E-mail Privacy: Does Your E-mail Take a Pit Stop?
September 2004
According to a recent federal appeals court,
if your e-mail takes a temporary "pit stop" enroute to its recipient, then it
may be intercepted by your Internet service provider without violating the Wiretap
Act.
by Mark J. Becker, Esq.,
edited by Gary E. Clayton
www.privacycg.com
The case of United States v Councilman, 373
F3d 197 (1st Cir 2004), involved Interloc, Inc., an online service for rare
and out-of-print book dealers, which also provided certain subscribers with
an e-mail address and served as an Internet service provider (ISP). At the direction
of former Interloc Vice President Bradford Councilman, an employee wrote computer
code to intercept, copy, and store all incoming e-mails from Amazon.com prior
to the e-mails reaching their intended recipients. Councilman and other employees
read these e-mails to gain intelligence on its competitor. Consequently, Councilman
was charged with violating the federal Wiretap Act.1
Communications "in Transit" versus Communications "in Storage"
The Wiretap Act, which protects the privacy of wire, oral, and electronic
communications from unauthorized interception, was amended in 1986 to include
"electronic communications," such as the Internet and e-mail, with the same
protections from unlawful interception enjoyed by wire and oral communications.
The amendments created separate legal standards for communications intercepted
while "in transit" and electronic communications obtained while "in storage."
Traditionally, communications that are intercepted while in transit, such
as telephone phone calls, are provided with a great deal of legal protection
due to their intrusiveness and vulnerability for abuse. However, stored electronic
communications, which include stored e-mails, financial transactions, medical
records, and pager messages, have less legal protections. For instance, a private
ISP may access and read a subscriber's e-mail messages that are stored in the
user's mailbox, although it may not disclose such contents.
The government does not need to follow the procedures to obtain a wiretap
order from a court, and needs only a warrant to gain access to communications
in storage for the past 180 days and may use only a subpoena (no court approval
needed) for data stored more than 180 days. Unlike communications intercepted
in transit, the target of the investigation is not required to be notified that
the government obtained his/her stored electronic communication.2
Privacy Implications
The 2–1 decision by the U.S. Court for the First Circuit concluded that because
Councilman intercepted his subscribers' e-mail messages while they were in the
company's temporary storage, awaiting to
be delivered to their intended recipients, such conduct was not a violation
of the Wiretap Act since the communication was "in storage" at the time it was
intercepted. The lone dissenter, Judge Lipez, in a 36-page opinion, agreed with
the government that any interception of a message between the time the sender
of an e-mail presses "send" until it reaches the recipient's mailbox, even though
it is temporarily stored along its journey, is subject to the Wiretap Act. This
interpretation, according to the dissent, is consistent with the Congressional
intent of the law and the realities of the digital age.3
The reality is that once an e-mail is sent, it is broken into different "packets,"
then stored for nanoseconds among a variety of computers, while the message
is read and the e-mail is appropriately routed. In addition to the packets,
entire e-mail messages, at certain points along the route, are also placed in
temporary storage as well. These "packetized" transmissions, simultaneously
"in transit" and "in storage" is a fundamental characteristic of most digital
communications, and commonly referred to as "store and forward."4
Accordingly, since most digital transmissions are temporarily stored as they
find their way through the network, other interceptions of digital communications,
not just e-mail, will fall outside the purview of the Wiretap Act and thus receive
a reduced level of privacy protection under the Councilman decision. Judge Lipez aptly notes that the "[g]overnment could install taps
at telephone company switching stations to monitor phone conversations that
are temporarily ‘stored' in electronic routers during transmission," without
complying with the rigorous legal procedures that accompany electronic communications
subject to the Wiretap Act.5
The court's potentially far-reaching interpretation has, not surprisingly,
caused a great deal of concern among privacy advocates, public interest groups,
and the Congress. In fact, a recent New York
Times editorial analogized the logic behind the Councilman decision to permitting a postal worker
to read your letters once they are in your mailbox.6
Congressional Action
Congress has already introduced two bills to address the problems raised
by this decision, the "E-mail Privacy Act of 2004" (H.R. 4956) and the "E-mail
Privacy Protection Act of 2004" (H.R. 4977). Both bills would subject "real-time"
interceptions of electronic communications to the procedures and protections
of the Wiretap Act and ensure that ISPs cannot access and use their customer's
stored e-mail unless it is necessary to provide the service or the subscriber
has provided consent. At the time of this writing, it is not certain as to whether
either of these bills will be acted on this year.
Conclusion
A long-established maxim in the technology sector is that, in effect, "the
law cannot keep up with rapid technological growth." The Councilman decision illustrates that this maxim
is very much alive and that the judicial system must be cognizant of the practical
effect of its decisions as they are presented with an increasing amount of cases
involving complex technologies. This case is now on appeal and will hopefully
be fixed either judicially or legislatively as the courts and Congress continue
to interpret and refine existing laws to reflect our new digital realities.
Mark Becker is a director with Privacy Council, Inc., the global resource for privacy and
data protection services. He is an attorney with experience in the areas of
privacy, telecommunications, and government. Prior to joining Privacy Council,
Inc., Mr. Becker served as the privacy officer for Arbitron Inc., was a director
of regulatory affairs for e.spire Communications, and worked as an attorney
for the Federal Communications Commission. He received his JD from Touro Law
School in Huntington, New York, and his BS from Syracuse University's Newhouse
School of Public Communications in Syracuse, New York. Mr. Becker can be reached
by e-mail at mark.becker@privacycouncil.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.