A few weeks ago, I wrote a long post about the First Circuit’s recent wiretapping decision in United States v. Councilman. As I explained in that post, Councilman is a dangerous decision for Internet privacy; a statutory fix to correct the decision is very much needed. The first of several bills attempting such a fix was introduced in Congress last week. The bill is the E-Mail Privacy Act of 2004, introduced by Rep. Jay Inslee. I thought I would take a look at the bill and offer some comments. My basic take is that it is a well-meaning bill, but not a skillful effort to fix the Wiretap Act and solve the Councilman problem. (Warning: The rest of this post is very technical. Instead of writing for a general audience, I’m going to address the post to the much much smaller audience of Wiretap Act geeks out there.)
The bill does two things. The first step is to amend the definition of “intercept” in 18 U.S.C. 2510(4). Here is the current version, with the proposed new language in bold:
“intercept” means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device, and, with respect to an electronic communication, includes the acquisition of the contents of the communication through the use of any electronic, mechanical, or other device, at any point between the point of origin and the point when it is made available to the recipient.
What the drafters are trying to do, I gather, is draft a narrow statutory fix. After all, the surveillance tool used in Councilman was in fact a device that acquired an electronic communication between the point of origin and the point it was made available to its recipient. The drafters were probably thinking that the best fix would be to describe what happened in Councilman and just stick in the language into the statute. In a statute as complicated as the Wiretap Act, however, that approach doesn’t work.
The main reason it doesn’t work is that it introduces a new concept to the Wiretap Act — that of a “point of origin” of an Internet communication and a “point when [a communication] is made available to the recipient” — that is quite unclear. I think it would leave the law in a state of considerable confusion. For example, is this “point of origin” a physical location? Or is it a temporal concept, meaning the time when a communication was sent? Or does the concept mix spatial and temporal notions? Similarly, at what point is a communication made available to its recipient? In the case of an e-mail, is the e-mail made available when it arrives in the recipient’s inbox? What if the recipient’s password has been changed, and he no longer has access to his inbox– is the e-mail made available to the recipient at that point? And how would this apply to Internet telephony, packets that are probably exempted from the amendment because the packets contain bits of phone calls and therefore are wire communications, not electronic communications? Would Councilman continue to apply to VOIP, and if so, why?
But wait; there’s more. What is the point when a communication is made available to its recipient in the case of an Internet communication other than an e-mail? The Councilman case happened to involve e-mail, but the Wiretap Act applies to all “contents” of communications sent on the Internet. Although the precise scope of “contents” is unclear, it almost certainly includes computer commands and quite possibly includes URL search terms. Who or what is the “recipient” of these communications, and when are such communications made available to that recipient? In the case of a person-to-person communication, there is a human sender and receiver that presumably provides the point of reference for the point of origin and availability on receipt. But how to these notions apply to human-to-computer and even computer-to-computer communications? I have no idea.
In light of these questions, I don’t think that this effort to amend 2510(4) is the way to go. There is much better language floating about that would amend 2510(4) much more skillfully (more on that later), and that won’t create so many headaches.
The second part of the Inslee bill is designed to address the broader issue of when ISPs can look through stored files of their customers without violating federal law. This isn’t exactly a Councilman problem from the standpoint of the law, and I don’t have particular views on this part of the bill. At the same time, the proposed amendment is related to the facts of the Councilman case, and is interesting from the standpoint of the privacy rights of Internet users vis-a-vis their ISPs.
The generally accepted view has been that the primary law that protects the privacy of stored user files from unauthorized accesses exempts ISPs that provide the service. That law, 18 U.S.C. 2701, states that that general prohibition on unauthorized access to an ISP does not apply “with respect to conduct authorized . . . by the person or entity providing a wire or electronic communications service.” The idea is that the law regulating when system administrator can look through user files stored on the ISP’s server should be contract law — the Terms of Service that regulate the account — rather than federal criminal law. (A recent 9th Circuit decision arguably rejects this view, but that’s another discussion.)
Inslee’s bill would amend the ISP exception from criminal liability so that it applies only “to the extent [that] the access is a necessary incident to the rendition of the service, the protection of the rights or property of the provider of that service, or compliance with [rules regulating voluntary disclosure in] section 2702.” This language is mostly copied from the Wiretap Act, and would incorporate the standard from the provider exception of 18 U.S.C. 2511(2)(a)(i) — read all about that standard here — from the Wiretap Act to the Stored Communications Act.
The basic gist of the change is that ISPs would only be able to look through user files for legitimate reasons relating to the provision of service, and then only when the particular way that they looked through the files was narrowly tailored to those service needs. Is this a good idea? I don’t know. I assume that ISPs will fight it: they will argue that it is a bit much to have employees risk indictment (and ISPs risk the threat of class action lawsuits) for the particular way that their employees look through files stored on the ISP’s server. On the other hand, the change might not make much difference; the same law allows the consent of a subscriber to exempt the ISP from liability, and ISPs would presumably try to get at least a partial waiver of rights in the Terms of Service if this amendment went forward.
Comments are closed.