Computers, Privacy & the Constitution
-- SarahRogers - 15 May 2008

Email Privacy After Councilman: Addressing the ISP Liability Loophole

Enacted in 1986, the Electronic Communications Privacy Act (ECPA) has remained the preeminent and often exclusive statutory constraint on unauthorized surveillance of email by private parties. One of the major recent cases to interpret the ECPA, U.S. v. Councilman demonstrates the severe failure of this twenty-year-old regime to account for privacy threats posed by current technologies.

The ECPA is divided into two parts: the Wiretap Act, 18 U.S.C. §§ 2510-2522 and the Stored Communications Act (SCA), 18 U.S.C. §§ 2510-2522 [[http://www.usdoj.gov/criminal/cybercrime/usc2701.htm] [18 U.S.C. § 2701-2711]]. The Wiretap Act addresses the “interception” of communications during transmission, while the SCA protects a message “while it is in electronic storage,” i.e., prior to dispatch or following receipt. Because the statutes vary in other important ways, the degree of privacy afforded a communication depends substantially on whether it is being transmitted or being stored at the time that unauthorized access occurs.

The defendant in Councilman was the the Vice President of Interloc, Inc., an Internet portal for retailers of rare and out-of-print books. Interloc located customers interested in purchasing its subscribers’ titles, brokered the ensuing transactions, and also provided booksellers with an email service. An action was filed after customers discovered that Interloc had modified its email server code to intercept and copy any incoming communication which originated competitor Amazon.com. The government charged Councilman with violating the Wiretap Act. However, the First Circuit in Councilman I determined that because the email communications were obtained after they had momentarily come to rest on the recipient server (albeit before registering in the designated inboxes), the messages were “in electronic storage” and, thus, could not have been “intercepted” within the meaning of the Wiretap Act.

Upon a rehearing en banc (Councilman II), the court reversed this ruling and set a productive precedent: the Wiretap Act, it decided, covered communications transiently stored as an incident to the transmission process. Under this interpretation, the “store-and-forward” dynamic by which emails are conveyed across the Internet no longer subjects content to arbitrary, intermittent, varying degrees of protection depending upon the precise moment of capture. While the Councilman II decision therefore represents a step forward for online privacy, it also highlighted a number of gaps that continue to plague the ECPA regime.

First, the Wiretap Act definition of “intercept” should be amended to reflect the First Circuit’s reasoning. This was attempted twice in the Email Privacy Acts of 2004-2005, and enjoyed the rare consensus support of the DOJ, civil libertarians, and privacy advocates alike. However, presumably owing to a dearth of political will, the Wiretap Act remains as it was ambiguously phrased more than two decades ago. The troubling consequence is that the ECPA may colorably countenance any interception of packets that happen to be momentarily at rest. Moreover, even if Councilman II were enacted into law, another major inconsistency would remain.

If it was ambiguous whether the communications in Councilman were “intercepted” or “stored,” then why couldn’t the government simply bring an action under the SCA? The answer that the SCA affords blanket immunity to any conduct authorized “by the person or entity providing a wire or electronic communications service.” [[http://www.law.cornell.edu/uscode/18/usc_sec_18_00002511----000-.html] [2701(c)]]. Councilman subverted his subscribers’ trust in order to gain an anticompetitive commercial advantage—his behavior blatantly offended public policy. Nonetheless, under the SCA, Interloc’s ISP status offered a comprehensive shield. If the First Circuit had not extended the prevailing construction of the Wiretap Act, then Councilman’s actions would not have triggered any federal penalty at all. Moreover, if an ISP wanted to substantively replicate Interloc’s conduct but avoid liability even following Councilman II, it would need only ensure that emails were not intercepted until each “hop” in the transmission process was complete.

One solution that has been proposed would be to modify the SCA ISP liability loophole to create a safe harbor coextensive with the narrower allowance afforded by the Wiretap Act. The Wiretap Act only exempts interceptions which occur in the normal course of business and as a necessary incident to rendering service. [[http://www.law.cornell.edu/uscode/18/usc_sec_18_00002511----000-.html] [§ 2511(2)(a)(i)]]. This would have clearly barred Councilman’s conduct, but it is unclear that such an amendment would go far enough. An ISP faced with the new restriction could simply stress in its Terms and Conditions that the “service” being provided included, for example, the delivery of contextual advertising, or of free bandwidth, content or other resources whose delivery depended inextricably on the ISP’s ability to mine transmitted data for its commercial benefit. The popularity of Gmail indicates that people are happy to bargain away email privacy in exchange for various benefits that the synergistic leveraging of customer data by a provider allegedly affords. The amendment might go further and stress that certain uses of intercepted data—those which were contrary to public policy, for example—would give rise to a lucrative private cause of action for data “abuse.” This would at least impact the risk-return incentive for ISPs, and might cause the public to be more attentive to the erosion of its privacy interests. It would also have the effect of creating a standard that would be difficult for ISPs to circumnavigate contractually. Of course, the approach would also create a number of disadvantages: innovation might be stymied for fear of lawsuits; and, gratuitous, parasitic claims might dog the system, as has occurred under some securities laws.

The fate of the Email Privacy Act also demonstrates that interest group politics do not favor such enactments. Perhaps the judiciary, then, would be a better venue to push for this type of change. The ECPA permits courts to award damages “as appropriate,” and a judge would also have the latitude to dismiss an ISP’s contract argument due to its public policy implications. One thing that is certain is that under the present framework, many ISPs have both the commercial incentive and the legal ability to tamper deleteriously with customer transmissions.

word count: 990

Navigation

Webs Webs

r2 - 23 Jan 2009 - 16:02:39 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM