Posted by Orin Kerr:
The E-Mail Privacy Act of 2004:
A few weeks ago, I wrote [1]a long post about the First Circuit's
recent wiretapping decision in [2]United States v. Councilman. As I
explained in that post, Councilman is a dangerous decision for
Internet privacy; a statutory fix to correct the decision is very much
needed. The first of several bills attempting such a fix was
introduced in Congress last week. The bill is the [3]E-Mail Privacy
Act of 2004, introduced by [4]Rep. Jay Inslee. I thought I would take
a look at the bill and offer some comments. My basic take is that it
is a well-meaning bill, but not a skillful effort to fix the Wiretap
Act and solve the Councilman problem. (Warning: The rest of this post
is very technical. Instead of writing for a general audience, I'm
going to address the post to the much much smaller audience of Wiretap
Act geeks out there.)
The bill does two things. The first step is to amend the definition of
"intercept" in [5]18 U.S.C. 2510(4). Here is the current version, with
the proposed new language in bold:
"intercept" means the aural or other acquisition of the contents of
any wire, electronic, or oral communication through the use of any
electronic, mechanical, or other device, and, with respect to an
electronic communication, includes the acquisition of the contents
of the communication through the use of any electronic, mechanical,
or other device, at any point between the point of origin and the
point when it is made available to the recipient.
What the drafters are trying to do, I gather, is draft a narrow
statutory fix. After all, the surveillance tool used in Councilman was
in fact a device that acquired an electronic communication between the
point of origin and the point it was made available to its recipient.
The drafters were probably thinking that the best fix would be to
describe what happened in Councilman and just stick in the language
into the statute. In a statute as complicated as the Wiretap Act,
however, that approach doesn't work.
The main reason it doesn't work is that it introduces a new concept
to the Wiretap Act -- that of a "point of origin" of an Internet
communication and a "point when [a communication] is made available to
the recipient" -- that is quite remarkably unclear. The drafters
probably weren't worried about that lack of clarity; whatever the new
language means, it encompasses Councilman. But that doesn't help the
rest of the law, which I think would be left in a state of
considerable confusion. For example, is this "point of origin" a
physical location? Or is it a temporal concept, meaning the time when
a communication was sent? Or does the concept mix spatial and temporal
notions? Similarly, at what point is a communication made available to
its recipient? In the case of an e-mail, is the e-mail made available
when it arrives in the recipient's inbox? What if the recipient's
password has been changed, and he no longer has access to his inbox--
is the e-mail made available to the recipient at that point? And how
would this apply to Internet telephony, packets that are probably
exempted from the amendment because the packets contain bits of phone
calls and therefore wire communications, not electronic
communications?
But wait; there's more. What is the point when a communication is
made available to its recipient in the case of an Internet
communication other than an e-mail? The Councilman case happened to
involve e-mail, but the Wiretap Act applies to all "contents" of
communications sent on the Internet; such information includes
computer commands and possibly URL search terms. Who or what is the
"recipient" of these communications, and when is when are such
communications made available to that recipient? I have no idea.
Given all of these questions, I don't think that this effort to
amend 2510(4) is the way to go. There is much better language floating
about that would amend 2510(4) much more skillfully (more on that
later), and that won't create so many headaches.
The second part of the Inslee bill is designed to address the
broader issue of when ISPs can look through stored files of their
customers without violating federal law. I don't have particular views
on this proposed change, but thought I would explain it anyway.
The generally accepted view has been that the primary law that
protects the privacy of stored user files from unauthorized accesses
exempts ISPs that provide the service. That law, [6]18 U.S.C. 2701,
states that that general prohibition on unauthorized access to an ISP
does not apply "with respect to conduct authorized . . . by the person
or entity providing a wire or electronic communications service." The
idea is that the law regulating when system administrator can look
through user files stored on the ISP's server should be contract law
-- the Terms of Service that regulate the account -- rather than
federal criminal law. (A recent 9th Circuit decision arguably rejects
this view, but that's another discussion.)
Inslee's bill would amend the ISP exception from criminal liability
so that it applies only "to the extent [that] the access is a
necessary incident to the rendition of the service, the protection of
the rights or property of the provider of that service, or compliance
with [rules regulating voluntary disclosure in] section 2702." This
language is mostly copied from the Wiretap Act, and would incorporate
the standard from the provider exception of 18 U.S.C. 2511(2)(a)(i) --
read all about that standard [7]here -- from the Wiretap Act to the
Stored Communications Act.
The basic gist of the change is that ISPs would only be able to
look through user files for very good reasons relating to the
provision of service, and then only when the particular way that they
looked through the files was narrowly tailored to those service needs.
Is this a good idea? I don't know. I assume that ISPs will fight it:
they will argue that it is a bit much to have employees risk
indictment (and ISPs risk the threat of class action lawsuits) for the
particular way that their employees look through files stored on the
ISP's server. On the other hand, the change might not make much
difference; the same law allows the consent of a subscriber to exempt
the ISP from liability, and ISPs would presumably try to get at least
a partial waiver of rights in the Terms of Service if this amendment
went forward.
References
1. http://volokh.com/archives/archive_2004_07_14.shtml#1089840267
2. http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
3. http://www.house.gov/inslee/images/email_privacy_act_2004.PDF
4. http://www.house.gov/inslee/
5. http://www4.law.cornell.edu/uscode/18/2510.html
6. http://www4.law.cornell.edu/uscode/18/2701.html
7. http://www.cybercrime.gov/s&smanual2002.htm#_IVD3c_
_______________________________________________
Volokh mailing list
[EMAIL PROTECTED]
http://highsorcery.com/cgi-bin/mailman/listinfo/volokh
