The Seventh Circuit decided an interesting Wiretap Act case today that was largely a replay of United States v. Councilman, the First Circuit case that I blogged about here a bunch of times back in 2004 to 2005. In the new case, United States v. Szymuszkiewicz (glad I don’t have to pronounce that one), the panel reached the right result. It agreed with the result of the en banc Councilman decision (if not its precise reasoning, given the curious narrowness of the Councilman decision) that it violates the Wiretap Act to go into someone else’s e-mail account and secretly program it to forward a copy of all of their e-mails to you.
After reaching the right result in this case, Judge Easterbrook then added some dicta in which he argued that other courts had misconstrued the Wiretap Act by imposing a requirement that the Wiretap Act only applies to “real-time” acqusiition and not one-time access to stored contents. Judge Easterbrook is a brilliant guy, but his dicta badly misunderstands the Wiretap Act. Fortunately, Easterbrook’s errors raise some conceptually interesting questions about what leads judges to misread statutes. In particular, I wanted to post on one aspect that is a recurring issue in statutory privacy law: Whether judges can overcome the blinders imposed by the remedial context of the case before them.
To understand the problem, let’s start with the basic structure of the statutory privacy laws. Such laws generally follow the following structure:
1) Anyone who intentionally does privacy-invading thing “X” commits a crime,
2) However, the government can do “X” if it has an appropriate court order based on a certain level of cause, and
3) Victims of “X” have a civil remedy against whoever does “X.”
Because of this structure, statutory privacy laws generally serve three distinct functions all at once: First, they impose criminal punishment for conduct that violates privacy interests (part 1 above); Second, they provide a civil remedy for victims against those who invade privacy interests (part 3 above); and Third, they enact a code of criminal procedure regulating law enforcement investigations by which the government can obtain court orders allowing them to invade privacy interests in appropriate cases (part 2 above).
This structure creates interpretive challenges for courts because judges often have very different instincts when interpreting criminal statutes, civil statutes, and codes of criminal procedure. Sound statutory interpretation requires understanding all of the remedial contexts, and how they work together: Otherwise a judge will confidently interpret the statute based on the assumptions of one remedies scheme in ways that are clearly mistaken (and create very odd result results) in the other contexts.
The civil cases interpreting the Computer Fraud and Abuse Act (18 U.S.C. 1030), which prohibits “unauthorized access” to a computer, demonstrate the problem. In civil cases, computer owners come in to court asking judges to stop people from using their computers in ways the owners don’t like: Judges are very sympathetic to the request, so they are very willing to say that conduct the owner doesn’t like is “unauthorized” and that the behavior has to stop. But the same statute is a criminal statute, too. As a result, the civil cases interpreting the law inadvertently end up criminalizing a great deal of innocent conduct. (The usual rule of interpretation is that precedents from one setting are equally applicable to another setting, so the civil cases apply in the criminal realm.)
This problem is a recurring issue when it comes to understanding how the Wiretap Act applies to the Internet. On one hand, the Wiretap Act is primarily a rule of criminal procedure: The scope of the Act is relevant to thousands of criminal investigations every year. In contrast, there are usually only about 20 criminal prosecutions for wiretapping every year. However, Congress did not include a statutory suppression remedy for violations of the Wiretap Act for computer communications. This creates a really warped dynamic that I explained in this law review article in 2004: Because there is no statutory suppression remedy, there are no cases applying the Wiretap Act in the usual context in which it arises (that of criminal investigations). Thus the scope of the Wiretap Act tends to get litigated in very unusual settings that make it unusually likely that courts will misconstrue the statute.
I think that explains Judge Easterbrook’s dicta in United States v. Szymuszkiewicz. In this part of the opinion, Easterbook has just held that assuming that that the Wiretap Act only applies to real-time monitoring — that is, acqusition contemporaneous with transmission — then the monitoring here was contemporaneous. He then adds that he thinks there is no such requirement in the statute, contrary to what several other circuits have held. Here’s the passage, with my paragraph breaks added:
Decisions articulating such a requirement are thinking football rather than the terms of the statute. There is no timing requirement in the Wiretap Act, and judges ought not add to statutory definitions.
Forget about packet switching and email for a moment, and think about 1968-vintage telephony, with an old-fashioned answering machine containing an old-fashioned tape recorder on the receiver’s end (which is how what today is called “voicemail” used to be set up). Perkins, the phone subscriber with an answering machine, could call his own number and key in a code to have his messages replayed from the tape. Suppose Smith learned the code, called Perkins’s number, and listened to all of the messages on the answering machine. That means of acquiring the contents of a phone call is as effective as placing a “tap” on the phone line outside Perkins’s house, or placing a hidden transmitter on the bottom of Perkins’s phone, and comes within the definition of “interception” in §2510(4) even though the acquisition is not contemporaneous with the message. Under the statute, any acquisition of information using a device is an interception. And if getting access to an answering machine’s contents is an interception, so is getting access to an email inbox’s contents by automated forwarding.
The Stored Communication Act imposes its own penalties for clandestinely accessing information held “in electronic storage.” 18 U.S.C. §2701(a). Playing back the messages on the answering machine would violate the Stored Communications Act—but this does not imply that the activity does not violate the Wiretap Act too. Overlapping criminal statutes are nothing new. The two statutes have different definitions, different penalties, and different provisions for civil suit; they establish different rules for when (if at all) improperly acquired information may be used in court. There is no need to invent “contemporaneity” to keep them apart.
This is all very interesting, but it’s also very wrong. If you look at the Wiretap Act and the Stored Communications Act as codes of criminal procedure — that is, you look at it from the standpoint of how the police must comply with these acts as they obtain evidence — you realize Easterbook’s error.
Let’s start with some history to put it in context. The Wiretap Act was passed in response to Berger v. New York, a Fourth Amendment case that had held that any wiretapping law had to have special privacy protections given the special privacy concerns raised by real-time wiretapping. In its initial passage in 1968, the Act applied then to phone calls — transfers of the human voice — but not computer communications. The initial statute didn’t specify a contemporaneousness requirement in the text of the definition of intercept. But beyond such a requirement it being implicit from Berger, it was explicit in 18 U.S.C. 2518, the provision that governs what the government must do to obtain a court order permitting government wiretapping. The provision is framed in terms of time: To get the order the government’s application must make “a statement of the period of time for which the interception is required to be maintained”; If granted, the court order must specify “the period of time during which such interception is authorized.” These requirements exist because interceptions, being contemporaneous, are things that are maintained over a period of time.
Court decisions recognized this pretty early. The leading early case probably was United States v. Turk, 526 F.2d 654 (5th Cir. 1976). which had facts very similar to Judge Easterbrook’s “1968-vintage telephony” hypothetical. Contra Easterbrook’s analysis, however, Turk held that the playing of a stored recording was not an interception: “Whatever the precise temporal parameters under Title III of an ‘aural acquisition’ (and thus of an interception),” the court wrote, “we conclude that no new and distinct interception occurs when the contents of a communication are revealed through the replaying of a previous recording.
Fast forward to 1986, when Congress passed the Electronic Communications Privacy Act. In the same Act, Congress did two things: It expanded the Wiretap Act to computer communications, and it enacted the Stored Communications Act. By expanding the Wiretap Act to computers, Congress made it a felony to “intercept” a computer communication in “transfer” without a Wiretap Order. Then, in the non-criminal sections of the Stored Communications Act, Congress created a very explicit set of rules for when the government could compel access to stored contents of computer communications. See 18 U.S.C. 2702-05. Congress chose much lower standards for access to the contents of stored computer communications than for the accesses to computer communications under the Wiretap Act. While the Wiretap Act requires a “super warrant” Title III order, Section 2703 permitted the government to compel contents of some e-mails (and other stored electronic communications) with a standard probable cause warrant and other e-mails and communications, such as those stored more than 180 days with a subpoena and prior notice.
Once you see the Wiretap Act and the Stored Communications Act as codes of criminal procedure, you realize the problems with Easterbrook’s effort to reconcile the two statutes. The Wiretap Act makes it a crime for the police to conduct a wiretap without a Wiretap Order. The Stored Communications Act then says that it is lawful for the police to obtain access to stored e-mails with a subpoena or a warrant, without a Wiretap order. But if the two statutes regulate the same activity — that is, if one-time access to stored e-mails is a wiretap — then the two Titles of the same statute are hopelessly in conflict. So read, one part of ECPA makes it a felony crime to do the same thing that another part of ECPA explicitly permits. The two also have conflicting notice requirements: For example, the Wiretap Act requires post-wiretapping notice while the Stored Communications Act explicitly rejects that. If the two statutes apply to the same conduct, which notice provision governs? To avoid concluding that the ECPA is at war with itself, the only plausible way to read ECPA is that the Wiretap Act and the Stored Communications Act regulate different activity: The Wiretap Act applies to contemporaneous acquisition (see Berger, Turk, and 2518) while the Stored Communications Act applies to one-time acquisition.
It doesn’t necessarily look that way if you treat the Wiretap Act as a criminal statute. As Easterbrook says, overlapping criminal statutes are common. But once you look at these statutes in their natural habitat, as codes of criminal procedure, it becomes clear that this common instinct for interpreting criminal statutes can’t apply here. (It doesn’t help that nearly every phrase in Easterbrook’s contrast between the two statutes — his remark that “the two statutes have different definitions, different penalties, and different provisions for civil suit; they establish different rules for when (if at all) improperly acquired information may be used in court” — is incorrect. But this post is long enough.)
PersonFromPorlock says:
“Chumley,” or possibly “strawn.”
September 10, 2010, 7:31 amconrad says:
But Easterbrook has a point, doesn’t he, that the statute just doesn’t have a “contemporaneous” requirement. Maybe that makes the crim pro side tougher. So what? This is what Congress wanted. And surely the conflict you identify (“one part of ECPA makes it a felony crime to do the same thing that another part of ECPA explicitly permits”) can be resolved by looking at which was the later enactment.
September 10, 2010, 7:42 amStephen Lathrop says:
What’s with:
What exactly is that supposed to signal? It doesn’t sound very friendly.
And substantively…
…seems to mean that Kerr just has a preferred outcome, and he’s willing to seize on inconsistencies created by badly drafted laws to get where he wants to go. And where he seems to want to go doesn’t sound very friendly either.
September 10, 2010, 7:44 amDavid M. Nieporent says:
Taking it from a different perspective: can anybody explain a good reason why there should be a difference between real-time interception and access to stored communications, in terms of law enforcement procedure?
September 10, 2010, 8:20 amOrin Kerr says:
David M. Nieporent:
While the Wiretap Act was pending, the U.S. Supreme Court held in Berger v. New York that the U.S. Constitution requires this special treatment in light of the special privacy problems raised by real-time wiretapping. “Few threats to liberty exist which are greater than that posed by the use of eavesdropping devices,” the Court concluded. Now, maybe the Supreme Court was wrong. But the Warren Court was understood to have taken Berger because it knew Congress was considering a wiretap statute: It was widely understood at the time that Berger was the Warren Court’s condition to letting Congress do that. (See Part II of Justice White’s dissent in Berger.)
Stephen Lathrop, after quoting my conclusion:
“FRAUD!!!!” If at some point you have an argument beyond just an unsupported claim of bad faith, do feel free to offer it.
Conrad:
No. The two parts were the two titles of the same bill, ECPA, Pub. L. 99-508, which was enacted into law on October 21, 1986. The one part of ECPA making it a felony crime to wiretap computer communications was Title I, and the second part of ECPA explicitly permitting access to e-mail with a subpoena or regular warrant was Title II. They were passed “contemporaneously,” to borrow a word.
September 10, 2010, 9:08 amSteve says:
I assume it’s like “zuh-musk-a-wits.” Not really that hard!
September 10, 2010, 10:29 amDavid M. Nieporent says:
I appreciate the info, but it’s really a descriptive answer to a normative question. I wasn’t addressing the Szymyzy case you discuss or a question of statutory interpretation; I was addressing either the policy or constitutional issue. Is accessing stored communications, particularly in the current technological era, really less intrusive, less of a threat to liberty?
It’s hard for me to see why listening to my voice mail after I receive it rather than while I receive it (or doing the same for my email) is so much less of a “threat to liberty.” It’s the same content, right? Just time shifted.
Also, while I know you’re generally reluctant to say that the Supreme Court is “wrong” since you generally disclaim broad theories of constitutional interpretation, I don’t see how that’s even a consideration here anyway. Nothing about treating stored communications the same as real-time ones would actually falsify the Berger quote you provide, nor would it constitute overturning Berger to hold that stored communications are equally constitutionally protected. So let’s postulate that the Supreme Court is right, and the SCA is wrong.
(As an aside, your statement that 18 USC 2518 contains an explicit contemporaneousness requirement seems to be a stretch of the word “explicit.” Perhaps your reading is the better reading, particularly given historical context, but it’s not explicit. The rule could be a requirement that the order must specify the time period during which stored communications could be accessed. But assuming that the ECPA actually does make the distinction explicit, that doesn’t change the rest of my questions above.)
September 10, 2010, 11:14 amBrett Turner says:
With real-time interception, the policy is simple: absent consent, interception is wrong.
With access to stored communications, there is a much greater possibility that events outside the communication itself might mean that disclosure is not wrong. In particular, if you do not treat the communication as confidential after you store it, the degree of protection is less. For instance, if you print an email out and leave it in a public place, or save it without a password on a computer to which other persons are allowed access, others may properly read it. The “without authorization” standard of the SCA better focuses attention on the facts other than the communication itself, which are more important for stored communications than for contemporaneous intercepts.
September 10, 2010, 11:35 amOrin Kerr says:
David M. Nieporent,
I didn’t realize you were asking a policy question not a legal question — my apologies.
As for the policy question, the two concerns are particularity and notice. When the government conducts a one-time search, it provides notice and the particularity of the search is a question of physical space. In contrast, real time wiretapping over time does not have the same particularity limitation: If the government can monitor for a lot of time, it is akin to monitoring for a lot of space, without notice.
Brett Turner,
I do not understand your argument. More broadly, when some asks for an explanation, just saying, “that’s simple — it’s just wrong” is just about the least helpful thing you can say.
September 10, 2010, 11:49 amgreg says:
Shi-mush-kya-vich
September 10, 2010, 11:59 amOrin Kerr says:
I should also add that the procedures for real-time wiretapping and one-time stored access are very different. The former involves installing a passive surveillance tool at a particular place and copying traffic that goes by, while the latter involves going to where a copy of the file is located and then running off a copy of it. Even if the two standards for access should be the same, it’s somewhat difficult to regulate these two different procedures with the same statute.
September 10, 2010, 12:03 pmSteve says:
More importantly, Orin, are you learning anything about pronouncing Polish names?
September 10, 2010, 12:11 pmNunzio says:
I had a friend in college who somehow got hold of his girlfriend’s answering maching code and used to retrieve her messages to see if she was cheating on him. (She was).
So it sounds like he violated the Stored Communications Act but not the Wiretap Act.
September 10, 2010, 12:16 pmOrin Kerr says:
Steve,
I’m just glad dad shortened the family name from Kierszkowski to Kerr.
September 10, 2010, 12:16 pmBrett Turner says:
Orin: So you don’t agree that with a stored communication, there is a greater possibility that the protection given by law might be lost because of facts occurring after the communication itself?
You are right that “wrong” was conclusory. But I wasn’t trying to explain or justify the whole policy behind the Wiretap Act and the SCA; I was just drawing attention one specific point, the greater relevance of post-communication conduct to a stored communication.
I admit that I work with the SCA mostly in civil cases, so I am coming at the issue from that vantage point. But the question asked was whether any reason, in any context, justifies different standards for interceptions vs. stored communications. I am arguing that the greater relevance of post-communication conduct justifies applying a different standard to stored communciations.
September 10, 2010, 12:16 pmOrin Kerr says:
Brett,
I do not understand your argument enough to comment on whether I agree with it. (That’s why I wrote, “I do not understand your argument,” instead of something like, “I disagree.”)
September 10, 2010, 12:30 pmKen Arromdee says:
But that provides a loophole where the government requires the provider to save all communications and then looks at the provider’s saved communications. It also allows the government to claim that real-time wiretapping is really a search of stored communications based on the idea that at some point the information is in temporary storage as it travels over the network. From a policy standpoint, it seems like these would be similar threats to privacy as real-time wiretapping.
September 10, 2010, 12:48 pmOrin Kerr says:
Ken,
Drawing the line between the two statutes to avoid loopholes is actually the issue in both this case and Councilman. If you google Kerr councilman amicus brief, you’ll find my effort to draw the line.
September 10, 2010, 12:53 pmBrett Turner says:
Orin: Looking at the explanations you are suggesting for the SCA using a different standard than the Wiretap Act, you are coming at this from a criminal law standpoint, while I am coming at it from a civil law standpoint, so this whole discussion is indeed a good example of the problems caused by having one statute for both civil and criminal cases.
I’m a divorce lawyer, and when I deal with Wiretap Act/SCA issues, it’s almost always in the context of emails or other computer communications as evidence of adultery or financial misconduct. The Wiretap Act says, if there is an interception without consent, the fruits are inadmissible. The SCA says, if stored communication are accessed without authorization, there is civil liability (which in practice tends to deter use of the fruits, even though there is no direct evidentiary exclusion.)
The original poster asked whether the dual standard is good policy. I think it is. My interception cases generally involve use of spyware to grab the email as it comes in, e.g., forward a copy to the installing spouse, or perhaps a key logger. These are fairly simple cases, the fruits usually don’t come in; state court judges just don’t like spyware. E.g., O’Brien v. O’Brien, 899 So.2d 1133 (Fla. 5th DCA 2005).
My SCA cases are much harder, usually involving one spouse reading stored emails. In these cases a lot depends upon where and how the email was stored. E.g, was it stored on the general family computer, was it password-protected, was the other spouse given the password, was a printout left on the kitchen table, etc., and often the emails are admitted. E.g., White v. White, 344 N.J. Super. 211, 781 A.2d 85 (Ch. Div. 2001).
So the dual standard makes sense. Wiretap Act cases depend on facts involving the transmission itself, when and how the material was transmitted. SCA cases depend mostly on how the communication was stored after transmission. “Without authorization” is a broader concept that whether or not there was an “interception,” which better focuses attention on the key factual point: how the communication was stored after it was received. So the difference in standards makes sense to me.
If you still don’t understand, I’ll give it up as the result of a slow Friday and move on.
September 10, 2010, 1:19 pmAnonymous Coward says:
“With access to stored communications, there is a much greater possibility that events outside the communication itself might mean that disclosure is not wrong. In particular, if you do not treat the communication as confidential after you store it, the degree of protection is less.”
It seems like it all comes back to the big question of whether storing your email on your email provider’s server is treating the communication as confidential. But it seems like a circular definition that way: If it would be a violation of the law for anyone to read it there then you have a pretty reasonable expectation that no one (at least no one law abiding) would read it there and it would be confidential. Conversely, if there is no law against e.g. ISP or email provider employees reading all of their customers’ emails then you obviously don’t. But is anyone seriously going to argue that the latter is better policy, or better fits with the expectations of the public?
September 10, 2010, 1:26 pmOrin Kerr says:
Brett,
Thanks for the explanation. You say:
But that is incorrect. There is no suppression remedy in the Wiretap Act for electronic communications; it only exists for wire communications and oral communications. O’Brien suppressed the evidence in state court on a (to my mind bogus) theory that the court had inherent power to say what evidence should be admitted, but that was not the Wiretap Act (or its state equivalent, in the O’Brien case).
Of course, it may be your experience that some state court judges will admit electronic evidence from one-time stored access but not from spyware. But that does not reflect any legislative decisions embodied in federal statutory privacy law, as Congress did not include a statutory suppression remedy in either case.
September 10, 2010, 1:27 pmBruce Boyden says:
This post illustrates why I think we’d be better off if the criminal and civil violations of ECPA, CFAA, etc. were in different statutes. (Or maybe 3 statutes! Hmmm.)
For purposes of setting the historical scene, were there answering machines in 1968? Were they at all prevalent? My impression is that they didn’t really exist before 1980 or so. Turk’s recording was made with a hand-held tape recorder IIRC, which themselves were not that prevalent I think. If not, then I don’t see how an interception by someone who didn’t do the original interception *could* (with some minimal degree of probability) have been non-contemporaneous in 1968.
More broadly, there was a reason why the court went the way it did in Turk, which is that otherwise the number of criminal violations possible starts to get Palsgraf-like. E.g., I video two friends having a conversation at my house (which I don’t participate in). They implicitly consent to me recording them, but they assume it’s just for my own use and don’t consent to anyone else listening to it. I then give the video to other friend X. X watches it without any advance knowledge Y and Z don’t consent to it being shared. Does X commit a felony? X intentionally aurally acquires the conversation from the recording, and the parties to the conversation don’t consent to that acquisition. X has no reason to know that, but that’s only relevant under the “use” and “disclosure” prohibitions, not the interception prohibition (which itself is further evidence that “interception” is not supposed to refer to downstream acquisitions).
September 10, 2010, 1:55 pmFub says:
Old recollection of rules of thumb from a colleague who grew up in a Polish speaking household: “wicz” becomes something closer to “vich” than to “wits”. So “Zuh-musk-a-vich” might be closer.
September 10, 2010, 1:58 pmBrett Turner says:
My error. 18 U.S.C. 2515 does indeed omit electronic communications from the federal evidentiary prohibition. My prior files were under state evidentiary prohibitions, e.g., N.C. Gen. Stat. 15A-294(g); Miss. Code Ann. 41-29-503, which do apply to electronic communications. (“Other” communications in MS, but defined to include electronic).
I agree that O’Brien is long on equity and short on law.
September 10, 2010, 2:09 pmSteve says:
My dad, who is not exactly on the cutting edge of technology, used an answering machine in his business as far back as I can remember… 1974 or so.
September 10, 2010, 3:06 pmCJColucci says:
Let’s have Orin try to pronounce the name after we all buy him a beer.
September 10, 2010, 3:09 pmBruce Boyden says:
Thanks Steve. I come from a family of late adopters, so that probably explains my impression. But I don’t recall other people having them either.
September 10, 2010, 3:52 pmOrin Kerr says:
Bruce,
It’s for this reason that I have argued that the criminal provision of the SCA, Section 2701, should be repealed: It doesn’t cover anything that 1030 doesn’t cover, and its presence just confuses judges.
September 10, 2010, 4:20 pmBrian Thomson says:
Executive agencies operate under a regime whereby classified documents are declassified after 25 years unless they qualify for exceptional treatment.
My answering machine doesn’t have 25-year-old messages on it, but it is not unusual
that the sensitivity of information is time-dependent.
But maybe a more persuasive reason exists when it was the callee who decided to record the message, as in the answering machine case. I find nothing odd in concluding that by doing so he elected to subject it to different protections, just as if he had created a written transcript and locked it in a drawer. Would you require a wiretap order to open the drawer?
September 10, 2010, 5:06 pmBruce Boyden says:
That’s interesting. How did that come about? The statutes are only 2 years apart.
The major difference that I see is that there is no threshold for damages in a civil suit under 2701, and there is a statutory damages remedy. But that could have been taken care of with (yet another) exception under 1030(g).
September 10, 2010, 5:29 pmHasdrubal says:
It seems to me that this case is more similar to wiretapping by your definition: It was an ongoing, passive, automated, clandestine monitoring of all communications going to a certain person. Does it really matter that the monitoring was conducted through computer code instead of a physical device? (Telephone “wiretaps” can be effected through software configurations as well, but I would assume they would be treated as wiretaps in the same way a physical bug would be.) The only real difference here is that it is monitoring email, which is an asynchronous communication method.
Stealing someone’s answering machine password isn’t a very good analogy, what he did was more like attaching a tape recorder to someone else’s answering machine. Though even that fails, with email the only way to “receive a call” is to let the answering machine pick it up, if you’re equating inbox to answering machine. (Would it not be considered wiretapping to only record calls that went to an answering machine, but leave calls that get picked up alone?) The only way I can see a difference between copying emails as they come into someone’s inbox and wiretapping their phone and listening to inbound calls is if email communication as a whole is not considered private.
September 12, 2010, 5:54 amOrin Kerr says:
It seems to me that this case is more similar to wiretapping by your definition.
Yes, that’s correct. That’s why I think the Court was correct to say that this violated the Wiretap Act.
September 12, 2010, 1:42 pmOrin Kerr says:
Bruce,
Sections 2701 and 1030 used to both be very narrow: 2701 was the unauthorized access statute for e-mail servers, and 1030 was the unauthorized access statute for hacking into federal government computers and certain kinds of interstate computer networks. There was little overlap initially. Over time, however, 1030 has expanded to cover every computer in the United States: 2701 is now redundant, as all e-mail servers are protected computers under the expanded version of 1030.
September 12, 2010, 1:46 pm