remarks found in his emails. The issue on appeal was whether the two emails (one was in the sent folder, the other in the drafts) were considered protected under SCA. The court held neither email were protected.

The argument centered on whether the user sent or received the email. One of emails forwarded was sent earlier to another person. The second email was still in the draft folder. According to the Eighth Circuit, since neither email was received, neither are within the ambit of the SPA. In rejecting Theofel, it noted “[i]f Theofel has any application here, it would be to protect a copy of the email stored with Holland’s email service, not Anzaldua’s.”

Concerning the sent email, the Eighth Circuit argued that the plaintiff had no reason to access a backup copy of the email because the message had been successfully delivered, “[w]e hold that once Anzaldua successfully sent the email to Holland, as he alleged he did, the copy Gmail retained on its server as a sent message did not perform a backup function.”

As for the email in the draft folder, “because the email had not been sent, its storage on the Gmail server was not ‘temporary, intermediate,’ and ‘incidental to the electronic transmission thereof.’”

Again, the court made no mention if the plaintiff had downloaded those emails onto a separate device. Rather, it mentions n passing that “web-based email users may still download emails to their computers through email client programs, which complicates the picture.”

Looking Forward

Epic.org has proved this helpful table as to what type of law enforcement access is required to read your email:

EPIC Email Guide

You have to wonder how we got here. It would seem judicial opinion goes backwards, creating splits along the way, while technology continues to forge on. It is likely necessary to jettison this act and replace it with something that will properly suit modern technology.

In a somewhat fitting analogy, judicial review and legislative amendments of the SCA is akin to what is known in software development as the “Code and Fix” methodology. Here, a developer writes code and then quickly releases the application without testing it. When a user reports a bug, the developer writes some code to patch it up, then releases it again—this cycle continues, the software becomes bloated, and every subsequent bug takes longer to fix. Suffice it say, the methodology is heavily frowned upon. Sometimes, it’s simply prudent to scrap something and start fresh.