Sunday, February 26, 2012

Stored Communications Act

In our discussion on data stored in the cloud we need to understand the laws and regulations governing our data. Unfortunately this area of privacy with federal, state and industry regulations is not unified under one encompassing umbrella. In fact it is a broken mosaic with federal and state laws competing against each other. In this blog post I will look at the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA) and how it relates to our Fourth Amendment rights.

A federal statue known as Stored Communications Act governs the privacy of stored Internet communications. The SCA was enacted in 1986 as part of the Electronic Communications Privacy Act.

We need to start with the Fourth Amendment and see why the architecture of the Internet raises puzzling issues for the scope of Fourth Amendment protection. The Fourth Amendment offers strong privacy protections for our homes; it reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

The Fourth Amendment protection is extended to luggage, briefcases, backpacks, purses, opaque bags, and lockers. The important point here is these are all physical objects.

The privacy protection given above is not extended to the Internet. The Internet does not give us a physical “home”, nor really any private space at all. Although we may think of the storage on the Internet space as a “virtual home”, in fact our “virtual home” is just a block of ones and zeroes stored somewhere on somebody else’s computer.

The reasons why privacy protections do not apply to our “virtual homes” in cyberspace are three fold.

  1. The Supreme Court has held that Fourth Amendment does not protect information revealed to third parties.  This is important we in IT do not view http/tcp traffic as being revealed to third parties, however the courts have upheld this belief in more than one case. This is the biggest obstacle for applying Fourth Amendment rights to the Internet.
  2. Fourth Amendment governing grand jury subpoenas offer a second reason why Fourth Amendment has weak privacy protection online.
  3. The third reason is the Fourth Amendment generally offers weak privacy protection online is that most ISPs are private actors.
The SCA tries to fix these issues to help provide privacy. But we need to understand some basic provisions that are in the SCA. The SCA adopts two distinctions of computer services providers. However these distinctions today are not vital in understanding the SCA. Most computer service providers have blurred the lines between the two distinctions by providing cross over services.

The first thing we need to understand is the SCA does not provide any privacy protection for “basic subscriber information” (session logs, IP addresses, etc).

The second thing is privacy of content. This is very frustrating to learn at first but it is the current law. With SCA our takeaways need to be the following.

  • Unretrieved/Unopened communications, including email and voice mail (in electronic storage 180 days or less) the provider is allowed to voluntary disclosed to law enforcement or government.
  • Opened communications, including email and voice mail (in electronic storage more than 180 days) the provider is allowed to voluntary disclosed to law enforcement or government.
  • Other content (including database records, images, music files, etc.) being stored or processed the provider is allowed to voluntary disclosed to law enforcement or government. 

No comments:

Post a Comment