Did you think your private correspondence stored by email providers like Google and Yahoo is safe from unauthorized access? Think again… In a devastating blow to privacy and the sanctity of proprietary data, the South Carolina Supreme Court has ruled that such data in not protected by the Stored Communications Act (SCA).
In a landmark decision, the Court ruled that online email services do not fit the definition of “electronic storage” as spelled out by the SCA, and are therefore fair game for hackers and snoops. The decision was handed down last Wednesday in a lawsuit filed against a woman who had surreptitiously gained unauthorized access to an email account belonging to Lee Jennings, the plaintiff in the case.
Under the SCA, electronic storage is defined as “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” and as being “any storage of such communication by an electronic communication service for the purposes of backup protection of such communication”.
The Justices ruled that since the correspondence in the plaintiff’s emails were not created for the purpose of backing up the data, the information does not warrant protection from intrusion under the Act.
“The ordinary meaning of the word ‘backup’ is ‘one that serves as a substitute or support.’ Thus, Congress’s use of ‘backup’ necessarily presupposes the existence of another copy to which this e-mail would serve as a substitute or support. We see no reason to deviate from the plain, everyday meaning of the word ‘backup,’ and conclude that as the single copy of the communication, Jennings’ e-mails could not have been stored for backup protection… We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act,” the Court explained in the ruling.
The Court went on to specify that while an unopened email did qualify as being in the state of “electronic storage,” once the email has been accessed by the recipient, the data is no longer considered protected by the SCA.
“In my view, electronic storage refers only to temporary storage, made in the course of transmission, by an ECS provider, and to backups of such intermediate communications. Under this interpretation, if an e-mail has been received by a recipient’s service provider but has not yet been opened by the recipient, it is in electronic storage,” the Court ruled.
Many privacy and security experts see the decision as being troubling in the least, and potentially flawed in its reasoning, making the ruling susceptible to being overturned by a higher Court at a later date.
“Regarding the court’s decision in this case, it is apparent the judge does not understand technology adequately to determine sound decisions, and that the referenced legal definitions are sorely in need of updating,” attorney and information security expert Rebecca Herold told Security Bistro.
Former White House CIO and online privacy expert Theresa Payton believes that the adaptation of new technologies by the marketplace have far outpaced legislated protections, leaving the Court to try to interpret new mediums in the light of antiquated definitions.
“I’m not a lawyer but I do follow what our legal system has to say when offering protections in cyber space. When someone infringes upon your right to privacy and security in the digital world, many of our laws have not kept up and the court system does its best in deciding how to handle the digital intrusion,” Payton said in an email interview.
Payton notes a contrary decision previously handed down by the federal courts which made headlines during the last presidential election cycle, and which resulted in a conviction for unauthorized access of an email account.
“There was the high profile hacking case of Sarah Palin. Her hacker guessed his way into her account and posted her emails. U.S. District Judge Thomas Phillips convicted him of a misdemeanor charge in accessing Sarah Palin’s e-mail. That was then, this is now,” Payton quipped.
Courts are inherently reactive, and decisions are based on precedent or through new interpretations of the law which can vary greatly depending on the venue, Payton explains. Protections against violations of privacy and security that are proactive in nature can only come from new legislation that specifically addresses the most cutting edge technology available today.
“To the layman it appears to be black and white but it clearly is not. Until we get laws that have caught up with the digital age, we will continue to have court case decisions that will be hard to predict or explain,” Payton concluded.
The decision handed down by the South Carolina Supreme Court in this case leaves an immeasurable volume of data vulnerable to poaching, whether it be correspondence with healthcare providers, legal council, family members, or sensitive business communications that contain proprietary information. The ruling also leaves victims of unauthorized access without a legal remedy should they be the target of an unauthorized intrusion.