If you’re a SaaS webmaster, it’s not a question of if, but when, a law enforcement official will want a copy of one of your users’ emails archived on your SaaS website. You’re caught between the proverbial rock and a hard place. Critical questions arise: What are your legal obligations, and what are your rights? How do you protect yourself from liability?
Email archived electronically on websites is typically viewed as a potential treasure trove by law enforcement officials looking for evidence.
The pace of requests by law enforcement officials for personal information stored on web servers is best illustrated by the actual experience of Google and Facebook. Google established an online tool showing the frequency of these requests by various countries. It’s been reported that for the first half of 2010, Google had received in excess of 4,000 requests from the United States alone. Newsweek reported that Facebook in 2009 had customer information requests averaging at least 10 per day.
The Electronic Communications Privacy Act
In 1986, Congress passed the Electronic Communications Privacy Act (ECPA) to provide privacy rights for electronic transmissions by telephones, computers, cell phones, and other means of electronic communications.
ECPA made a critical distinction regarding how long electronic communications such as emails are stored. If the emails are stored for less than 180 days, law enforcement must first obtain a search warrant approved by a judge or magistrate prior to gaining access. However, if the emails are stored for more than 180 days, law enforcement is not required to first obtain a search warrant; a simple subpoena from a prosecutor will suffice. Search warrants require a showing of probable cause under the Fourth Amendment’s protection against unreasonable searches and seizures; subpoenas do not.
So, ECPA provides more protection for emails stored for less than 180 days than for emails stored for more than 180 days. While this distinction may have made sense in 1986, prior to commercial use of the Internet, it makes no real sense in today’s cloud computing environment, where electronic storage and archival is relatively inexpensive.
Privacy advocates have long argued that emails deserve the same protection as regular communications such as phone calls and letters.
6th Circuit Weighs In On Search Warrant vs. Subpoena
In December 2010, the 6th Circuit Court of Appeals ruled that the Fourth Amendment protects an individual’s e-mail communications that are stored on a third party’s server against unreasonable search and seizure. The effect of the ruling is that the 180-day distinction made in ECPA no longer holds: emails are protected regardless of the amount of time they are stored or archived.
The court reasoned that phone calls and letters are protected by the Fourth Amendment, and because email is also a communications medium, it would “defy common sense to afford e-mails lesser Fourth Amendment Protection”.
At this time, it’s unknown whether the 6th Circuit ruling will be appealed, and if so, what the outcome will be. Nevertheless, until we know the answers to these questions, to protect yourself from liability, email production should be made only in response to a search warrant and on the advice of counsel.
Also, we don’t yet know whether the decision will extend beyond emails stored on web servers by Internet service providers and SaaS websites to other areas, such as law enforcement demands to turn over employee emails, or what level of protection applies to personal information stored on a web server that is not email.
What about notice to users whose emails are subject to search and seizure? At present there are no laws to guide us. It’s a good idea, however, for SaaS privacy policies to provide for notice to users prior to turning over emails to law enforcement authorities.
As we move inexorably to fully embracing the cloud computing model, what’s needed is for Congress to reform and update ECPA to conform to the 6th Circuit ruling and to provide the additional guidance needed.