Tuesday, October 12, 2010

In Which We Learn That an Email Stored on a Laptop is not in "Electronic Storage"

What is it about former-boyfriends or girlfriends and hacking into the ex's email account? There is a growing litany of caselaw developing in this area (would make a good law review article somebody!).

Today we review Thompson v. Kaczmarek, No. 2:10-cv-479 (Sept. 30, 2010). In the words of the court, the relationship between the Plaintiff and the Defendant "deteriorated." Defendant got her hands on Plaintiff's laptop and "became intent on embarrassing [Plaintiff] in revenge." Defendant allegedly turned over the alleged laptop to nefarious dudes with the skill to hack into the hard drive and retrieve allegedly embarrassing emails. Plaintiff sued them all.

As per normal, we are particularly interested in the causes of action based on federal law; in this case Plaintiff claimed that Defendants violated the Stored Communications Act (SCA).

I always struggle with the SCA and ECPA –doesn’t the SCA apply to email somehow magically in transit – and once you have downloaded the email to your own machine, whatever happens to that email is of no concern of ECPA/SCA? If accessing stuff on the Plaintiff's machine caused some type of consternation, wouldn’t that be more of a Computer Fraud and Abuse Act claim?

Let's go to the video tape and find out.

Before the Court is Defendant's Rule 12(b)(6) Motion to Dismiss for failure to state an SCA claim upon which relief can be granted. "[T]he question before the Court is whether the unauthorized access of previously received electronic mail messages ("e-mail") that had been downloaded by the recipient and saved to the hard drive of his personal laptop computer violates the Stored Communications Act." For purposes of this motion, Defendants assume "that Plaintiff did not provide them with authority to access the data saved to the laptop hard drive." The problem, Defendants argue, is that even if the access were unauthorized, this is not a situation covered by the SCA.

The relevant portion of the SCA 18 U.S.C. § 2701 states


(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Once an email has been downloaded and saved to a person's laptop, the electronic communication (the email) is no longer in electronic storage at the electronic communications service.

Okay, a few definitions.

"The SCA defines electronic storage as either a) 'any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof', and b) 'any storage of such communication by an electronic communications service for purposes of backup protection of such communication.' 18 U.S.C. § 2510(17); see also 18 U.S.C. § 2711(1) (providing that terms defined in § 2510 apply to Title II of ECPA)." The SCA is anticipating the brief, temporary, temporal storage that is involved in electronic, store-and-forward communications. It is when the email is stored on the email server. It is when the email is stored in transit. It is not after it has been received, read, and saved. It is not when the email is on Plaintiff's laptop.

Next, “'electronic communications system' means any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications." 18 U.S.C. § 2510(14). In other word, this is a service in the business of communications – not an end user. Even if Plaintiff wants to claim that the act of backing up his email makes him a "facility," it does not, concludes the court, make him an "electronic communications service."

Defendants' Motion to Dismiss Plaintiff's SCA Cause of Action is granted.

This time the allegedly hacking romantic ex-partner wins. See Global Policy Partners, Inc. v. Yessin, (EDVa Nov. 24, 2009) where the hacking-ex-partner loses. Plaintiff did not apparently raise a Computer Fraud and Abuse Act cause of action. Would the outcome have been different under the CFAA?