Managing your inbox: A matter for the FBI?

November 28, 2012

As the “Love Pentagon” scandal has been publicly unfolding, engulfing the careers of former CIA director David Petraeus and threatening that of Gen. John Allen, one of the questions that has emerged is, how did the FBI get access to so many e-mails between private parties?

Obviously, a warrant would probably do the trick, but is it necessary where suspects are sharing information on a shared GMail account?  Some in various corners of the internet have made an argument that the feds don’t have to get a warrant; that draft emails stored on an external server are not ‘electronically stored’ pursuant to the Stored Communications Act and therefore, require only a subpoena, not a warrant.  A recent and popularly-referenced ACLU article on the matter notes:

Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.

Finding documents where the Justice Department specifically argues that draft email is not electronic storage was difficult at first.  But,  the following search delivers interesting results especially from trial court documents:

TI,PR(united-states) and stored-communications-act and draft folder /s isp “internet service provider” server google gmail yahoo

See especially, this 2007 government memo opposing a defendant’s motion to suppress evidence:

Undelivered e-mail stored on a service provider’s servers falls within the scope of “electronic storage,” but delivered e-mail, draft e-mail, and copies of sent e-mail do not. See Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 636 (E.D. Pa. 2001), aff’d in part on other grounds, 352 F.3d 107, 114 (3d Cir. 2004). But see Theofel v. Farey-Jones, 359 F.3d 1066, 1077 (9th Cir.), cert denied, 543 U.S. 813 (2004) (holding that previously accessed e-mail remained in “electronic storage”).

UNITED STATES OF AMERICA, Plaintiff, v. Darren A. FERGUSON, Defendant., 2007 WL 4994374 (D.D.C.)

The government’s understated (but certainly professional) ‘but see’ annotation maybe belies their heart-felt opinion of the Theofel decision as evidenced by the Department of Justice Manual:

Unfortunately, as a result of the Ninth Circuit’s decision in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), there is now a split between two interpretations of “electronic storage”–a traditional narrow interpretation and an expansive interpretation supplied by the Ninth Circuit…As traditionally understood, “electronic storage” refers only to temporary storage made in the course of transmission by a service provider and to backups of such intermediate communications made by the service provider to ensure system integrity. It does not include post-transmission storage of communications. …Essentially, the Ninth Circuit’s reasoning in Theofel confuses “backup protection” with ordinary storage of a file.

Emphasis in the quote above is ours but  Theofel “continues to receive substantial judicial and academic criticism” according to a Georgetown Law Journal article which does an excellent job outlining the Stored Communications Act as it applies to webmail. See William Jeremy Robison, Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act, 98 Geo. L.J. 1195 at 1211.


We also performed a quick search in All Federal materials on WestlawNext regarding the Stored Communication Act’s 180 day rule:

e-mail /250 warrant! /250 180-day

It’s a broad search, but it didn’t return as many cases as we expected. U.S. v. Hart, 2009 WL 2552347, provides a nice synopsis for a starting point in analyzing the relevant law, the Stored Communications Act:

The Stored Communications Act prohibits unauthorized access to certain electronic communications and records, see 18 U.S.C. 2701, and places restrictions on a service provider’s disclosure of its customers’ communications and records, 18 U.S.C. § 2702. See Warshack v. United States, 532 F.3d 521, 523 (6th Cir.2008) (en banc). Pursuant to the Stored Communications Act, the police may—using only an administrative subpoena and without providing any notice to the customer—obtain from a internet service provider such as Yahoo! certain records (as opposed to sent or received communications) associated with a particular account. See 18 U.S .C. § 2703(c). Specifically, the police may obtain a customer’s name, address, and telephone connection records; the length and type of the customer’s service; the customer’s telephone or instrument number or other subscriber number or identity (including any temporarily assigned network address); and the customer’s means and source of payment (including any credit card or bank account number). See 18 U.S.C. § 2703(c)(2). The Act does not require the police to notify the customer that they have requested this type of information. See § 2703(c)(2) and (3).
If the police wish to obtain more than account record information, such as a customer’s electronic communications (e.g., his content-laden email communications, text messages, chat logs) the Act imposes additional requirements. To obtain disclosure of any such electronic communications less than 180 days old, the police must obtain a federal or state warrant and, if they satisfy the warrant requirements, are not required to notify the customer. See 18 U.S.C. §§ 2703(a) and 2705 (limiting its terms to disclosures obtained by means other than a warrant). Communications over 180 days old may also be obtained without any notice to the customer, but also only means of a warrant. See id. at § 2703(b)(A).
 If the police cannot obtain a warrant, or for whatever reason do not wish to obtain one, they still may obtain communications over 180 days old by means of a subpoena or by ex parte court order. See 18 U.S.C. § 2703(b). If the police choose to forego the warrant route, however, the Act requires them to notify the customer that they have requested disclosure of communications associated with his account. See id. at § 2703(b)(1)(B). The police are, however, permitted to delay notice to the customer, but only if the requirements of § 2705 are met.
So there is no requirement that a warrant be obtained for communications that are more than 180-days old, but only if the customer is provided notice.  When that notice must be provided, though, is another question.
 To delay notice pursuant to § 2705, the police must establish that there is reason to believe that prompt notice would cause an “adverse result,” such as the endangerment of a person’s life or physical safety, or any event that would “seriously jeopardize an investigation or delay a trial” (e.g,, the destruction of evidence or intimidation of a witness). See 18 U.S.C. § 2705(a)(2). Even if the police can establish that an “adverse result” would occur if notice were not delayed, they cannot unilaterally choose to delay notice, however, but must obtain permission for the delay either by court order, or, if they choose to use an administrative subpoena, by obtaining a written certification of a supervisory official. See 18 U.S.C. § 2705(a)(1).
U.S. v. Warshak, 631 F.3d 266, also provides a pretty thorough analysis of the relevant law.
For more on the Stored Communications Act, I ran a plain language search on WestlawNext, again in All Federal materials.
Stored Communications Act
In particular, the secondary sources were interesting, highlighting issues ranging from proposed amendments to the legislation, to employee e-mail privacy, to discovery under the Act of information stored on foreign servers.  My personal favorite article title?
“Unfriending the Stored Communications Act: How Technological Advancement and Legislative Inaction Have Rendered Its Protections Obsolete,” 22 DePaul J. Art, Tech. & Intell. Prop. L. 75