Appropriate Email Access – Know The Law!
Depending on the configuration of the technology you access, you may unwittingly be characterized as a criminal simply by checking another’s email. Knowing the law can help avoid this unwelcome predicament.
In an instant-on, full-time, communication-aware society, there are many times when a person will not think about what he or she is doing at the moment. Suppose you find a mislaid cell phone. You open it up to see if you can find out whose phone it is. You see that it is linked to the owner’s Exchange email server, so you start the email application to see if you can identify the person by reviewing the emails on the phone. The access credentials are stored in the phone, so you do not have to “hack” into the account. Did you commit a crime? Suppose instead you are getting a divorce, and while visiting your spouse’s house to pick up your children, you see the spouse’s computer logged into a Yahoo account. Do you commit a crime by looking at the computer screen in the already logged-in browser and scrolling through the messages?
Remarkably, the answer in each of these instances can be “yes,” but it often depends on certain facts and, particularly, on how certain email servers and communications devices are configured. The laws regarding unauthorized access to, and interception and use of, electronic communications are very unforgiving. There are primarily two controlling federal laws – the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA). Many states have their own versions of these laws, with varying degrees of difference in treatment.
The principal distinction between the two federal laws is that the ECPA addresses the interception of, and access to, electronic communications, whereas the CFAA addresses unauthorized access to, or exceeding authorized access in respect of, “protected computers.” The example above, where a spouse casually looked at a screen on a computer, does not implicate the CFAA because the spouse did not engage in the acts required to gain unauthorized access to that computer. On the other hand, the emails there are probably stored communications – the spouse’s actions in simply clicking the down arrow to view the next email, which may not have been read, might be sufficient to constitute unauthorized access to that communication (or even unauthorized interception of it). The cell phone example is even more complex because it is not entirely clear whether a cell phone is a “protected computer” – many new cell phones are smart phones and are essentially mini-computers – and so merely pressing the power button could constitute unauthorized access to that protected computer.
These laws are relatively complex, and their provisions also lead the police to take odd legal positions. For example, and in general, the government must have a court order to “intercept” an electronic communication, whereas it needs only a warrant to access a stored communication. In at least one case, the court held that the communication was not a stored communication until it was accessed by the intended recipient – thus, if a person had “checked” their email, the electronic communication would be a stored communication, requiring only a warrant; but if the person had not checked their email, the police would need a court order to “intercept” it. The Justice Department opposes this construction – essentially arguing for less personal protection, so that it can avoid the need for a court order to review email. This is a critical distinction for certain online businesses – for example, service providers. Service providers in general may have a privilege to access “stored” communications, but without express consent, they virtually never have the right to intercept such communications.
To further highlight the issues, now consider the “cloud” – that area in the memory of linked computers where data resides, unfixed in any stored physical location. Does the Stored Communications Act even apply? Arguably it does not, because that email is not “stored” in the sense meant in the statute. If it is not stored, is unauthorized access to it always an interception?
In short, when discussing technology devices and communication devices, how they are configured and used can materially affect which law applies and what exceptions apply to those laws. Online businesses that access or use electronic communications are encouraged to review both their agreements and their underlying technology services and configurations, to optimize the benefit of exemptions and exclusions from the otherwise harsh effects of the ECPA and CFAA.
For more information on this topic, please contact Mike Oliver at 410-583-2400 or Oliver@bowie-jensen.com.