Stanford CIS

Ninth Circuit rules that reliance on an overbroad subpoena to access ISP-held e-mail does not negate ECPA liability if the suib

By Stanford Center for Internet and Society on

Plaintiffs, Wolf and Buckingham, officers of Integrated Capital Associates, Inc (ICA), were embroiled in commercial litigation in New York against defendants, Farey-Jones. During the discovery process, defendants and its attorney (Iryna Kwasny) subpoenaed ICA’S ISP, NetGate for “all copies of e-mails sent or received by anyone at the company”, without limitation as to time or subject matter, and as a result they were given access to339 of ICA’s e-mails, most of them unrelated to the litigation and many privileged and personal. In a separate action, the Court found that the subpoena was massively overbroad and unlawful and that defendants acted in bad faith and showed gross negligence in the crafting of the subpoena. The Court granted motion to squash the subpoena and “socked” defendants with over $9000 in sanctions to cover Wolf and Buckingham’s legal fees. Defendants did not appeal that award.

Plaintiffs filed a civil suit in the United States District Court for the Northern District of California alleging violation of the Stored Communications Act, 18 U.S.C.S Section 2701 et seq., the Wiretap Act, 18 U.S.C.S. Section 2511 et seq., the Computer Fraud and Abuse Act, 18 U.S.C.S. Section 1030, as well as various state laws.

The court had to consider whether the corporation and the attorney violated federal electronic privacy and computer fraud statutes when they used a patently unlawful subpoena to gain access to e-mail stored by the ISP. The District Court dismissed all of the claims on the ground that NetGate had authorized defendants’ access and that their authorization was not coerced, because the subpoena informed NetGate of their right to object. Plaintiffs argue that NetGate’s authorization was nonetheless invalid because the subpoena was patently unlawful and appealed.

The United States Court of Appeals for the Ninth Circuit in April 2003 reversed the District Court’s decision to dismiss the Stored Communications Act claim, affirmed the District Court’s decision to dismiss the claim for violation of the Wiretap Act, reversed with leave to amend the District Court’s decision to dismiss the claims under the Computer Fraud and Abuse Act and finally, reversed the dismissal of the state claims.

a) Stored Communications Act

Section 2701 (a) of the Stored Communications Act provides a civil cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage”. Section 2701 (c) (1) of the Act exempts conduct “authorized by the person or entity providing a wire or electronic communications service”.

Judge Alex Kokinski writing for the Ninth Circuit analogized the case to common law trespass. Like the tort of trespass, the Stored Communications Act protects individuals’ privacy and proprietary interests. Applying trespass doctrine, the Court held that the consent should not be effective “if the defendant knew, or probably of he ought to have known in the exercise of reasonable care, that the consent was mistaken as to the nature and quality of the invasion intended”. In other words, permission to access a stored communication does not constitute a valid authorization if it would defeat a trespass claim in analogous circumstances.

In the tort of trespass doctrine not all deceit vitiates consent. The mistake must extend to the essential character of the act itself, which is to say that which makes it harmful or offensive, rather than to some collateral matter which merely operates as an inducement. The Mistake must be a substantial mistake concerning the nature of the invasion or the extent of the harm. Under this standard, the Court held that NetGate disclosed the sample—which was the subject of the law’s protection-- in response to defendant’s unlawful subpoena. Thus the  mistake by NetGear resulted in the invasion of privacy a lawful subpoena would have prevented.

The test the Court used was whether the defendants “knew or ought to have known in the excise of reasonable care” that the subpoena was unlawful.  Here, the defendants met that standard because they had at least constructive knowledge of the subpoena’s invalidity.  The Court also held that the right to object that NetGate had is not an effective defense because although the Subpoena was not coercive, it was deceptive and that invalidate consent. Alternatively, the defendant argued that the e-mail messages should not have been covered by the Stored Communications Act because they were not in “electronic storage”. Section 2701 of the Act defines “electronic storage” as “a) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and b) any storage of such communication by an electronic communication service for purposes of backup protection of such communication”.

Several courts have held that subsection a) covers e-mail messages stored on an ISP’s server pending delivery to the recipient. Defendants point to these cases and argue that messages remaining on an ISP’s server after delivery no longer fall within the Act’s coverage. The Nine Circuit Court rejected this argument and held that even if such messages are not within the purview of subsection a), they fit within subsection b). This court held that Stored Communications Act covered electronic messages “stored…. for purposes of backup protection”, even after those messages had been delivered to their intended recipients and regardless of whether storage it is intermediary or post-transmission.

b) Wiretap Act

Plaintiffs also alleged a violation of the Wiretap Act which authorizes suit against those who “intentionally intercept any wire, oral or electronic communication”.

Previous cases has stayed that the Act only applies to “acquisition contemporaneous with transmission” and that Congress did not intend for “intercept” to apply to “electronic communications” when those communications are in “electronic storage”. Citing these cases the Nine Circuit affirmed the District Court decision dismissing the claim.

c) Computer Fraud and Abuse Act

Plaintiff also alleged a violation of the Computer Fraud and Abuse Act, which provides in section 1030 a cause of action against individuals who “intentionally accesses a computer without authorization or exceeds authorizes access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication”.

While defendants argued that the Act does not apply to unauthorized access of a third party’s computer, the  Nine Circuit rejected this point finding that individuals other than the computer’s owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it.

However, the Court also held that because plaintiffs have not yet alleged the damages or loss they suffered, it would be premature to consider if the case fall within the Act’s minimum limit of $5000.

d) Noerr-Pennington Doctrine

Defendants also claimed the application of Noerr- Pennington doctrine as a defense to any liability alleged.  The doctrrine exempts petitioning of public authorities from civil liability on First Amendment grounds. The Court rejected the application of this doctrine because defendants were not public authorities.

Supreme Court :
The defendants asked the US Supreme Court to review whether e-mail remaining on the server of an ISP after it has been read continues to be subject to the Stored Communications Act. Supreme Court denied on October 4, 2004 the petition for writ of certiorari.

Published in: Blog , Vol. 2, No. 1 , Packets