TR Daily Court Says Opened Webmail Entitled to SCA Protection
News
Thursday, March 7, 2019

Court Says Opened Webmail Entitled to SCA Protection

A three-judge panel of the U.S. Court of Appeals for the Fourth District (Richmond) has unanimously overturned a district court ruling that opened and delivered e-mails stored on a third-party server do not qualify for “electronic storage” protections against unauthorized access under the Stored Communications Act (SCA).

The case “Patrick Hately v. Dr. David Watts” (case 18-1306) stems from a lawsuit that Patrick Hately brought against Nicole Torrenzano, with whom he has two children, and her lover, David Watts, who used a password Mr. Hately had previously shared with Ms. Torrenzano to access his e-mail account on a web-based e-mail client that Google provides to Blue Ridge Community College. In an initial lawsuit against both individuals, Mr. Hately alleged violations of the federal Computer Fraud and Abuse Act, the SCA, and the Virginia Computer Crimes Act. The trial courts dismissed the claims against Ms. Torrenzano.

In a March 2018 ruling, the U.S. District Court for the Eastern District of Virginia (Alexandria) held that “‘previously opened and delivered emails’ stored “in a web-based email client” were not in protected “electronic storage”’ for purposes of the Stored Communications Act,” Circuit Judge James A. Wynn Jr. wrote in the opinion for the Fourth Circuit dated yesterday.

“The district court also held that Hately’s emails were not protected under the statute because they were not stored by an ‘electronic communication service’ and were not stored ‘for purposes of backup protection,” Judge Wynn noted.

“According to the court, Blue Ridge College was acting, for purposes of the Stored Communications Act, as a ‘remote computing service’ — not as an ‘electronic communication service’ — because the emails Watts accessed were ‘service copies’ maintained by Blue Ridge College ‘for the purposes of transmitting them to a single user’s account upon that user’s command.’ … Furthermore, the emails were not stored for purposes of backup protection because, the court maintained, they were stored for Hately’s backup purposes rather than Blue Ridge College’s ‘own backup or administrative purposes,” Judge Wynn continued.

Judge Wynn noted that Congress adopted the SCA in the wake of a report by the Office of Technology Assessment that “emphasized the lack of legal protection for email,” citing electronic storage in an electronic mailbox as one of the points of vulnerability.

“Section 2701 of the Stored Communications Act — under which Hately seeks relief — criminalizes and provides a private civil cause of action against anyone who ‘intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system[,]’” Judge Wynn wrote.

The SCA includes “any storage of such communication by an electronic communication service for purposes of backup protection of such communication” in its definition of electronic storage. Judge Wynn noted that Congress indicated in the House Report on the bill that became the SCA that “it intended for courts to construe the meaning of ‘storage’ broadly, stating that it did not intend to limit the term to particular mediums, forms, or locations.”

“In light of the ordinary meaning of storage and Congress’s intent that the term be interpreted broadly, we agree with the Ninth Circuit that ‘prior access is irrelevant’ to whether an email is in ‘storage,’ …—i.e., ‘reserved for future use’ or available to ‘be obtained as needed.’ When a user of a web-based email client, like Hately, opens a message and then chooses not to delete the message after he reads it, the message remains ‘reserved’ on the host server for ‘future use’ — i.e., in the event the user needs to view the message again,” Judge Wynn continued.

“Regardless of whether Hately had previously opened and accessed his web-based emails, those emails were nevertheless ‘reserved for future use’ by the Blue Ridge College email host in the event that Hately would need to access them in the future. Accordingly, Hately’s emails were in ‘storage’ within the meaning of Subsection (B),” the judge wrote.

The appeals court also overruled the district court in its view that the webmail service was a remote computing service, not an electronic communication service.

As for whether the e-mails in question were maintained for backup purpose, Judge Wynn said that “the purpose of the web-based email service in providing storage for the message — storage that is a feature of the product the web-based email service offers — is to afford the user a place to store messages the user does not want destroyed.”

The appeals court also said the district court erred in dismissing Mr. Hately’s claims under the Virginia Computer Crimes Act because it improperly applied the doctrine of collateral estoppel and it “incorrectly determined that he failed to plausibly allege injury to person or property.”

The appeals court “reverse[d] the district court’s dismissals of Hately’s Virginia Computer Crimes Act and Stored Communications Act claims and remand[ed] the case to the district court for further proceedings consistent with this opinion.”

Judge Wynn was joined in the opinion by Chief Judge Roger L. Gregory and Circuit Judge Diana Gibbon Motz.

In a statement, Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology, which had joined in an amici brief in support of Mr. Hately, said, “This is an important victory for privacy. A contrary ruling would have meant that spam emails nobody opens are better protected from government access than sensitive, personal messages you open and save.”

“The court cut through the haze, accounted for the intent of Congress to protect privacy, and reached the right decision,” Mr. Nojeim added.

Kevin Bankston, director of New America’s Open Technology Institute, which joined in the amici brief with CDT and the Electronic Frontier Foundation, said that the Fourth Circuit’s decision “clarifies an important and long-standing question about the scope of the protections under the Stored Communications Act. The court recognized that emails stored with an online web-based email service fall under the highest protections of the Stored Communications Act, and that the intent of Congress in passing the SCA was to protect data stored in just such a way. This decision is a victory for every American who uses the convenience and security of online services to store their data.” —Lynn Stanton, [email protected]

MainStory:

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More