Criminal discovery of Internet communications under the Stored Communications Act: it's not a level playing field.

• Author: Zwillinger, Marc J.

1. INTRODUCTION

   In the nearly twenty-one years since the Stored Communications Act (SCA) was added to Title 18 of the United States Code, online service providers of many different stripes have received tens of thousands of requests for information about their subscribers from government agencies and private parties. (1) And yet, notwithstanding the volume of requests, very few courts have had the opportunity to closely parse the meaning of the SCA's provisions related to permitted and prohibited disclosures by electronic communication service providers (ECS providers) and remote computer service providers (RCS providers) under 18 U.S.C. [section] 2702 and [section] 2703. Those courts that have examined these provisions have usually done so in the context of civil cases, as the absence of a suppression remedy for violations of the SCA virtually precludes the possibility of substantive analysis of the SCA in the context of criminal cases. (2) Because the provisions of the SCA were designed primarily to address restrictions on the government's access to documents held by third parties during criminal investigations, and are generally poorly understood, the civil cases involving the SCA often result in odd decisions, (3) made even stranger by imprudent concessions and stipulations that generally complicate and confuse matters. (4) Nevertheless, despite these odd results, and the especially high frequency of amended or withdrawn panel opinions (5) and en banc hearings, (6) several essential questions surrounding the interpretation of the SCA have been addressed, and in some cases resolved. (7)

   Oddly, however, not a single published state or federal case has considered the topic of how the SCA applies in the context of defendant-initiated criminal discovery. In the course of representing Internet service providers, web portals, and application service providers (together ISPs) the authors of this Article have witnessed firsthand how little is known about the SCA's restrictions by defense counsel, and how frequently public defender's offices, private criminal counsel, and even pro se defendants serve subpoenas unlawfully seeking to compel production of the contents of Internet communications. (8) These defendants and their counsel are invariably surprised to learn that federal law precludes the subpoenaed ISPs from disclosing, at least to them, the communications they seek.

   Although largely overlooked to date, this seeming statutory anomaly has important repercussions for criminal law. The number of cases in which criminal defendants seek access to e-mail, blog entries, photos, and other user content held by ISPs is already significant, and the ever-expanding trend to entrust the safekeeping of sensitive, personal documents and communications to third-party ISPs ensures that the demand will only increase. For example, an ISP may unwittingly possess electronic content amounting to contraband, such as trade secret documents or infringing copies, or contents of e-mail messages between the defendant and his victim that may evidence a lack of criminal intent. Although the government may seek to discover the former, only the defendant is likely to have an interest in disclosure of the latter. As it stands, the SCA permits the government, subject to certain limitations, to achieve its end by serving proper legal process on the ISP. Criminal defendants, by contrast, have no such recourse.

   This Article seeks to expose the uneven playing field created by the SCA, highlight its implications, and propose a legislative solution. In Section II, the Article first places the SCA in historical context, reviewing the broad concerns that motivated the Act, the statutory scheme by which those concerns were addressed, and the basis, if any, for the disparate treatment of the government and criminal defendants. The Article in Section III examines how the voluntary and compelled disclosure provisions of the SCA preclude ISPs from disclosing contents of Internet communications between third-parties to criminal defendants and civil litigants under any circumstances. This is true even if the ISPs are ordered to do so by the court, even though the same materials can be disclosed to the government upon presentation of proper legal process and without court involvement. Sections IV and V further explain how the same provisions of the SCA that work to deny defendants access to contents of communications allow defense counsel to obtain certain non-content records more easily than the government can obtain such material. In Section VI, the Article explores the implications of this uneven playing field, and identifies the potential legal arguments and tactics criminal defendants might pursue to force disclosure under the current SCA scheme, including whether the present imbalance is grounds for a constitutional challenge. Finally, Section VII proposes amendments to the SCA that would address these relatively obvious oversights and insulate the Act from any potential constitutional infirmity while keeping the purpose and spirit of the SCA intact.

2. ORIGINS AND HISTORY OF THE ELECTRONIC COMMUNICATIONS PRIVACY ACT

   The SCA was enacted by Congress in 1986 as part of the Electronic Communications Privacy Act (ECPA). (9) At the time, the use of the Internet for person-to-person communications was in its nascent stage, and large scale third-party data storage and processing was only an emerging business. (10) As such, the SCA was conceived at a time that pre-dated the World Wide Web, and therefore did not contemplate the ubiquitous use of web-based communications services such as Hotmail, Yahoo!, MySpace, or Gmail, and the accompanying copious, long-term storage offered by such providers. (11)

   In the context of that environment, Congress pursued passage of the SCA as a measure to protect individuals' privacy and proprietary interests. The SCA reflects Congress's judgment that users have a legitimate interest in the confidentiality of electronic communications stored on third-party servers. (12) In seeking to protect these privacy interests, however, Congress also attempted to strike a balance with the recognized need for law enforcement access to such information in appropriate cases. Indeed, the theme of balancing "legitimate" privacy interests against equally "legitimate" law enforcement needs is echoed throughout the legislative history. (13)

   As the legislative history makes clear, Congress believed that a federal statute was necessary to ensure that privacy interests were amply protected in this new medium because the applicability of well established constitutional protections was a "legal uncertainty." (14) Specifically, Congress noted that forms of communication analogous to e-mail were protected by the Fourth Amendment, by previously enacted federal law, or by some combination of the two. E-mail, by comparison, had no such established protections. (15) Moreover, the prevailing sense of constitutional scholars was that the new technology's emphasis on third party storage did not square with the Fourth Amendment's traditional limitations to protecting personal, physical spaces. (16)

   Indeed, two established lines of Fourth Amendment doctrine--the voluntary disclosure and business records cases--strongly suggested that if the Constitution was the sole source of protection for remotely-stored electronic communications, then third parties, including the government, would face no obstacle to compelling disclosure. The Fourth Amendment guarantees that "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause...." (17) "The basic purpose of this Amendment ... is to safeguard the privacy and security of individuals against arbitrary invasions by governmental officials." (18) Its reach, however, has limits. (19)

   One well-recognized limitation is the limit on protection for information voluntarily conveyed to a third party. (20) At the most fundamental level, this limitation recognizes that the government does not unlawfully invade a person's privacy when it uses information a defendant disclosed in conversation with a government informant, undercover agent, or other witness, regardless of whether that conversation took place in a "private" context. As the Supreme Court has stated, the Fourth Amendment does not "protect[] a wrongdoer's misplaced belief that a person to whom he voluntarily confides his wrongdoing will not reveal it." (21)

   The voluntary disclosure doctrine was augmented in the specific context of third party storage of documents in what are now recognized as the "business records" cases. In United States v. Miller (22) and Smith v. Maryland, (23) the Supreme Court affirmed that individuals do not maintain a reasonable expectation of privacy in information voluntarily revealed to third parties. (24) In Miller, the government subpoenaed the defendant's bank records in order to provide evidence that he was engaged in criminal activity. (25) The Court held that a depositor relinquishes any expectation of privacy in his banking information by revealing it to the bank in the ordinary course of business. (26) Similarly, in Smith, the Court held that the Fourth Amendment does not protect the numbers that telephone users dial when making a call. (27) The holdings of Miller and Smith center on the fact that the information at issue was divulged as part of the regularly transacted business between the user and the third party, and was kept as a record of such transaction. (28)

   Given this precedent, Congress questioned whether the Fourth Amendment clearly protected users' electronic communications from government reach. (29) Even if the Fourth Amendment were found to protect such communications, however, the fact that the communications resided in third-party ISP hands posed an additional threat...