October 16, 2018

Your Private Posts are Less Private Then You Think

Imagine that instead of driving in the newest and latest automobile, you are driving a Model-T on the beltway during non-rush hour.  Instead of zipping along at 70 mph, never mind that the speed limit is 55, you have the pedal pushed to the floor and you are doing 30 mph in the third lane.  If you can imagine the absurdity of that situation then you can imagine the state of the law regarding Internet privacy issues.  In fact, Congress has not passed a single major law addressing the protection of privacy on the Internet since 1986 when it passed the Stored Communications Act (SCA) as part of the Electronic Communications Privacy Act (ECPA) that is intended to restrict disclosure of privacy communications by providers of electronic communications services.  At the time, Congress enacted the SCA, most of what we take for granted about the Internet was not even imaginable.  There was no world wide web, the creators of Google had not even entered college and the founder of Facebook was barely out of diapers.

Nowhere in this area do the problems become more obvious than when a party seeks discovery from a non-party service provider through the issuance of a standard third party subpoena.  Whether and to what extent the subpoena must be complied with may depend on whether the service provider can be classified as an remote computing service, “RCS,” or an electronic computing service, “ECS,” and on whether the information is public or private, distinctions that perhaps only law professors can appreciate.

At the time Congress passed the SCA in 1986, there were generally two types of service providers: (1) those that had the capability to send or receive wire or electronic communications and which, Congress called an “electronic communication service” (ECS) and, (2) those that provided computer storage or processing by means of an electronic communications system and were defined as a “remote computing service” (RCS).  The SCA prohibits ECS providers from knowingly divulging the contents of a communication while in “electronic storage” by that service, which includes those messages that are in storage pending transmission, and any communications stored for purposes of back-up protection

In contrast, RCS providers are prohibited from divulging the content of any electronic communication carried or maintained on its service solely for the purpose of providing storage or computer processing services.  For a number of years the distinction between and ECS and a RCS was largely academic because an ECS generally did not offer the services of a RCS and vice-versa.

However, the distinction between an ECS and a RCS has become blurred.  In particular, social media websites offer traditional ECS services such as email and RCS services such as computer storage.  In other words, a social media website may be both an ECS and an RCS depending on the services provided.  To put it simply, there is no good reason why the degree of protection for information should turn on whether the service provider may be classified as an ECS or a RCS.

For example, in a recent case, defendants issued subpoenas to two non-party social networking service providers, Facebook and MySpace, Inc., and to a non-party Web hosting company that provides webmail services.  The subpoenas sought disclosure of plaintiff’s private e-mail and social networking messages, as well as plaintiff’s MySpace comments and Facebook wall postings.  Plaintiff moved to quash the subpoenas, asserting that they were protected under the SCA.

The Court first found that plaintiff has standing to contest the issuance of the subpoena stating that “an individual has a personal right in information in his or her profile and inbox on a social networking site and his or her webmail inbox in the same way that an individual has a personal right in employment and bank records.  As with bank and employment records, this personal right is sufficient to confer standing to move to quash a subpoena seeking such information.” Crispin v. Christian Audiger, 717 F.Supp.2d 965, 975 (C.D.Cal. 2010).

Next, the court determined the Web hosting company is a ECS provider because it provides webmail, a service that users can access remotely to send and receive e-mail messages.  More importantly, the court also held that Facebook and MySpace are also ECS providers in connection with Facebook’s “wall posting” and MySpace’s “comment posting” services.  The court compared the activities in that regard to private electronic bulletin board services (“BBS”).

The Court’s analysis did not end there.  The court then examined the more difficult question whether the postings constitute electronic storage within the meaning of the statute which necessitates determining whether the providers also act as RCS providers with respect to certain stored communications.  On that point, the court determined that when providers allow users to retain opened messages, the providers become RCS providers.  According to the court, after the message has been delivered, the service is no longer electronic communication, but rather data storage.  Thus, while the court quashed the subpoena with regard to wall postings that were clearly marked private, it remanded the matter to the magistrate judge to develop a fuller record regarding plaintiff’s privacy settings and the extent of access allowed to his Facebook and MySpace comments.

Congress has let far too much time lapse since the passage of the SCA.  Technology has simply bypassed the law, “until Congress brings the laws in line with modern technology, protection of the Internet and websites such as [these] will remain [at best] a confusing and uncertain area of the law.”  Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).