Posted by Orin Kerr:
The E-Mail Privacy Act of 2004:

   A few weeks ago, I wrote a long post about the First Circuit's
   recent wiretapping decision in United States v. Councilman. As I
   explained in that post, Councilman is a dangerous decision for
   Internet privacy; a statutory fix to correct the decision is very much
   needed. The first of several bills attempting such a fix was
   introduced in Congress last week. The bill is the E-Mail Privacy
   Act of 2004, introduced by Rep. Jay Inslee. I thought I would take
   a look at the bill and offer some comments. My basic take is that it
   is a well-meaning bill, but not a skillful effort to fix the Wiretap
   Act and solve the Councilman problem. (Warning: The rest of this post
   is very technical. Instead of writing for a general audience, I'm
   going to address the post to the much, much smaller audience of Wiretap
   Act geeks out there.)

   The bill does two things. The first step is to amend the definition of
   "intercept" in 18 U.S.C. 2510(4). Here is the current version, with
   the proposed new language in bold:

     "intercept" means the aural or other acquisition of the contents of
     any wire, electronic, or oral communication through the use of any
     electronic, mechanical, or other device, and, with respect to an
     electronic communication, includes the acquisition of the contents
     of the communication through the use of any electronic, mechanical,
     or other device, at any point between the point of origin and the
     point when it is made available to the recipient.

   What the drafters are trying to do, I gather, is draft a narrow
   statutory fix. After all, the surveillance tool used in Councilman was
   in fact a device that acquired an electronic communication between the
   point of origin and the point it was made available to its recipient.
   The drafters were probably thinking that the best fix would be to
   describe what happened in Councilman and just stick the language
   into the statute. In a statute as complicated as the Wiretap Act,
   however, that approach doesn't work.

   The main reason it doesn't work is that it introduces a new concept
   to the Wiretap Act -- that of a "point of origin" of an Internet
   communication and a "point when [a communication] is made available to
   the recipient" -- that is quite remarkably unclear. The drafters
   probably weren't worried about that lack of clarity; whatever the new
   language means, it encompasses Councilman. But that doesn't help the
   rest of the law, which I think would be left in a state of
   considerable confusion. For example, is this "point of origin" a
   physical location? Or is it a temporal concept, meaning the time when
   a communication was sent? Or does the concept mix spatial and temporal
   notions? Similarly, at what point is a communication made available to
   its recipient? In the case of an e-mail, is the e-mail made available
   when it arrives in the recipient's inbox? What if the recipient's
   password has been changed, and he no longer has access to his inbox--
   is the e-mail made available to the recipient at that point? And how
   would this apply to Internet telephony, packets that are probably
   exempted from the amendment because the packets contain bits of phone
   calls and therefore wire communications, not electronic

   But wait; there's more. What is the point when a communication is
   made available to its recipient in the case of an Internet
   communication other than an e-mail? The Councilman case happened to
   involve e-mail, but the Wiretap Act applies to all "contents" of
   communications sent on the Internet; such information includes
   computer commands and possibly URL search terms. Who or what is the
   "recipient" of these communications, and when are such
   communications made available to that recipient? I have no idea.

   Given all of these questions, I don't think that this effort to
   amend 2510(4) is the way to go. There is much better language floating
   about that would amend 2510(4) much more skillfully (more on that
   later), and that won't create so many headaches.

   The second part of the Inslee bill is designed to address the
   broader issue of when ISPs can look through stored files of their
   customers without violating federal law. I don't have particular views
   on this proposed change, but thought I would explain it anyway.

   The generally accepted view has been that the primary law that
   protects the privacy of stored user files from unauthorized accesses
   exempts ISPs that provide the service. That law, 18 U.S.C. 2701,
   states that the general prohibition on unauthorized access to an ISP
   does not apply "with respect to conduct authorized . . . by the person
   or entity providing a wire or electronic communications service." The
   idea is that the law regulating when a system administrator can look
   through user files stored on the ISP's server should be contract law
   -- the Terms of Service that regulate the account -- rather than
   federal criminal law. (A recent 9th Circuit decision arguably rejects
   this view, but that's another discussion.)

   Inslee's bill would amend the ISP exception from criminal liability
   so that it applies only "to the extent [that] the access is a
   necessary incident to the rendition of the service, the protection of
   the rights or property of the provider of that service, or compliance
   with [rules regulating voluntary disclosure in] section 2702." This
   language is mostly copied from the Wiretap Act, and would incorporate
   the standard from the provider exception of 18 U.S.C. 2511(2)(a)(i) --
   read all about that standard here -- from the Wiretap Act to the
   Stored Communications Act.

   The basic gist of the change is that ISPs would only be able to
   look through user files for very good reasons relating to the
   provision of service, and then only when the particular way that they
   looked through the files was narrowly tailored to those service needs.
   Is this a good idea? I don't know. I assume that ISPs will fight it:
   they will argue that it is a bit much to have employees risk
   indictment (and ISPs risk the threat of class action lawsuits) for the
   particular way that their employees look through files stored on the
   ISP's server. On the other hand, the change might not make much
   difference; the same law allows the consent of a subscriber to exempt
   the ISP from liability, and ISPs would presumably try to get at least
   a partial waiver of rights in the Terms of Service if this amendment
   went forward.


