Monday, December 24, 2012

Data and Text on Cell Phone Not Protected by Stored Communications Act #ECPA

Case: Garcia v. City of Laredo, Court of Appeals, 5th Circuit 2012

Issue:  Are data and text stored on a personal cell phone protected by the Stored Communications Act?

18 USC § 2701 Access: (a) Offense.- Except as provided in subsection (c) of this section whoever-
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
Question:  Is a cell phone a "facility" as defined under the SCA?

The Eleventh Circuit's decision in United States v. Steiger provides useful guidance. 318 F.3d 1039, 1049 (11th Cir. 2003). In Steiger, when a hacker accessed an individual's computer and obtained information saved to his hard drive, the court held such conduct was beyond the reach of the SCA. Id. The court found that "the SCA clearly applies . . . to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system," but does not, however, "appear to apply to the source's hacking into Steiger's computer to download images and identifying information stored on his hard-drive." Id. It noted that "the SCA may apply to the extent the source accessed and retrieved any information stored with Steiger's Internet service provider." Id. (emphasis added).
A number of district courts that have considered this question have also concluded that "the relevant `facilities' that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage." Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11-cv-01073, 2012 WL 3862209, at *9 (S. D. Ohio Sept. 5, 2012) (emphasis added). Recently, the Northern District of California held that a class of iPhone plaintiffs had no claim under the SCA because their iPhones did not "constitute `facilit[ies] through which an electronic communication service is provided.'" In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057-58 (N.D. Cal. 2012).[5]
Thus these courts agree that a "home computer of an end user is not protected by the SCA." Kerr, supra, at 1215 (footnote omitted). As explained by Orin Kerr in his widely cited law review article, the words of the statute were carefully chosen: "[T]he statute envisions a provider (the ISP or other network service provider) and a user (the individual with an account with the provider), with the user's communications in the possession of the provider." Id. at 1215 n.47 (emphasis added) (citation omitted).
This reading of the statute is consistent with legislative history, as "Sen. Rep. No. 99-541 (1986)'s entire discussion of [the SCA] deals only with facilities operated by electronic communications services such as `electronic bulletin boards' and `computer mail facilit[ies],' and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users' computers . . . ." In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512 (S.D.N.Y. 2001) (quoting S. REP. No. 99-541, at 36, reprinted in 1986 U.S.C.C.A.N. 3555, 3590).

No comments: