And it’s the Stored Communications Act that sets out the rules. In which situations can these agencies ask for personal data, and what reasonable grounds do they require?
More importantly, when should companies keep the data private and refuse their requests? Because on some occasions, protecting the Fourth Amendment rights of their staff, customers and partners supersedes the guidance of the Stored Communications Act.
At Global Relay, we provide an end-to-end solution to compliant communications, taking nothing more seriously than the security of your data. We're going to walk you through the Stored Communications Act so if you receive a subpoena, you'll know what to do.
What is the Stored Communications Act?
The Stored Communications Act (SCA) is a US-based law that preserves the privacy of an individual's electronic messages, media and documents stored by third parties.
The SCA operates under the wider Electronic Communications Privacy Act (ECPA 1986), which was introduced as the use of computers was on the rise. It aims to balance the nature of privacy in stored electronic communications and accessibility for the government or law enforcement.
The electronic storage law has been updated several times since it was first published, most notably after the 9/11 attacks, and works closely with the Wiretap Act.
What are the provisions of the Stored Communications Act?
There are two different categories of Stored Communications providers which have requirements to protect their data:
- Electronic Communications Services (ECS): covering emails, text messages and social media messages; well-known providers in this category include the likes of Gmail, Snapchat and WhatsApp
- Remote Communications Storage (RCS): including photos, videos and documents stored over the cloud such as Dropbox, Google Drive and Microsoft 365
The rules state that neither group may voluntarily disclose the stored electronic communication data, except in certain approved scenarios.
Exceptions
The first is divulging the customer communications data to the originator, recipient or addressee, with their lawful consent. For example, imagine that Anna has deleted her WhatsApp chat with Kevin, but Kevin decides to sue her. Anna can ask WhatsApp to reveal their conversation in order to provide evidence in her defence.
Another exception is divulging information to an authorised employee of the stored communications provider. It’s therefore key to revoke access to all employees after they stop working for you to prevent misuse of this exception.
Thirdly, information may be divulged in order to protect the service provider in continuing to provide their service. For example, remote computing service providers may have to share information with a supplier in the case of a critical incident to get programs back up and running.
Next, if the contents of the communications were inadvertently obtained by the provider and appear to pertain to a crime, they are obliged to report the evidence to law enforcement. For example, if a service provider suspects that a user is using their platform to commit fraud, they can share the stored communication messages or transactional records that provide evidence of this.
And last, if the provider believes that there is some sort of emergency that will involve danger or death, they must make a disclosure about the communications to the government without delay. For example, if two people are using encrypted WhatsApp communications to share their plans of attacking someone, WhatsApp should report this.
If an authorised party seeks private information?
There are two scenarios where government or law enforcement are able to access stored electronic communications:
| | If the communications have been in storage for less than 180 days | If the communications have been in storage for 180 days or more |
| --- | --- | --- |
| Stored by an Electronic Communications Service | The enforcement team must prove probable cause with a search warrant | The enforcement team must gather either a search warrant, subpoena or court order to access |
| Stored by Remote Communications Service | The enforcement team must gather either a search warrant, subpoena or court order to access | The enforcement team must gather either a search warrant, subpoena or court order to access |
However, it should be noted that the 180 day rule has been criticised as arbitrary and is likely to be reviewed in the future.
The rules of SCA are confusing, even for the government
In the case of Carpenter vs The United States in 2018, the government acquired historical phone records under the authority of a court order. Although the records were supported by specific and arguable facts, with reasonable grounds for material, the court order was later deemed insufficient.
That's because the Fourth Amendment enables an individual to voluntarily provide data and reasonably expect it to be kept private.
Similarly, another court upheld this rule when they ruled that there is a reasonable expectation of privacy in email communications, and a search warrant would be required if the government required access here too. In fact, there are countless examples of record-keeping failures relating to the SCA.
Know your stored communications compliance rules
By understanding the SCA rules inside out, you'll ensure your business can support law enforcement when they require it, and protect the privacy of your customers at all other times.
Getting these rules right could mean the difference between maintaining your stellar reputation and causing mass distrust. Because the fastest way to lose customers is if you’ve shared their private and confidential communications without grounds.
Global Relay solves compliant communications for regulated organizations of all shapes and sizes. Whether you're looking for an intelligent archive or a compliant app, we have a solution for you.