Neither a customer nor a subscriber be: regulating the release of user information on the World Wide Web.

• Author: Gleicher, Nathaniel

INTRODUCTION

The Stored Communications Act (SCA) was passed in 1986 to regulate information release on the developing Internet. (1) Twenty years later, while the quantity and quality of information collected online has grown, the amount that is regulated by the SCA is increasingly uncertain. Although the SCA was not intended to be "a catch-all statute designed to protect the privacy of stored Internet communications," (2) it has been pressed into this role. Without the SCA to balance the interests of users, law enforcement, and private industry, communications will be subjected to a tug-of-war between the private companies that transmit them and the government agencies that seek to access them. Internet users will find themselves with little protection.

The flaws of the SCA's regulation of electronic communications today have been discussed and analyzed at length, but one danger in particular has received little attention. The SCA largely regulates information "pertaining to a subscriber to or customer of" a covered information service. (3) Although two decades ago virtually all user-service relationships fit within this model, today it may leave many Internet relationships uncovered. For example, search engines gather vast troves of information about their users--users who do not pay for, and often do not subscribe to, their services. (4)

This Comment briefly summarizes the history and structure of the SCA. It then examines the statutory meaning of "subscriber to or customer of," and the dangers posed by the Act's continued reliance on this terminology. It both identifies a specific, concrete weakness in the Act's structure and illustrates the danger of applying a statute written for 1986 technology to the modern Internet. Finally, it proposes a legislative solution. Whether the Act is overhauled or simply amended, it should be broadened to regulate all "user" information held by covered services. This will help ensure that the SCA remains an appropriate balance of interests on the Internet today.

1. THE HISTORY AND STRUCTURE OF THE STORED COMMUNICATIONS ACT

   The Electronic Communications Privacy Act of 1986 (ECPA) (5) contains two parts: Title I, the Wiretap Act, which covers wire, oral, and electronic communications in transit; (6) and Title II, the Stored Communications Act (SCA), which covers communications in electronic storage. (7) Because electronic communications are stored in, and travel across, the computers of third parties, their protection under the Fourth Amendment is at best uncertain. (8) ECPA sought to address this uncertainty and to ensure protection for the privacy rights of Internet users. (9)

   The existing literature has already analyzed the structure of the SCA in detail. (10) The Act centers on a series of distinctions developed in response to 1986 technology. It distinguishes between content and noncontent information, (11) voluntary and compelled data release, (12) and two kinds of Internet services: electronic communications services (ECS) and remote computing services (RCS). (13) A communication's classification determines how the SCA constrains its release. Recent academic analysis of the SCA has been increasingly critical, questioning how appropriate these distinctions are on the modern Internet. (14)

   A fourth distinction that the SCA makes that has received little academic or judicial consideration is that, in most cases, the Act only regulates information pertaining to customers or subscribers of covered information services. (15) This distinction likely had little impact in 1986, when many, if not all, users of information services were also customers or subscribers. Today, however, a wide range of increasingly casual relationships between users and services may fall outside this designation.

2. TWENTY-FIRST CENTURY USER-SERVICE RELATIONSHIPS

   When the SCA was first passed, the Internet was still relatively small, (16) and the most common remote services--e-mail and data processing--required users to explicitly connect and log in. (17) This limited the number of services that each user connected to and ensured clearly delineated relationships between users and services.

   In 1992, the public release of the World Wide Web, with its graphical interface and ease of access, enabled a flood of new Internet services and users. (18) Instead of directly connecting and logging in to each remote service, Web users travel between sites at the click of a mouse, visiting hundreds in a single session. On the Web, the relationships between users and services have become increasingly difficult to fit into the SCA's customer-subscriber framework. Advertising-supported or free services such as search engines and blogs often require no registration or payment from their users. (19) Embedded services, such as video and advertising, allow a user to interact with a service without even browsing to that service's home page, and to interact with many services at once. (20) Invisible third-party services, such as edge caching (21) and visitor tracking, (22) run on thousands of websites, often without visitors' knowledge. For each of these types of services, it is difficult to classify users as customers or subscribers. Thus, it is unclear whether these relationships fall under the SCA's current framework. (23)

   In addition to empowering new relationships between users and services, the Web has also increased the quantity and quality of information that is stored about Internet users. Browsing logs provide detailed views of users' interests and desires. (24) Search engines routinely gather records of users' search queries. (25) Many services, such as advertisers, track their users across networks of websites, gathering a bird's-eye view of their interests and concerns. (26)

   Finally, the modern Internet makes gathering and aggregating data extremely valuable to both companies and law enforcement. Much of the Internet economy is based on targeted advertising. To ensure that targeted ads are effective, services need to store...