Facebook and the Stored Communications Act: What’s protected? (part 1)

September 6, 2011

Facebook Magnifying glassThis is first part in a series on the current state of federal cyberlaw and privacy protections.

Click here for the post on the court ruling requiring a warrant for cell-phone location data.

As many users know, Facebook is continually unveiling new features that allow people to tell their friends where they were, what they did, and what they think.

Considering how many individuals actually use these features on a regular basis, one has to wonder exactly what kind of legal mechanisms are in place to protect this very personal information.

As lightly touched on last week, outdated ones.

The most pertinent federal law on the issue is 1986’s Stored Communications Act (SCA), which was enacted as part of the larger Electronic Communications Privacy Act (ECPA).

The SCA deals with the voluntary and compelled disclosure of “stored wire and electronic communications and transactional records” retained by third-party internet service providers (ISPs).

In addition, it also prohibits ISPs from divulging the contents of electronic communications carried, stored, or maintained by the service.

It should be noted that “ISP” here has a much broader definition than normal.

Instead of simply referring to an organization that provides internet access, “ISP” in the SCA sense means that it provides either one of two very wide services: “electronic communication service” (ECS) or “remote computing service” (RCS).

An ECS is “any service which provides to users thereof the ability to send or receive wire or electronic communications,” while an RCS is publicly-available “computer storage or processing services by means of an electronic communications system.”

Put simply, ECS is email, and RCS is storage.

While the SCA provides different levels of protection for an ECS and an RCS, usually, if a provider offers an ECS, it is also provides an RCS.

This wasn’t typical when the law was enacted in 1986, and subsequently, analyses involving the two usually look at whether a specific message or communication falls into either of the two categories, rather than the service-provider itself.

Unsurprisingly, social media sites such as Facebook and MySpace were found to provide both ECS and RCS.

What does this mean?

In civil matters, a court cannot issue a subpoena to either of the two (or any other social media sites) for the release of communications relating to a third-party (the SCA also has criminal law implications, but they are extensive enough to warrant a separate post).

Nevertheless, Courts can, and often do issue discovery orders compelling a party of a lawsuit to grant an opposing party access to his or her Facebook page.

For example, in the case of Jack v. Jill, Jack can ask the court to force Jill to give him access to her Facebook page, but Jack can’t ask the court to force Facebook to give him access to the same.

Although this difference may seem immaterial, it’s anything but.

Consider this common scenario: in anticipation of litigation, but before the start of discovery, Jill’s attorney instructs her to “clean up” her Facebook page – meaning, delete any and all potentially implicating content.

This information is out of Jack’s reach because of the SCA.

If not for the SCA, Jack could subpoena Facebook and acquire Jill’s unedited information, since Facebook archives all user information (even that which was deleted by the user herself).

So while the Stored Communications Act is outdated, and its authors never contemplated the prevalence of social media, it still is able to offer some privacy protections in civil suits.