The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
The Stored Communications Act, a federal law governing e-mail privacy, is notoriously difficult to understand. The greatest confusion has been how the law treats privacy rights in opened e-mails. The Fourth Circuit recently deepened the disagreement and added an additional new theory in a published decision, Hately v. Watts. Hately holds that the civil cause of action for unauthorized access to e-mails found in 18 U.S.C. 2701 also extends to accessing opened web-based e-mails.
This is an issue that has been puzzling courts since at least the 1990s, and I thought I would explain the new decision and why it matters. I'll start by explaining the basic debate over opened e-mail. I'll then discuss the facts and reasoning of Hately. I'll conclude with my thoughts on why I think the court is wrong, why the issue is hard, and why I hope the Supreme Court will review the case.
A. The Statutory Context
In 1986, Congress enacted the Stored Communications Act (SCA) to regulate the privacy of electronic messages sent over computer networks. Congress looked at the Internet of 1986 and saw a need for two kinds of privacy protections in stored communicatins. The first need was to protect the privacy of stored e-mails in the course of delivery. The second need was to protect the privacy of contents stored by remote computing services, what today we would think of, more or less, as cloud providers. In the 1986 statute, Congress decided that the privacy of e-mails in the course of delivery merited greater statutory privacy protections than contents held by cloud providers.
That greater privacy protection was expressed in two main ways. First, in a criminal investigation, investigators need a warrant to access e-mails in the course of delivery but do not need a warrant to access contents held by cloud providers under 18 U.S.C. 2703. Second, in 18 U.S.C. 2701, Congress made it both a crime and the basis of a civil action to commit an unauthorized access to obtain another person's private e-mails stored in the course of delivery—but not to commit an unauthorized access to obtain the contents held by cloud providers. (These are rough descriptions of the two statutory categories which give you the basic idea of them. I'll pass on the details of the language for purposes of this post to keep it a readable length, but note that I'm providing a simplified version. See here for more.)
The question that confuses everyone is what to do with opened e-mails. Here's the problem. Courts have long agreed that when an e-mail is sitting in a person's inbox, as of yet undelivered to the user, it is still stored the course of delivery. It gets the greater level of protection. See, e.g., Vista Marketing, LLC v. Burkett, 812 F.3d 954 (11th Cir. 2016). But let's say a user logs into his e-mail account, reads an e-mail, and then keeps the e-mail on the server—something that today's e-mail providers ordinarily do by default. If someone else comes along and obtains a copy of the opened e-mail without the account owner's permission, is that accessing an e-mail in the course of delivery? Or is that accessing contents held by a cloud provider?
This question used to be extraordinarily important in an era before the Fourth Amendment was understood to apply broadly require warrants for the government to access e-mails. Before United States v. Warshak, the SCA was understood as the limit on government access to e-mails. The statutory classification of opened e-mails determined whether a warrant was required for them. The modern understanding that the Fourth Amendment ordinarily requires a warrant for government access to e-mail has changed the picture somewhat, but only somewhat: Regardless of Fourth Amendment law, the statutory civil action for unauthorized access still only applies to accessing e-mails stored in the course of delivery and not to accessing contents held by remote computing services.
So how should the law classify opened e-mails? The key statutory definition of e-mails stored in the course of delivery, given the confusingly-broad term "electronic storage," has two parts. Such e-mails, the statute says, cover communications held in:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;
18 U.S.C. 2510(17).
It is generally pretty clear, from the statutory context and legislative history, what (A) means. That language refers to unopened e-mails, that is, e-mails stored that are not yet delivered. They're being stored temporarily as a part of the process of delivering them.
The maddening confusion is what (B) means. There are two basic theories.
The first theory is that e-mails stored for "purpose of backup protection" refers to backups of unopened e-mails that the e-mail provider made of its server. In the research and hearings that led to the enactment of the 1986 law, it was widely noted that e-mail providers made back-ups of their servers in case there was a network problem. Under the first theory, the definition in (B) just makes clear that backup copies of unopened e-mails don't lose their strong privacy protection. After all, if a provider makes a backup copy of the server, and the backup includes copies of unopened e-mails, those copies are no longer temporary or intermediate. They are now permanent, or as permanent as the provider wants them to be. Without the added language of (B), the thinking goes, the government could just wait until the provider makes a backup and then swoop in and demand the backup without a warrant. Part (B) ensures that the user's copy and the provider's backup get the same strong privacy protection.
That's the first theory. The second theory is that e-mails stored "for purpose of backup protection" refers to e-mails that the user intends to keep as the user's backup. The idea is that users keep their files in the cloud for lots of reasons, including as a storage place that they can use to come back and get copies of information that they need later on. On this thinking, the definition in (B) substantially expands the category of more protected e-mails. In particular, it confers the higher leval of privacy protection to opened e-mail: After a user opens an e-mail, the opened e-mail is protected by (B) just like the unopened e-mail is protected by (A) because the opened e-mail is a "backup" of the unopened e-mail. On this view, the relevant "purpose" of backup protection is the individual user's purpose, not the provider's purpose. The user's act of opening the e-mail and not deleting it reflects a "purpose" to keep it around as a "backup." Opened and unopened e-mails get the same protection.
B. The Preexisting Division in Authority
Courts have been all over the map on which interpretation is correct. As the Eleventh Circuit recently noted, "considerable disagreement exists over whether, and if so, under what conditions, opened email transmissions may qualify as being held in 'electronic storage," the term defined by statute in 18 U.S.C. 2510(17). Vista Marketing, LLC v. Burkett, 812 F.3d 954, 976 (11th Cir. 2016). As a result, "the law with regard to this issue is far from settled." Id.
Some courts have adopted the first theory, that opened e-mails are not covered under the civil action in Section 2701 because they are not stored "for purposes of backup protection" by the provider. See, e.g., Jennings v. Jennings, 736 S.E.2d 242 (S.C. 2012). This is also the position of the United States Department of Justice. See United States Dep't of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations 125 (3d ed. 2009).
Other courts have adopted the second theory. See, e.g., Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004) (Kozinski, J.). Still other courts have tried a hybrid theory, by which they accept the basic idea that the user's backup intent matters but then adopt narrow rules for when an e-mail was kept as a backup by the user. See, e.g., Anzaldua v. Northeast Ambulance and Fire Protection, 793 F.3d 822 (8th Cir. 2015) (concluding that sent e-mails stored in the outbox are not stored for purposes of backup protection).
The widely-noted confusion has led to the occasional request for Supreme Court review—here's a 2013 cert petition filed by Neal Katyal of Hogan Lovells—but the Supreme Court has not yet agreed to resolve the uncertainty.
C. The Facts and Holding of the Fourth Circuit's New Decision
That brings us to the new ruling in Hately v. Watts. The case involves access to an e-mail account provided to students and alumni of a Virginia community college. The college provided e-mail to students and alumni that was hosted by Google and available via a web client like a typical gmail account. Hately, an alumnus of the college, used a college-provided account. Hately ended up sharing the account password with someone who later provided access to the account to Watts; Watts then looked in Hately's e-mail account and looked at opened e-mails in Hately's account.
Hately sued Watts under Section 2701. The district court granted summary judgment in favor of Watts on the first theory described above: Because Watts had only looked at opened e-mails, the e-mails were not in "electronic storage" under 18 U.S.C. 2510(17) and thus the access was outside the scope of Section 2701.
The Fourth Circuit reversed. According to the Fourth Circuit, the opened e-mails were in "electronic storage" under the backup provision of 18 U.S.C. 2510(17)(B). The court's reasoning is not exactly easy to summarize. But a key idea seems to be that webmail is based on a kind of redundancy, an idea offered to the court in an amicus brief (see page 22). Companies like Google make many copies of a particular e-mail, the amicus brief noted. Therefore, the court concludes, in the case of webmail, any one copy, opened or closed, can be theorized as a kind of "backup" of other copies that exist for the provider:
[E]ven assuming Watts and the district court are correct that the term "backup protection" encompasses only copies that are "made for the service provider's own administrative purposes," Hately's emails in question would fall within the meaning of "backup protection." "Administrative" means "relating to the running of a business, organization, etc." Administrative, Merriam-Webster.com (last visited Feb. 26, 2019). As explained above, web-based email services—including Google, which hosted Hately's College email account—create numerous copies of emails for their own administrative purposes, such as decreasing email downtime, protecting against loss of data in the event a particular server fails, CDT Br. at 22, and for their own commercial purposes, such as to more effectively target advertisements. Accordingly, the copies of Hately's emails at issue were created for Blue Ridge College email service's "administrative purposes" under the common meaning of that term.
. . . .Additionally, even if an addressee's email service did receive an "original," in the context of "redundant" web-based email services—like Blue Ridge College's email service hosted by Google—even the "original" serves as a "backup." See CDT Br. at 22. In particular, each of the numerous copies of the messages created and stored on the service's server acts as a "substitute" or "support" for every other copy stored on the service's servers. See id. Accordingly, even if one of those numerous copies was an "original," that "original" would still serve as a "backup" for all the other copies stored by the service
The court then offers an alternative rationale that expressly adopts the second theory described above, from the Ninth Circuit's Theofel decision, that a backup can be for the user's purposes rather than the company's purposes. Under this rationale, keeping an opened e-mail is presumably leaving it as a backup:
Equally important, "nothing in the [Stored Communications Act] requires that the backup protection be for the benefit of the [electronic communication service] rather than the user." Theofel, 359 F.3d at 1075. On the contrary, the statute's legislative history expressly contemplates that the requisite backup protection may be for the benefit of the user. H.R. No. 99-647, at 68 ("Back up protection preserves the integrity of the electronic communication system and to some extent preserves the property of the users of such a system." (emphasis added)).
The court then makes an extended argument based on the broad purposes of Congress in enacting the SCA. According to the court, construing opened e-mail as outside the scope of Section 2701 would be inconsistent with the objectives of Congress to protect privacy. Indeed, distinguishing between opened and unopened e-mails would be absurd, the court argues, and surely Congress would not enact a statute so arbitrary and absurd. From the opinion:
Our conclusion that previously delivered and opened emails fall within the meaning of Subsection (B) also accords with Congress's purpose in enacting the Stored Communications Act. Congress sought to fill in a "gap" in then-existing law as to the "protect[ion of] the privacy and security of communications transmitted by new noncommon carrier communications services or new forms of telecommunications and computer technology," including email. S. Rep. No. 99-541, at 5; H.R. Rep. No. 99-647, at 17 (noting that statutory framework that existed prior to enactment of the Stored Communications Act "appear[ed] to leave unprotected an important sector of the new communications technologies," including email); id. at 18 (noting "[t]he statutory deficiency . . . with respect to non-voice communications"). As noted above, Congress expressed concern that the absence of such protection "unnecessarily discourage[s] potential customers from using innovative communications systems" and "encourages unauthorized users to obtain access to communications to which they are not a party." S. Rep. No. 99-541, at 5; H.R. Rep. No. 99-647, at 19.
The district court's construction of Subsection (B)—that previously delivered and opened emails stored by a web-based email service are not in "electronic storage" and therefore not actionable under Section 2701(a)(1)—would materially undermine these objectives. Potential users of web-based-email services—like Blue Ridge College's email service—would be deterred from using such services, knowing that unauthorized individuals and entities could access many, if not most, of the users' most sensitive emails without running afoul of federal law. Likewise, without the prospect of liability under federal law, unauthorized entities will face minimal adverse consequences for accessing, and using for their own benefit, communications to which they are not a party. The legislative history establishes that Congress did not intend such a result. T
The district court's interpretation of Subsection (B)—which would protect only unread emails stored in by web-based email service—also leads to an arbitrary and untenable "gap" in the legal protection of electronic communications. S. Rep. No. 99- 541, at 5. Under the district court's reading, the Stored Communications Act renders unlawful unauthorized access of unopened messages stored by web-based email services, whereas unauthorized access of opened and saved messages stored by such services would not violate the Stored Communications Act. See Hately, 309 F. Supp. 3d at 410. But the messages a user of a web-based email service chooses not to delete—the messages the district court's construction of Subsection (B) leaves unprotected—are likely precisely the types of messages Congress sought to protect. By choosing to save such messages after reading them, the user indicates that the messages have sufficient personal, commercial, or other significance that they want to be able to access them again in the future. It defies logic that the unopened junk and spam email messages that a user leaves in his or her inbox or designated folder without opening would be entitled to more protection than those messages the user chooses to open and retain. We do not believe Congress intended such an absurd result when it enacted a statute intended to fill in the gaps in the then-existing privacy protections for electronic communications and therefore spur adoption of new communication technologies, like email.
D. My Thoughts, and Why the Supreme Court Should Take This Case
I have strong priors on this particular legal question: I think the statute adopts the opened-unopened e-mail distinction, and that the Fourth Circuit was wrong to reject it. Indeed, the district court in Hately relied in part on my discussion of this issue from my 2004 article on the SCA. I go into detail in my article on this, but the basic idea is that you need to go back to what "backup protection" meant in 1986 when the statute was enacted. The meaning of the term in 1986 was pretty clear but also pretty narrow, which you can see in particular from Section 2704's rules for "backup" copies and discussions in the legislative history of the statute. Although we might have thoughts about what backups mean to us today, I think the text of the statute and the understanding of the terms in 1986 point in a different direction.
And that's related to what makes the legal issue so difficult: There's a big gap between the law Congress actually enacted in 1986 and today's sensibilities. The statute Congress enacted in 1986 was premised on a key distinction between the high privacy protection afforded to e-mails in transit and low privacy protections afforded to contents held by users in the cloud. Thirty-three years later, Congress's 1986 viewpoint seems bizarre. Today we see both of those as equally private.
Indeed, as the Fourth Circuit suggests, today we might see contents stored in the cloud as more private than e-mails in transit. The stuff we store in the cloud is the stuff we want to keep, while a lot of today's e-mail is just junk and spam e-mail. The modern world of 2019 makes it hard to fathom the judgment Congress made in 1986. The result is a strong pressure to stretch terms to avoid what in 2019 seems like an absurd result.
In any event, I hope this isn't the end of the road. Hately seems to leave the law a big mess. It has several different rationales, some of which match some other courts (such as the Ninth Circuit's view that backups can be for the user's benefit); others which are new (such as that every e-mail can be theorized as a sort of backup given how modern e-mail works); and others of which conflict with other courts (such as the Jennings case, itself a splintered decision).
When I have taught this topic in recent years, I have mostly thrown up my hands and just explained the different views and told students courts are divided and there is no clear answer. Hately only adds to the uncertainty. Given that, I hope the Supreme Court will take up the case and finally answer what to do with opened e-mail under the Stored Communications Act.