§ 8.03 Stored Communications Act (SCA)

• Jurisdiction: United States
• Publication year: 2020

§ 8.03 Stored Communications Act (SCA)

[1] Introduction

Prior to 1986, the United States Code provided no protection for stored communications in remote computing operations and large data banks that stored e-mails.²⁵³ "In response, Congress passed the SCA as part of Title II the Electronic Communications Privacy Act ('ECPA') to protect potential intrusions on individual privacy that the Fourth Amendment did not address."²⁵⁴ In general, and it was designed to protect facilities storing electronic communications²⁵⁵ and to address an increase in attempts to access stored electronic communications without authority.²⁵⁶ Specifically, the threat involved computer hackers "deliberately gaining access to, and sometimes tampering with, electronic or wire communications"²⁵⁷ by means of electronic trespass.

When Congress enacted the SCA, it stated that one of the Act's primary purposes was to protect e-mail communication, noting that a primary example of an ECS was an e-mail service in which "messages are typed into a computer terminal, and then transmitted . . . to a recipient computer operated by [e-mail]."²⁵⁸ The SCA is not a "catch-all" designed to protect the privacy of all Internet communications, rather it is narrowly tailored to provide a Fourth Amendment like protections for computer networks. It is generally intended to protect private communication and prevent invasions of privacy, which constitutes the statute's primary purpose.²⁵⁹ The SCA primarily focuses on protecting e-mail and voicemail from unauthorized access.²⁶⁰

The SCA criminalizes unauthorized access to electronic communications under certain circumstances.²⁶¹ In particular, Section 2701(a) prohibits the improper and intentional access of facilities in which electronic or wire communications are stored.²⁶² This section only applies to providers of electronic communication services, and not to remote communication service providers, which are covered by § 2702. In addition, the SCA prohibits Internet service providers from "knowingly divulg[ing] to any person or entity the contents of a communication."²⁶³

In addition to imposing criminal liability, 18 U.S.C. § 2707(a) creates a cause of action for any person aggrieved by a violation of the SCA. Section 2703(e) provides immunity to a service provider when it makes a disclosure in accordance with a provision of the SCA,²⁶⁴ and § 2707(e) provides complete defense to service providers who rely in good faith on "a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization. . . ."

[2] Key Terms

[a] Electronic Communication

An "electronic communication" is defined as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system . . . but does not include any wire or oral communication."²⁶⁵ E-mail constitutes an electronic communication within the meaning of statute.²⁶⁶

[b] Intentionally Access Without Authorization

The term "intentional" in this context is narrower than the "dictionary definition of 'intentional.' 'Intentional' means more than that one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the person's conscious objective."²⁶⁷ "Exceeding authorized access" occurs "when a party accesses information that the party has no authority to see."²⁶⁸ Thus, in general, under the SCA, a defendant acts intentionally if his conduct or its result is a product of his conscious objective, inadvertent access will not suffice.²⁶⁹

However, two diverging approaches to the meaning of "access with authorization" or "exceeding authorization to access" in the context of the SCA have emerged. For example, courts in the Eastern District of Pennsylvania have interpreted the language to prohibit unauthorized access of stored communications, but not unauthorized use of the communications.²⁷⁰ Under this approach, the SCA prohibits "unauthorized access not 'the disclosure or use of information gained without authorization.'"²⁷¹ In other words, the violation consists of illegally gaining access to information that the trespasser "is not entitled to see, not when the trespasser uses the information in an unauthorized way."²⁷² Therefore, an employee, for example, who is authorized to access an employer's server is not liable under the SCA for accessing it even for unauthorized or illegitimate purposes. This approach is consistent with the legislative history of the SCA.²⁷³

On the other hand, other courts have interpreted the language more broadly and held that an employee exceeds his authorization to access an employer's server when he accesses it for non-business purposes.²⁷⁴

Finally, though there is more discussion in the case law about the definition of exceeding authorized access in the CFAA, courts have indicated that this term in the SCA should follow its definition in the CFAA.²⁷⁵ In TEC Serve, LLC, for example, the court reached this conclusion, after approving the interpretation of this term in United States v. Rodriguez.²⁷⁶

[c] Facility

In order to violate Section 2701, a defendant must access "a facility." This term is not defined in the SCA; however, courts have consistently held that the facility in question must be separate and apart from the defendant's own servers.²⁷⁷ In other words, courts interpreting the meaning of "facility" have found that the term applies to systems operated by an Internet Service Provider or e-mail service provider.²⁷⁸ The SCA does not apply to communications stored on personal devices.²⁷⁹ Thus, courts have dismissed plaintiff's Section 2701(a) claims after concluding that the iPhones allegedly accessed by the defendants were not "facilities" within the meaning of the statute.²⁸⁰ Conversely, the Eleventh Circuit has unequivocally stated that Microsoft 365, a cloud-based service, through which e-mails are sent and received, and which was the system Plaintiff used, "is a facility through which an electronic communication service is provided," for the purposes of the SCA.²⁸¹ According to a district court, "a database which stores records for domain names . . . [and] enables internet navigation by storing signals that provide for such navigation . . . falls within the ambit of the Stored Communications Act."²⁸²

[d] Electronic Communication Service (ECS)

The term "electronic communication service" (ECS) is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications."²⁸³ According to the SCA's legislative history, telephone companies and electronic mail companies provide electronic communication services.²⁸⁴ Courts have also found that ISPs, e-mail service providers, and telecommunication companies provide electronic communication services. Any company or government entity that provides others with the means to communicate electronically can be a "provider of electronic communication service" regardless of the entity's primary business or function.²⁸⁵ In short, websites and services that permit users to communicate directly with one another are considered ECS providers.²⁸⁶

When determining whether an entity provides electronic communication services, courts generally focus on whether the entity is in the business of providing electronic communication services.²⁸⁷ As explained by the court in In re JetBlue Airways Corp. Privacy Litigation:²⁸⁸

"Although JetBlue operates a website that receives and transmits data to and from its customers, it is undisputed that it is not the provider of the electronic communication service that allows such data to be transmitted over the Internet. Rather, JetBlue is more appropriately characterized as a provider of air travel services and a consumer of electronic communication services. The website that it operates, like a telephone, enables the company to communicate with its customers in the regular course of business. Mere operation of the website, however, does not transform JetBlue into a provider of internet access, just as the use of a telephone to accept telephone reservations does not transform the company into a provider of telephone service. Thus, a company such as JetBlue does not become an "electronic communication service" provider simply because it maintains a website that allows for the transmission of electronic communications between itself and its customers."²⁸⁹

In contrast, other courts, however, have held that no such requirement exists.²⁹⁰ However, an ECS does not include the storage of e-mails on home or office computers.²⁹¹

"[T]he electronic communication in question must have been stored by the electronic communication service itself, as opposed to the user of the service."²⁹² According to one court, "an individual's personal computer does not provide an electronic communication service simply by virtue of enabling use of electronic communication services."²⁹³ The Ninth Circuit has held that defendant did not qualify as an ECS because it did "not permit users to communicate directly with each other. The documents and accompanying comments do not travel directly from the sender to the recipient; instead, the recipient of any message would have to retrieve it by downloading it from [defendant's] server. Because Plaintiffs do not allege that any direct communication takes place, the district court correctly determined that Plaintiffs fail to plead that [defendant] constitutes an ECS provider."²⁹⁴

[e] Electronic Storage

Finally, Section 2701 also requires the government or a plaintiff to establish that the defendant accessed an electronic communication while it was in electronic storage. Under § 2510(17) the term "electronic storage" means "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communications...