Sophos Cloud Optix
In the US, the South Carolina Supreme Court has decreed that email stored in Google, Yahoo or any other web service isn’t “electronic storage” and therefore isn’t protected by the Stored Communications Act.
In a decision handed down on Wednesday, the court said [PDF]) that a man who sued over a woman hacking into his Yahoo Mail account is out of luck, given that his email doesn’t constitute a backup and wasn’t created by his ISP for the purpose of creating a duplicate file.
Hence, his email doesn’t warrant protection under the SCA, which under the United States Code defines “electronic storage” as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.
Justices Kaye G. Hearn and John W. Kittredge wrote that because the man, respondent Lee Jennings, had no other copies of his Yahoo email, they couldn't possibly constitute a backup as outlined in clause B.
The two judges wrote:
"We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act."
"The ordinary meaning of the word 'backup' is 'one that serves as a substitute or support.' Thus, Congress's use of 'backup' necessarily presupposes the existence of another copy to which this e-mail would serve as a substitute or support. We see no reason to deviate from the plain, everyday meaning of the word 'backup,' and conclude that as the single copy of the communication, Jennings' e-mails could not have been stored for backup protection."
For her part, Chief Justice Jean Hoefer Toal, with Justice Donald Beatty concurring, said that Jennings' email stopped being a 'backup' after its recipient opened them:
"In my view, electronic storage refers only to temporary storage, made in the course of transmission, by an ECS provider, and to backups of such intermediate communications. Under this interpretation, if an e-mail has been received by a recipient's service provider but has not yet been opened by the recipient, it is in electronic storage."
The case came about after Jennings' wife, Gail, found a card for flowers for Jennings' paramour in his car. When Gail confronted him, he confessed he had fallen in love with another woman.
Jennings refused to identify his lover but admitted they had been corresponding via email for some time.
Gail confided in her daughter-in-law, Holly Broome, who had previously worked for Jennings and knew he had a personal Yahoo account.
Broome hacked into his account by correctly guessing answers to his security questions. She read the emails between the two lovers, printed out copies and handed them over to Gail's lawyer and to a private investigator Gail had hired.
Earlier court rulings found that the emails at issue were in "electronic storage", thus protected under the SCA. Wednesday's ruling reversed that decision, agreeing with Broome's earlier contention that the court had misunderstood the definition of "electronic storage" under the Act and incorrectly concluded the e-mails had been stored for the purpose of backup protection.
The case, as well as our expectations that email won't be hoovered up like so many dust bunnies, turns on an acrobatically convoluted definition of the term "backup".
Previous court decisions have held that opened email that's kept in your online inbox, be it in Yahoo, Gmail or whatever other web service you use, is kept there for backup.
But in this case, Jennings v. Jennings, the judges dived into Merriam-Webster's dictionary for a definition of the word.
Regardless of what that dictionary says, it seems darn clear to me that if people aren't deleting their email, they obviously want to store it for possible future reference.
Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University, holds the same opinion, as he told Ars Technica:
"All of the discussions regarding backups, temporary copies, and the read/unread distinction seem to have very little to do with the way that most people perceive their use of e-mail."
Hartzog said that a "politically palatable" update to the SCA hasn't yet been achieved.
At any rate, there's still hope for Jennings, he told Ars, given that Broome could still be found liable under the Computer Fraud and Abuse Act.
Turning to a dictionary for a definition of a word such as "backup" is a time-honored way to supposedly win an argument, as the court did in this case.
But this pedantic tactic of treating a dictionary as sacred gospel ignores the fact that dictionaries morph, sag and lag behind current usage. After all, if they were in fact sacred documents, there would be no need for more than one dictionary.
I refer you here to David Foster Wallace's brilliant 2001 review of Oxford University Press's then-recent release of Bryan A. Garner's A Dictionary of Modern American Usage, in which Foster Wallace illustrates the point:
Did you know that probing the seamy underbelly of U.S. lexicography reveals ideological strife and controversy and intrigue and nastiness and fervor on a nearly hanging-chad scale? For instance, did you know that some modern dictionaries are notoriously liberal and others notoriously conservative, and that certain conservative dictionaries were actually conceived and designed as corrective responses to the "corruption" and "permissiveness" of certain liberal dictionaries? That the oligarchic device of having a special "Distinguished Usage Panel ... of outstanding professional speakers and writers" is an attempted compromise between the forces of egalitarianism and traditionalism in English, but that most linguistic liberals dismiss the Usage Panel as mere sham-populism? Did you know that U.S. lexicography even had a seamy underbelly?
If the court wants to determine the meaning of the word "backup" as it pertains to actual usage, by real, live, breathing, email-using humans, as opposed to deriving meaning from an arbitrary dictionary definition, I'd suggest that judges survey real, live, breathing humans, many of whom, I predict, would deliver the unsurprising news that they don't delete their cloud messages because they're storing them for backup purposes - backup meaning, in this case, "I don't want to delete this yet."
Not that we should trust the cloud to protect our precious documents, mind you.
One incident that made this clear was when US feds told Megaupload users to choose between paying for the forensic expertise to dig out their seized files, or suing Megaupload or its server farm to get them.
No, we shouldn't trust the cloud. But in default of doing anything to further protect our content - namely, backing it up - we do.
And lo, I come across this piece on Lifehacker about Dashlane Courier's new service for sending private, encrypted notes that self-destruct after being read.
Could that be a solution? Are such emails truly deleted forever, beyond the reach of the courts?
If you're familiar with this type of service, please share your thoughts below.
Until and unless the courts apply the Computer Fraud and Abuse Act or other privacy-protecting measures in cases such as this one, it would be nice to have an alternative email solution, for when we really, really don't want email to be read by lawyers and judges.
Woman at desk, shocked woman and email screen courtesy of Shutterstock
There are so many practical 'take-aways' to this story. Here's mine:
Men, listen up! A woman scorned is your worst nightmare. And if the woman you have scorned has friends, well… you've just ticked off a whole lot of ladies. And if some of those angry ladies have been observing you for a while and know personal things about you, be warned. You can run, but you can't hide. LOL Thank you, Lisa.
I think an email should be treated the same way as a letter in your mail box. Tamper with it, and go to jail.
Yeh’, placed in an envelope…
http://www.youtube.com/view_play_list?p=C12354D2D…
How stupid are these Judges. very. all data should be protected irrespective of its contents.
The responsibility of the judges is to apply the correct interpretation of what the lawmakers intended at the time they draughted the legislation. The correct interpretation, by convention, lies somewhere above a general expectation that the legislators meant well but does not necessarily reach to taking their words literally.
A judge may have an entirely reasonable opinion as to what would, ordinarily, be fair and just, but he is not free to impose it; justice would be arbitrary, if he were.
The legislation discussed here appears concerned with intercepting transmissions. (If you got hold of my mail and read the letters before they were delivered to me, that would be interception; if you broke into my home and read one lying open on my desk, it wouldn't be.)
(17) (A) is clearly referring to the temporary holding (e.g. in a router's RAM) of information whilst it is being conveyed from place to place. It is not unreasonable, therefore, to take the "backup", in (17) (B), as being a back-up for the temporary storage of (17) (A) or against some failure during the conveyance.
Where (17) (B) refers to the "purposes of backup protection", it is not easy to argue that the "purposes" being served are other than those of the "electronic communication service". The "electronic communication service" had been defined, at (15) as "any service which provides to users thereof the ability to send or receive wire or electronic communications". Once a message is in my in-box, it's no longer dependent on the "electronic communication service", and any back-up of the message would serve no purpose for service. (If I'm using web mail, I will become dependent upon another "electronic communication service" when I wish to read the message by having an HTML representation of its text transmitted to my browser.)
I think the case was decided by how the data was stored, not what the contents were.
This points out the concern I've had for many years here in the USA as our legislation lags behind the technology. The definitions of these things can divert the legal or illegal direction by the term of some item that the legislators may not even be aware when the law was written. With cloud technology being so widespread, it must be taken into consideration as being a valid 'storage' location even if not dubbed a 'backup'. Of course the definitions are the defining part of the case, but in this case it's still a private communication no matter how or why it's stored or whether the user has a current copy on their machine as with cloud technology, it's why you don't have it on your machine!
If you have nothing to hide, you'll have nothing to fear.
Please then Rick, paste your email address and your password.
"If you have nothing to hide, you'll have nothing to fear. "
Yeah…I love that argument. It's often put forth by people who have never been victims of a malicious lawsuit, in which every document they own is potentially exposed to the risk of subpoena in the discovery phase.
It’s such stupid decisions as this one in South Carolina that sets just one more legal precedent in support of the ongoing onslaught against privacy. And if you think that I think the court's decision is stupid because I approve of some scumbag cheating on his wife, guess again. That's a separate issue.
The point is not whether you have something to hide. The point is whether your private communications are anyone else's business. If you've never been afflicted by all the ways in which scoundrels can manipulate the court system into making your affairs their business, you have a lot to learn about the way things actually work in the upside down world of state "justice".
Alas, things just got more upside down.
Please read:
Daniel J. Solove (George Washington University Law School) ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy.
https://papers.ssrn.com/sol3/papers.cfm?abstract_…
https://papers.ssrn.com/sol3/papers.cfm?abstract_…
Rick,
You might be right in your case but privacy? When account was open with mails provider, it was tight security and later on have started meshing………. there are feelings-relationships and what not on mail; how a person allow to entertain for spoiling for no reason?
I feel it is not fair…………………judgement should be re-considered and to be amended, if not how to keep faith in system?
This term is often used by the ignorant…
Megaupload is banned in countries that depend on USA main lines. But in china for example it is still live under different domains. Therefore those looking for their files need to contact data brokers in china to retrieve their files and send to them.
About the mail box such as yahoo and gmail, as long as you cannot have the right to it’s mailbox policy then the judge is correct. In any moment you may lose your mailbox account. Free account is not your right to keep account.
I expect that the problem is not in the definition of a singe word – "backup" in this case – but rather in attempting to apply a static law to something as flluid and dynamic as technology.
In the present case, the Supremes were right. The original data is kept on the server as the primay, and whatever scheme Yahoo! has for making an additional copy of that data is the backup.
What is needed is a law that will provide for the privacy of the primary data. Regardless of whether that primary data is kept on a personal computer (as is generally the case with POP email) or on a cloud server (as is generally the case with IMAP email) or on a corporate server (as with Exchange, etc.)
Guy Briggs claimed, "In the present case, the Supremes were right."
I am not a lawyer, and my only knowledge of this case and the particular act cited are what Lisa wrote up in this article. However, based on the facts as presented here, it appears that the justices failed to make a careful, wise, and accurate decision.
"(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and…"
Isn't that an accurate description of e-mail? Someone sends you an electronic message, but since the sender can't transmit it directly into your brain, your mail provider's server (and anywhere else your message travels between the sender and the recipient) is a "temporary" and "intermediate storage" of the electronic communication.
"…(B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication."
A copy of an e-mail stored on an e-mail provider's server is not, in fact, the original. The original was written on the sender's system. Since then, it has been modified (headers have been added) and now this copy is what's actually being stored on the e-mail server. Even by the strict and limited definition of a backup cited by Hearn and Kittredge, this copy "serves as a substitute or support" because it substitutes the original that was transmitted by the sender. This "substitute" copy is being stored and "protected" until the intended recipient can read it.
Justices Hearn and Kittredge said, "We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act."
This is utter nonsense.
After the intended recipient has read the e-mail, the copy residing on the server most certainly constitutes a backup, because then the contents of the e-mail are presumably stored in the recipient's brain (and/or perhaps printed or saved to a local hard drive), so the copy on the server is a backup (or a "support" by the definition Hearn and Kittredge used) in case the user wants to retrieve it again to recall its exact contents.
As Lisa points out in the article, the very fact that the e-mail wasn't deleted after being read is evidence that the recipient intended to keep a copy stored on the server as a backup.
In short, based on the facts as presented in this article, it would seem that the justices failed spectacularly.
I totally agree Guy. The answer had to be based upon the law, if the law isn't written properly then change the damn thing but it is up to the courts to follow the law and read it sideways to make it do what they want. The main server isn't a backup, your backup is the backup! Everyone trying to bend the definition to say the active account is a backup is as silly as how poorly this law is worded, but then maybe this law is just being misapplied and the intent was only to cover what it stated.
Sounds great to 'change the damn thing!' and I agree, but there are so many laws, at least here in the US that there is not time for them to go over what used to be and correct it. They need to target an item, such as e-mail, and then write a useful law that applies to that part. If they would zoom in and specify they could do this in a way that may work for many years. Too bad that isn't what happens in the real world. They also can't leave it in an open ended mode such as 'unless this changes' or they will always have an appeal going. I do think they need to move to a data model that all data is personal, no matter who owns it and just require a judge to issue a search warrant. Will it tie the hands, yes to some extent, but it will move the public to a more protected position and not let the government just mine for fishing purposes. It is obvious that that is what the FBI is wishing and we must not give them. As much as I wish to stop crime, don't open the doors!
It is definitely ridiculous that the laws do not protect the primary storage.
What about with pop3 accounts? I use outlook as my primary email interface, and check the box to "leave a copy of the message on the server". That is my backup for my email. My primary storage is in outlook.
Again, this is because the legislation is far behind the actual technology. By the time they do a pop3 legislation it won't be used anymore! They need a more dynamic approach and make all data private then let them worry about getting a warrant. This is the best way to stop general data mining and it's associated fishing expedition.
While the 4th Amendment may be lacking content to properly deal with the digital age when it comes to privacy and protection "against unreasonable searches and seizures…," one would think that user authentication requirements, at the very least, establish a basis for "reasonable expectation of privacy." Granted, however, this was about the Stored Communications Act.
Regarding "Broome hacked into his account by correctly guessing answers to his security questions," I always tell people to never, never, never enter the true answers to these so-called "security" questions! Broome has proved part of my reasoning behind this.
Either way, big brother is growing and loving the rate that all those databases (be they Facebook, Google, Yahoo or whatever) are aggregating all the "bits" of our lives, activities, and thoughts.
Now where did I put my abacus?
So how does the court skirt the Federal Regulations on Civil Procedures (Dec. 2006) that says all emails, communications, files, directives and requests that may be relevant to a current or future litigation cannot simply be deleted or overwritten. The data must be produced if a court asks for it and thus it must be archived, because that's the law. Does this meant that the law has been overturned?
My take from this is: Don't use simple secret answers. In my case I actually use other passwords for secret answers. So even if the question is "What was your childhood dog's name?", the answer would be a secondary password.
Rename your inbox to "backup"?
Awesome! So it's okay if I read the emails of these Judges, all the emails of Congress, the President, Vice President, etc, as long as I don't read the "backup" copy. Cool.
As long as it does not compromise national security, allow you to absorb intellectual property, or allow you to do insider trading, I guess it's OK.
So I have my email available and downloaded to my android phone…So in the definition of this law all my mail in my google account will be seen as a 'backup'?
Does this mean I get to dig through the judges’ email?
OMG!?!?!? I am FURIOUS to think my GMAIL account could be opened and read like a newspaper… F* that… honestly… gees if I needed reason to shut down my computer and start using carrier pigeons, I think this comes close to it.
Well, does this mean you are a tremendously interesting woman or terribly boring? My email would probably bore most people to death.
Like it or not, email is covered by the fourth amendment to the US Constitution. The email is the personal property of the owner and requires a WARRANT in order for anyone to view it except the owner.
This case has nothing to do with interpreting the Stored Communications Act, which itself is, in this case, redundant of the fourth amendment.
SHAME ON YOU South Carolina Supreme Court!
This isn’t the end of this issue. Warrantless citizen surveillance is being mandated by our brain dead Corporate Oligarchy overlords. And it remains ILLEGAL.
Of course, this case isn't actually about surveillance. Or about hacking, or warrants, or anything. It's isn't even really about privacy – though the Justices mention the issue of privacy and the SCA in their judgement – or its damnation.
This case _is_ about interpreting the SCA, since that's the law that the plaintiff chose to use. (It's a civil matter, not a criminal one.)
In my opinion, this simply isn't the right sort of case to use for an advocacy rant about privacy. See @Bill's comment. This is really just part of a sad story about a foundered marriage, and the vengefulness provoked by it, rather than a potential cause celebre for Fourth Amendment activism.
Exaggeration? Why? I kept this simple and basic. The wife had no right and the US Constitution says so.
But there is what you point out to be the basis of this decision, the SCA. From the information provided here, it provides no defense for the Lee Jennings. It should never have been considered in this case. If that was the only point of this case, I’d agree with the judges. But as I said, this isn’t the end of this issue.
The wife had no right to his email, despite the fact that the guy was a cheating, deceiving liar. I pointed out why. Lee Jennings has grounds to continue his case but he needs a better lawyer, I’d say.
Meanwhile, as I pointed out, there is a lot larger scope to this issue in our current age where cheating, deceiving and lying is standard human behavior, as is compromising and ignoring fundamental human rights. I’m not pointing at the Jennings case as anything more than just another example in a different context.
Yes, this particular case is not a "cause celebre for Fourth Amendment activism."
However, the SCA and the 4th Amendment are entangled to some degree. The 4th Amendment does not properly deal with the issues of the digital age. It is necessary that proper legislative measures be enacted to strengthen the intent of the 4th Amendment with respect to our digital lives.
I would welcome anyone to crusade for clearly written Acts that leave less room for poor interpretation, while strengthening our currently questionable digital rights in the true spirit of the 4th Amendment.
Perhaps the SCA was an attempt at this. Perhaps we can do better.
This article (filed under "Law & order, Privacy") resulted in a minor "advocacy rant about privacy," however misguided. But sometimes people's replies get to the heart of their concerns (as tangential as they may be).
I see this as an opportunity for nakedsecurity to enlighten us on issues raised. We appreciate the valued content on your site.
"If an unopened email has been in storage for 180 days or less, the government must obtain a search warrant. There has been debate over the status of opened emails in storage for 180 days or less" …[they may only need a subpoena].
That was from the Stored Communications Act link at the top of the article.
This is the problem of legislation not keeping up with technology (and legislators not continuing their education).
The bottom line is that your email is not covered by the 4th Amendment (while I feel it should be). New Acts need to be legislated to keep the essence and spirit of the original framework of the Constitution current with things the founding fathers could never have imagined. But that's why they made it amendable. So that it could evolve with the times.
We need to have the Acts from Congress written properly, and with the interest of the citizenry at the forefront. I find the Stored Communications Act lacking, which is why it was so open to poor interpretation. Let's face it, Congress has been part of the problem rather than the solution (in spite of the efforts of a few good men and women).
The use of the term backup does change over time and so the dictionary definition doesn't coincide with with the current meaning of backup. However, the use of the term backup when defining electronic storage was most likely the older meaning found in the dictionary and so the concept 'electronic storage' would be best defined using the older definition of backup. However, we can't know what was meant by backup when electronic storage was defined. The best solution would be to include a glossary or dictionary every time a law is passed.
I am pretty sure that yahoo would have redundancies in their systems to ensure their customer's data. So that would not be the only copy. A backup truly is in the eye of the beholder.
Rick,
It's not a question of having anything to hide, these are private emails. Are you happy to have your emails all over the web, available to all, just to show you have nothing to hide?
Some things are private.
When I read this piece, yesterday, it was titled "US court says reading other people's online email is OK, privacy be damned" (see http://www.pchelpforum.com/xf/threads/us-court-sa…. Today, the title is "US court overturns judgement against ex-wife who read cheating hubby's emails".
The direction taken, by some of the earlier comment-leavers, seems more explicable in the context of the contemporaneous title.
As I haven't seen a note about the bulletin being revised, I'm worried your site was hacked 🙂
The change was deliberate, not a hack. Stand down from Blue Alert 🙂
What happened is that after reading the headline, the article and the judgement, I formed the opinion that "privacy be damned" was not at all what the relevant court had said, and indeed that the Justices had nowhere even implied that "reading other people's online email is OK."
I put my case to the Naked Security editors, and they agreed. The headline was changed as you describe above.