The Sixth Circuit Affirms Individual Expectation of Privacy in Emails

In a decision that will significantly impact the ability of the government to access electronic communications, the United States Court of Appeals for the Sixth Circuit on June 18, 2007, affirmed a district court’s issuance of a preliminary injunction prohibiting governmental entities from obtaining Internet Service Providers’ (“ISP”) subscribers’ e-mail communications unless the subscriber first receives prior notice and an opportunity to be heard.  Warshak v. United States, No. 06-4092 (6th Cir. 2007). The Court found unconstitutional the Stored Communications Act (“SCA”) provisions allowing Government seizure of such communications without prior subscriber notice, because the court order could be issued without a showing of probable cause that the subscriber had committed a crime. The Sixth Circuit found that individuals have an expectation of privacy regarding the contents of emails sent or stored through an Internet Service Provider (ISP).

The SCA, passed in 1986 as an amendment to the Electronic Communications Privacy Act, contains various provisions regarding “stored wire and electronic communications and transactional records” impacting ISPs’ subscribers’ records and communications. The specific provisions of the SCA at issue in Warshak were sections 2703(b) and (d) and 2705(a). Sections 2703(b) and 2705(a), in pertinent part, allow a governmental entity to obtain the contents of electronic communications that have been stored by an ISP for more than 180 days without notice to the subscriber if obtained by a warrant (which is subject to the usual probable cause standard) and with delayed notice to the subscriber if the governmental entity obtains a court order and the court finds there may be an adverse result from providing notice. Section 2703(d) allows the issuance of court orders when the government has “reasonable grounds to believe” that the communications are pertinent to an active criminal investigation, a less rigorous standard than probable cause.

In Warshak, the U.S. Government directed its order to Plaintiff Steven Warshak’s ISPs to obtain, among other things, his stored e-mail communications in support of its criminal investigation of wire and mail fraud. The Government did not seek e-mails in electronic storage less than 180 days old (which can only be obtained with a warrant). The court order approved delayed notice. After the Government provided the delayed notice, Warshak filed a complaint seeking a preliminary injunction and alleging that the disclosure of his emails without a warrant or notice violated the Fourth Amendment and the SCA. The U.S. District Court for the Southern District of Ohio held that individuals sending emails have an expectation of privacy, and preliminarily enjoined the seizure of emails from an ISP account when an account holder was not given notice and a hearing. The government appealed the district court’s decision.  

On appeal, the Government argued that an SCA court order is akin to a subpoena and therefore probable cause is unnecessary. The Sixth Circuit acknowledged that, for a subpoena to issue, the Government must meet only the lower “reasonableness standard.” However, in reviewing the case law, the court concluded that individuals may challenge a third-party subpoena before disclosure is compelled if they have a “legitimate expectation of privacy” regarding the records at issue. The Warshak court therefore reasoned that, where an email user has an expectation of privacy regarding the email content, the government must meet the more rigorous “probable cause” standard. The court found an expectation of privacy in e-mail communications by analogizing the emails to the surveillance of telephone conversations at issue in Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court of the United States held that the government interception of telephone conversations was a search for Fourth Amendment purposes, and that individuals have a legitimate expectation of privacy regarding the conversations.

The Sixth Circuit made only one modification to the district court’s injunction, adding that, “if the government can show, based on specific facts, that an e-mail account holder has waived his expectation of privacy vis-a-vis the ISP, compelled disclosure of e-mails through notice to the ISP alone would be appropriate.” The Court explained such a waiver requires more than the ISP having some level of monitoring policies in place. For example, an ISP’s terms of use reserving a right of access to e-mail communications for specific, limited purposes, or its use of technological monitoring of e-mails to identify child pornography, would not constitute a waiver by the subscriber. Rather, for a subscriber to waive his expectation of privacy in e-mail communications, the ISP would have to have clear terms of service apparent to the user allowing it to regularly audit, inspect, or monitor subscriber e-mails. The Court analogized the recent Ninth Circuit decision in United States v. Heckenkamp, Nos. 05-10322, 10323, 2007 U.S. App. LEXIS 7806 (9th Cir. Apr. 5, 2007), where a student who connected his computer to the university’s network was held to have a legitimate expectation of privacy regarding his computer files because the university’s monitoring policy was limited in scope. See our discussion of Heckenkamp here. The Court distinguished workplace privacy where an employer explicitly notifies employees of its right to monitor and access e-mail.

The Sixth Circuit’s decision does not affect other provisions of the SCA, including the government’s ability to obtain, without notice, e-mail communications with a warrant and subscriber account information with a warrant, court order or subpoena.

ISP Data Retention Legislation Introduced; ISPs and Privacy Advocates Fear Broad Mandates

Last month, a group of eight Republican lawmakers introduced H.R. 837, the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act 2007. The bill would give the Attorney General very broad authority to enact rules requiring Internet Service Providers (“ISPs”) to retain records so law enforcement could access their customers’ online activities. The ostensible purpose of the bill is to give the Government greater tools to fight child pornography and terrorism. As introduced, however, there is no limitation on the scope of any Attorney General rules as long as they govern ISP record retention. The only substantive guidance the SAFETY Act provides is that the regulations, “at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.” The Act would therefore result in rules requiring ISPs to at least retain logs that associate specific users with specific Internet Protocol (“IP”) addresses.  

New data retention requirements would likely impose major burdens on ISPs. Industry interests argue such requirements are unnecessary as ISPs already cooperate with the Government to combat online child predators and to provide customer identification when required by law. Currently, in many instances, law enforcement obtains user IP addresses from website operators when they suspect illegal behavior. Usually, law enforcement then issues a subpoena to the ISP associated with the IP address to obtain the identity of the user associated with that IP address. Because IP addresses are scarce, they are not permanently assigned to one customer. Instead they are dynamic – reassigned to different users for different on-line sessions. Data retention policies among ISPs differ, but they usually dispose of IP logs when there is no longer a business reason to keep the records. The Electronic Communications Privacy Act ("ECPA") already requires ISPs to preserve records for 90 days upon receipt of a government request, to allow the Government time to obtain a court order.

If the Internet SAFETY Act or similar legislation becomes law, the Attorney General could impose a relatively lengthy record retention requirement. The Department of Justice met with a group of ISPs on February 28, 2007, and discussed a two-year record retention timeframe. Such a timeframe would result in significant new costs for ISPs not only to store data but to keep it in a searchable format. Some speculate that Congress could amend the SAFETY Act or introduce similar legislation that would reimburse ISPs for compliance costs, which might remove some of the industry’s objections to such legislation. In addition, ISPs are also considering the possibility that new rules could expand the records that must be retained to include web browsing logs, contents of communications such as emails and instant messages, and even records of customers’ online keystrokes.

Privacy advocates fear the effects of such a law on personal privacy. In this age of large scale hacking, exemplified by such incidents at Cardsystems Solutions, BJ’s Wholesale Club, DSW, TJ Maxx and others, businesses and privacy advocates alike are coming to understand that destroying data that no longer has a business purpose is one of the best ways to protect consumers’ personal information. Government-mandated data retention increases the likelihood of wrongful access and misuse of ISP records. In addition, such mandates also substantially increase the likelihood of lawful access to ISP records by non-government persons. The larger pool of ISP data creates more information to be accessed by civil litigants using subpoenas in divorce, employment, or intellectual property lawsuits.

The Internet SAFETY Act contains various other provisions, some of which extend beyond just ISPs. For example, there are provisions that:

  • Require most website operators to have a label on any website page with sexually explicit material and to prevent the first accessible page from having sexually explicit material;
  • Prohibit web hosts or email service providers from knowingly facilitating access to child pornography;
  • Prohibit conducting a financial transaction knowing it will facilitate access to child pornography;
  • Increase fines for communications providers who knowingly fail to report child pornography crimes to the National Center for Missing and Exploited Children; and
  • Increase penalties for crimes related to the sexual exploitation of children and child pornography.

Although it was Republican lawmakers who introduced the Internet SAFETY Act, the principle of ISP data retention requirements enjoys bipartisan support. ISPs and privacy advocates will likely be lobbying to defeat, or at least impose some limitations on, the Internet SAFETY Act or similar legislation.