Jennings v. Broome
- International Privacy Experts Adopt Recommendations for Cross-Border Law Enforcement Requests for Data: The International Working Group on Data Protection in Telecommunications has adopted new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an amicus brief for the US Supreme Court in the Microsoft case. EPIC and a coalition of civil society organizations recently urged the Council of Europe to protect human rights in the proposed revision to the Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Aug. 14, 2018)
- Amazon Echo Secretly Recorded And Disclosed User's Private Conversation: "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices. (May. 24, 2018)
- Supreme Court Vacates Microsoft Email Privacy Case: The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, the Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standard should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections." (Apr. 17, 2018)
- In Supreme Court Brief, EPIC Backs International Privacy Standards: EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Jan. 18, 2018)
- EU Parliament Releases Draft Report on ePrivacy Directive: The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars. (Jun. 19, 2017)
- House to Consider Narrow Update for Communications Privacy Law: Congress is scheduled to consider the "Email Privacy Act" (H.R. 387) next week. The bill passed the House 419-0 last session. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Feb. 3, 2017)
- Google Settles Wiretapping Suit, Shifts Scanning of Gmail Messages to Servers: Google and lawyers for a class of Gmail users have reached a settlement in a case concerning the company's interception of private emails. The 2015 lawsuit accused Google of violating the federal Wiretap Act and California law by surreptitiously scanning Gmail messages for advertising revenue. Google has now agreed "to eliminate any processing of email content" for advertising purposes "prior to the point" when a Gmail user can retrieve email, but scanning of Gmail users (and non-Gmail users) on Google's servers will continue. EPIC recently filed an amicus brief in a related case before the Massachusetts Supreme Court, calling attention to Google's "systematic data mining of millions of private email messages" as a clear violation of the state's Wiretap Act. EPIC has also warned of collusive settlements in consumer privacy cases that enrich lawyers and leave business practices essentially unchanged. (Dec. 15, 2016)
- US Government Loses on Overseas Data Searches: A federal appeals court has ruled that the U.S. government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect “users’ privacy interests in stored communications” not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve trans border data flows. (Jul. 14, 2016)
- House Passes Narrow ECPA Update: The Email Privacy Act of 2016 has passed the House 419-0 The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 27, 2016)
- U.S. Government Sued Over Refusal to Notify Users of E-mail Searches: Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users’ private information, arise in thousands of cases each year. EPIC has supported similar challenges to “gag orders" and has opposed the expansion of “no notice” searches. EPIC has also recommended notice requirements for e-mail searches. (Apr. 14, 2016)
- Whether e-mails stored by an e-mail provider after delivery are in "electronic storage" under the Stored Communications Act
This case involves unauthorized access to an e-mail account arising from a domestic dispute. After Mr. Jennings confessed that he "had fallen in love with someone else," and "admitted the two had been corresponding via e-mail for some time," his wife's daughter-in-law, Holly Broome, gained access to his Yahoo! e-mail account by answering his security questions to obtain his password. When Mr. Jennings discovered that Ms. Broom had accessed his e-mails and shared them with his wife, her attorney, and a private investigator, he brought suit in South Carolina state court. All claims were dismissed by the trial court, but the court of appeals ruled that Mr. Jennings could state a claim against Ms. Broome under the Stored Communications Act, 18 U.S.C. §§ 2701-12, because the e-mails were in "electronic storage" as defined in § 2710(15).
The Supreme Court of South Carolina granted certiorari, and reversed the judgment of the court of appeals. However, the five justices of the South Carolina court did not agree on the proper interpretation of "electronic storage" under the Electronic Communications Privacy Act. The justices wrote three separate opinions, which can be summarized as follows:
- Justice Hearn's opinion found that the definition of "electronic storage" did not cover the e-mails at issue in this case because they were not stored "for the purposes of backup protection." This opinion relies on the "ordinary" definition of the term "backup" - "one that serves as a substitute or support" - and the fact that Mr. Jennings did not make a second copy of his e-mail. As a result, Justice Hearn held that his e-mail could not have been a "backup" and thus was not protected by ECPA.
- Chief Justice Toal's opinion finds that there need not be a second copy in order for the e-mail storage to constitute "backup protection," but that the definition of "electronic storage" only includes temporary, intermediate copies. As a result, Justice Toal found that when "a recipient opens the e-mail" it is no longer in "electronic storage" and thus no longer protected from unauthorized access.
- Justice Pliecones wrote a separate opinion concurring with Chief Justice Toal's opinion, but specifying that the definition of "electronic storage" is disjunctive, rather than conjunctive, and includes either "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof," or "(B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication." 18 U.S.C. § 2510(17)(A). Justice Pleicones found that the e-mails at issue in this case were not in "electronic storage" because they were not copies made by the service provider for backup protection.
Justice Hearn's Opinion of the Court (Joined by Justice Kittredge)
Chief Justice Toal's Concurring Opinion (Joined by Justice Beatty)
Justice Pleicones' Opinion
All three of the South Carolina Justices' opinions conflict with the Ninth Circuit's view in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), that e-mails received and read, and then left on the server instead of being deleted, could be characterized as stored "for the purposes of backup protection" and therefore kept in electronic storage under subsection (B) of 18 U.S.C. § 2510(17). Id. at 1075.
The definition of "electronic storage" is used throughout the Stored Communications Act ("SCA"), and defines the scope of important privacy rights for e-mail users. The SCA prohibits unauthorized access to e-mail and other communications in "electronic storage." See 18 U.S.C. § 2701. The SCA also regulates the voluntary disclosure by service providers of messages in "electronic storage." See 18 U.S.C. § 2702. And finally, the SCA specifies the legal process the government must use to compel disclosure of messages in "electronic storage." See 18 U.S.C. § 2703. The SCA specifies that government must obtain a warrant in order to access an e-mail that has been in "electronic storage" for 180 days or less. See id.
The primary form of electronic communication is e-mail. Unlike at the time the Electronic Communications Privacy Act was passed in 1986, the majority of e-mail is now stored and accessible remotely in cloud-based services. Yet protecting the privacy of e-mail messages, as EPIC has noted in the past, is still one of the core purposes of ECPA. In United States v. Councilman, a case involving a criminal prosecution under the wiretap act for interception of e-mail, EPIC joined leading civil liberties organizations in an amicus brief authored by Professor Orin Kerr. EPIC argued that an e-mail can be simultaneously in "electronic storage" and subject to interception under the Wiretap Act. Several EPIC advisory board members who are technical experts and leading authorities on Internet architecture, e-mail communications, and computer privacy also filed an amicus brief in Councilman, arguing that "ECPA was intended to deal precisely with the improper capture of information by one party that is intended solely for delivery to other(s) . . . ." Senator Patrick Leahy, one of the authors of ECPA, also filed an amicus brief in the case arguing that the definition of "electronic storage" was "designed to distinguish the SCA from ordinary computer crime statutes covering unauthorized system access unrelated to the communications process," and that the definition should not "cast doubt upon Title III's protection of electronic communications" during the transmission phase.
EPIC also filed an amicus brief in Bunnell v. MPAA, a civil wiretap act case involving a question substantially similar to that in Councilman. EPIC's brief argued that Congress added "electronic storage" to the definition of wire communications to expand protections for voicemail, not to lessen protections for stored e-mail.
United States Supreme Supreme Court
- 401 S.C. 1 (2012), cert. denied¸ 133 S. Ct. 1806 (2013).
- Brief Amici Curiae of Nineteen Privacy, Civil Liberties, and Consumer Organizations in Support of Petition for Certiorari
- Petition for Certiorari
- Jennings v. Jennings, __ S.E. 2d ___, 2012 WL 4808545 (S.C. Oct. 10, 2012).
- Supreme Court and Appellate Court Cases
- Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
- Fraser v. Nationwide Mut. Ins. Co, 352 F.3d 107 (3d Cir. 2003)
- Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994)
- Orin S. Kerr, A User's Guide to the Stored Communications Act - And a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1 (2004)
- The Electronic Communications Privacy Act of 1986, S. Rep. No. 99-541, 1986 USCCAN 3555
- Orin Kerr, South Carolina Supreme Court Creates Split With Ninth Circuit on Privacy in Stored E-Mails — and Divides 2-2-1 on the Rationale, SCOTUSblog (Oct. 10, 2012).
South Carolina Supreme Court
Relevant Law Review Articles, Reports, and Books