The advent of social media has increasingly affected how people live and communicate. Millions of Americans use social media every day, and the numbers continue to grow. The motivation to post on social media is multifactorial and includes a desire to stay connected, find others with shared interests, change opinions, and encourage action, but posting also serves to boost one’s self-esteem and self-worth. However, posting on social media creates a serious risk of self-disclosure, with people revealing more intimate details online than they would in more traditional settings without really appreciating the privacy issues and potential negative consequences related to such disclosures.
As social media use continues to grow, its use as a tool in police investigations has also increased. Both the content and metadata associated with social media posts now routinely aid law enforcement authorities in finding patterns and, importantly, in establishing timelines in criminal investigations. Thus, there is an urgent need to revise the existing laws governing stored communications—to better adapt them to these new, evolving technologies and improve the legal framework governing online privacy rights. This Note argues that various aspects of the Stored Communications Act (“SCA”) are outdated and that thirty-six years after it was enacted, it is time for an update that reflects the changing landscape of evolving technological advances.
The Note explores how the internet and social media use have evolved over the years and explains why the SCA no longer sufficiently protects consumers from government acquisition of their information. Particular emphasis is placed on the novelty of social media “Stories,” a technology unlike any that Congress could have imagined when it enacted the SCA in 1986. The Note examines the history of the SCA—with a focus on the Fourth Amendment, the Electronic Communications Privacy Act, and Supreme Court cases addressing the applicability of the Fourth Amendment to various forms of communication technology—before analyzing the SCA in detail, and looks at how law enforcement agencies can obtain these communications for use in criminal investigations. The Note concludes by arguing that the SCA needs to be revised to more adequately apply to today’s social media technologies since their content, and non-content, does not easily fit into the currently delineated categories. Revising the SCA would afford greater protection to consumer communication rights: not only would the SCA better apply to modern technology, but it would also be more readily applicable to future emerging media technologies.
The rise of social media has significantly impacted the way people live and communicate, and the trend toward extensive social media use will likely only continue to grow. According to a Pew Research Center study, seven in ten Americans use social media. On average, people spend an estimated two and a half hours on social media platforms over the course of their day, and “[a] majority of Facebook, Snapchat and Instagram users say they visit these platforms on a daily basis.” More specifically, 69% of Americans use Facebook, 40% of Americans use Instagram, and 25% of Americans use Snapchat. These percentages represent a significant number of people—approximately 230 million, 133 million, and 83 million, respectively. Further, social media users make extensive use of the “Stories” feature, with one billion Facebook Stories being posted daily and five hundred million daily active users of Instagram Stories worldwide. The motivation to post on social media is multifactorial and includes a desire to stay connected, find others with shared interests, change opinions, and encourage action, but posting also serves to boost one’s self-esteem and self-worth. These desires create a serious risk of self-disclosure on social media, with people revealing more intimate details online than they would in more traditional settings without really appreciating the privacy issues and potential negative consequences related to such disclosures.
Just as social media has become popular with the American public, it is also becoming increasingly utilized as a tool in police investigations. A 2012 survey showed that four out of five law enforcement agents used social media to gather intelligence during investigations. Not only do authorities look online for public information, but they also request access to private data directly from social media providers—which can help them build their criminal cases. For example, after finding photos and comments “glamorizing alcohol abuse” on a woman’s MySpace page, prosecutors were able to use them as evidence and advocate for a longer sentence for her vehicular manslaughter conviction. Since people are less inhibited when it comes to social media disclosures, they often share details of their lives and more controversial opinions than they may in other forums. After these once private thoughts are stored electronically, they become more easily accessible to investigators. Not only can the content of social media posts aid criminal investigations, but the related metadata alone “can help law enforcement authorities to find patterns, establish timelines and point to gaps in the data.” Therefore, social media metadata can be just as easily used to gather information on a suspect as the actual content of a post. Because the trend toward extensive social media use will likely endure, there is an urgent need to revise the laws governing stored communications—to better adapt them to these evolving technologies and improve the legal framework governing online privacy rights.
This Note argues that various aspects of the Stored Communications Act (“SCA”) are outdated and that thirty-six years after it was enacted, it is time for an update that reflects the changing landscape of evolving technological advances. Part I of this Note explores how the internet and social media have evolved throughout the years and explains why the SCA no longer affords sufficient protections against government acquisition of consumer information. It discusses the evolution and expansion of social media platforms. Particular emphasis is placed on the novelty of social media Stories, which are unlike any technology that Congress could have imagined when they enacted the SCA in 1986.
Next, Part II examines the history behind the SCA to explain why the law was initially passed by Congress, with a focus on the Fourth Amendment, the Electronic Communications Privacy Act (“ECPA”), and Supreme Court cases addressing the applicability of the Fourth Amendment to various forms of technology. Part III analyzes the SCA in detail, focusing on the distinctions made between the different types of internet service providers (“ISPs”) and the different aspects of communications (content versus non-content data). It looks at how the content and non-content information—for example, metadata including a user’s identity, location, and other data not part of the main substance of the communication—can be obtained by law enforcement in the course of a criminal investigation.
Part IV argues that the SCA cannot be easily applied to social media today because it does not fit within the categories delineated in the SCA. Most importantly, it highlights how (1) social media content does not easily fit into either of the SCA’s currently defined categories because Congress could not have anticipated the advances in the technologies that exist today; and (2) “non-content” is not fully defined in the statute, and therefore lends itself to being more easily obtained in some situations as opposed to others. Finally, Part V suggests ways in which the SCA can be revised to more adequately apply to social media today and ultimately protect the right to privacy guaranteed by the U.S. Constitution.
I. INTERNET PRIVACY AND EVOLVING TECHNOLOGY
Americans are entitled to their right to privacy, which on third-party ISPs such as Facebook and MySpace is protected by the SCA. One problem with the SCA, however, is that it is dated. Although the internet was invented in the 1960s, it was not widely used until 1983, when computers on different networks were finally able to easily communicate with one another. When the SCA was enacted in 1986—just three years later—Congress had only a limited experience with internet use and the potential privacy problems it could create, and had certainly not envisioned the extensive modern use of social media. This partially accounts for some of the weaknesses in this legislation and why the SCA is often difficult to apply to social media today.
A. Evolution of Social Media Platforms
Social media is defined as “forms of electronic communication . . . through which users create online communities to share information, ideas, personal messages, and other content.” This definition implies that social media could not exist without the internet, and that it depends on user-generated content. While it can be said that social media began in 1971, when the first email was sent, for many people social media really began in the late 1990s or early 2000s—years after the SCA was enacted—with the advent of messaging services such as AOL and MSN Messenger. MySpace, arguably the “most popular and influential” of the early social media platforms, was later launched in August 2003, and it allowed individuals to interact by commenting on each other’s profiles and sending private messages. It was the largest social media platform until Facebook, created in 2004, overtook it in 2008. Facebook has now grown to be the largest social media platform in the world with almost three billion monthly active users.
The number and types of social media platforms have grown extensively. Today, other prominent social media platforms include Instagram and Snapchat. Instagram was launched in 2010 and is a platform focused on sharing photos and videos. Snapchat was created in 2011 and gained its popularity from users’ ability to send each other pictures or videos (“Snaps”) that disappear shortly after being opened. These platforms allow users to share content with their friends, some of which they believe to be “private,” visible only to those friends they allow to see it. However, the widespread use of these platforms has created new issues with how the government can legally access and use these communications.
B. Emergence of Stories on Social Media Platforms
The continued evolution and development of new information sharing functions on social media platforms have created multiple issues concerning user privacy rights. For example, in 2013, Snapchat began to allow people to share “Stories” that are displayed for twenty-four hours before becoming inaccessible. Stories are a collection of individual Snaps that are played in the order in which they were created and allow users to share their entire day in a narrative manner. Today, Stories are also available on a variety of other social media platforms, including Facebook and Instagram. Part of the reason why Stories are so successful is because they are only available temporarily, so people can post small daily updates or silly images that they only want visible for a short period of time. Therefore, users reasonably believe that their content will remain private and then disappear, becoming permanently inaccessible. Another reason for the success of Stories is that “social media [S]tories tend to be more spontaneous” than an individual’s carefully curated feed, making it feel more “casual.” As a result, these Stories can be extremely useful to law enforcement, as they can provide a less filtered view of an individual’s daily life and a timeline for the posted events. Thus, the challenge becomes balancing users’ right to privacy with the government’s need for access to information in order to investigate criminal offenses.
As it exists now, the SCA does not provide an adequate statutory framework for protecting communications on the various aforementioned social media platforms and, importantly, does not specifically address new advances in technology such as transient Snapchat and Instagram Stories. Since the SCA does not adequately protect individuals from unlawful searches of their private social media data, there is a need for Congress to reform the statute to accommodate evolving technology.
II. HISTORY OF THE STORED COMMUNICATIONS ACT
A. The Fourth Amendment
The Fourth Amendment to the Constitution protects “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” While the meaning of “search” is not immediately defined by the Amendment, the Supreme Court has held that “[a] ‘search’ occurs when an expectation of privacy that society is prepared to consider reasonable is infringed” and that “[i]f the inspection by police does not intrude upon a legitimate expectation of privacy, there is no ‘search.’ ” Thus, when it comes to physical searches, the meaning of the Fourth Amendment is well understood, whereas what constitutes a search in the digital context is more uncertain.
In Olmstead v. United States, the Supreme Court held that wiretapping did not violate the Fourth Amendment because the lack of physical trespass and seizure of anything tangible meant there was no search or seizure. Because the Court refused to expand the Fourth Amendment to protect telephone communications, the government could legally intercept citizens’ communications as long as they did not physically enter their homes. Olmstead was later overruled by Katz v. United States, indicating a change in ideology that afforded citizens protection of their privacy even without a physical search. Because Katz held that a physical intrusion was not necessary to invoke the Fourth Amendment, online searches—which lack physical intrusions—can still violate the Fourth Amendment.
B. The Electronic Communications Privacy Act
In light of these changing viewpoints on the applicability of Fourth Amendment protections, Congress enacted the ECPA in 1986 in an effort to adapt the doctrines of the Fourth Amendment to the various emerging technologies. The SCA, which provides privacy protections to stored electronic and wire communications, is one part of the ECPA. The ECPA was created with the purpose of protecting American citizens from “the unauthorized interception of electronic communications.” Congress recognized a need to “update and clarify Federal privacy protections and standards in light of dramatic changes in new computer and telecommunications technologies.” Rightly, Congress worried that due to these advances, personal communications could be intercepted by individuals who had no right to obtain them, and thus felt it was important to enact the ECPA. However, the scope of the ECPA did not fully anticipate the impact of the growth and extent of social media.
C. Supreme Court Cases Addressing the Fourth Amendment and Technology
More recently, the Supreme Court heard a series of cases that addressed the applicability of the Fourth Amendment to newer technologies. In each of these cases, the Supreme Court Justices grappled with applying the existing legal framework, indicating that it is time for a change. In Justice Sotomayor’s concurring opinion in United States v. Jones, she emphasized that in the absence of a physical trespass, a Fourth Amendment search occurs “when the government violates a subjective expectation of privacy that society recognizes as reasonable.” She also argued that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties” because “[t]his approach is ill suited to the digital age.” Justice Sotomayor’s statements highlight the need to reevaluate the applicability of the current legal framework to new technologies.
Two years later, in Riley v. California, Justice Roberts acknowledged that because technology enables modern cell phones to contain and potentially reveal a wealth of private information, cell phones require greater privacy protections than would be necessary for a traditional search. Four years after Riley, the Court once again addressed warrantless searches in Carpenter v. United States, this time through the collection of cell phone records from a third party. Again, Justice Roberts recognized the need for stronger privacy protections, stating that “a warrant is required in the rare case where the suspect has a legitimate privacy interest in records held by a third party,” such as the cell site records indicating the defendant’s location and movements. The government had acquired this information pursuant to a court order issued under the SCA, which was obtained based on evidence that the information might be relevant to the ongoing investigation. Finding this burden of proof—requiring only that the information might be relevant, which is lower than the probable cause required to obtain a warrant—to be unacceptable, the Court held that to access these cell site records, a warrant was required. The differing standards of proof required to obtain warrants and court orders to access records from these new technologies illustrate that sometimes the SCA troublingly affords lesser protections to individuals’ private information.
III. THE STORED COMMUNICATIONS ACT
The SCA was enacted to regulate electronic and wire communications that are stored on third-party servers and therefore governs the interaction between government investigators and administrators of third-party service providers. It was meant to expand the privacy protections afforded by the Fourth Amendment to digital content, clarifying its applicability. However, the SCA regulates retrospective communications, meaning it only applies when the government seeks to obtain information already in a provider’s possession. Additionally, the SCA only applies to two types of ISPs: providers of electronic communication service (“ECS”) and providers of remote computing service (“RCS”). An ECS is defined as “any service which provides . . . the ability to send or receive wire or electronic communications;” email and cell phone service providers would therefore be examples of ECS providers. An RCS, on the other hand, is defined as any service that provides to the public “computer storage or processing services by means of an electronic communications system.” Thus, once an email has been received but not deleted or a voicemail has been left in storage for later review, email and cell phone services are treated as RCS providers. Because ECS and RCS providers are afforded different levels of protection, it is important to be able to appropriately categorize modern ISPs to determine how much protection users’ communications will be given.
While transmitting communications and storing communications are different functions, this distinction matters less today, as many modern ISPs provide both services. In 1986, however, Congress was concerned about businesses such as hospitals and banks using remote computing services to store records and process data. Thus, they felt the need to create the RCS category to address this concern. Generally, the SCA prohibits disclosure of both content and non-content data of customer communications, but the SCA provides exceptions to this rule. These exceptions, which are discussed below, are divided between § 2702, which regulates voluntary disclosure, and § 2703, which regulates required disclosure.
A. Disclosure of the Contents of Social Media Posts
1. Voluntary Disclosure of Customer Communications
Section 2702(b) details the nine circumstances in which a provider may voluntarily disclose the contents of a customer’s communications. These exceptions include allowing the contents to be disclosed “to an addressee or intended recipient of such communication” and “with the lawful consent of the originator or an addressee or intended recipient of such communication.” For the most part, the communications can be disclosed only with the permission of the sender or intended recipient, which protects the user, or without their permission in the case of an emergency, such as a missing child. Therefore, while individuals are generally protected against voluntary disclosures of their private information by ISPs, it does not mean that the government is unable to obtain this information; it can be compelled through required disclosure under § 2703.
2. Required Disclosure of Customer Communications
Should the government decide that obtaining an individual’s communications is essential for building a criminal case against them, the disclosure of those communications is governed by § 2703. This is where the largest privacy threat to social media users lies, as ISPs are then legally required to turn over the contents of customer communications to law enforcement. How the government goes about getting this information under § 2703, however, depends on a variety of factors, beginning with whether the ISP is categorized as an ECS or an RCS.
If the government requires information from an RCS, there are three ways for it to compel disclosure. First, the government can compel disclosure without notifying the customer if “the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures . . . ) by a court of competent jurisdiction.” Alternatively, if the government provides notice to the customer, it can compel disclosure by using either (1) “an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena;” or (2) “a court order . . . [obtained] under subsection [2703](d).” Warrants place a higher burden on the government in order to obtain the requested information, while subpoenas and court orders are more easily obtainable. Thus, allowing the government to choose the second or third method to avoid having to obtain a warrant shifts the burden to the individual, who then must object to the subpoena or court order to protect their private information.
Required disclosure from an ECS, on the other hand, is even more complicated because it also considers information about the age of the communication. If the communication is 180 days old or less, the government may only compel disclosure “pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures . . . ) by a court of competent jurisdiction.” If the communication is more than 180 days old, however, the government can compel disclosure with either a warrant or, if prior notice is provided, a subpoena or court order. In effect, this makes it easier for investigators to obtain older communications, with no explanation as to why the 180-day mark is significant; thus, in this situation, users are arbitrarily afforded less protections.
B. Disclosure of the Non-Content Data of Social Media Posts
1. Voluntary Disclosure of Customer Records
Section 2702(a)(3) prohibits ECS and RCS providers from “divulg[ing] a record or other information pertaining to a subscriber to or customer of such service . . . to any governmental entity.” However, § 2702(c) provides an exception to this rule: “A provider . . . may divulge a record or other information pertaining to a subscriber to or customer of such service . . . as otherwise authorized in section 2703.” Therefore, while the SCA prevents ECS and RCS providers from voluntarily disclosing non-content information to governmental entities, as with content, the government can still obtain the information by utilizing § 2703’s required disclosure provision.
2. Required Disclosure of Customer Records
Section 2703(c)(1) states that a governmental entity can require an ECS or RCS provider to disclose a record or other information when the governmental entity “obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures . . . ) by a court of competent jurisdiction”; “obtains a court order”; “has the consent of the subscriber or customer”; “submits a formal written request relevant to a law enforcement investigation concerning telemarketing fraud”; or “seeks information” under § 2703(c)(2). Section 2703(c)(2) allows ECS and RCS providers to disclose the name; address; telephone connection records (or records of session times and durations); length of service and types of service utilized; subscriber number; and “means and source of payment” when the governmental entity “uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under [§ 2703(c)](1)].” Again, governmental entities are able to obtain varying amounts of private information about customers from ECS and RCS providers with either a warrant or a court order, sometimes even with only a subpoena. Even more troubling, § 2703(c) does not require the government entity receiving the records or information to provide notice to the customer. Thus, subscribers’ privacy may be being infringed without their knowledge, providing them with fewer opportunities to protect themselves.
IV. SOCIAL MEDIA AND THE STORED COMMUNICATIONS ACT
Prior to 2010, no court had specifically addressed whether social media platforms were within the jurisdiction of the SCA. In order for the SCA to apply to social media platforms, these ISPs must be considered either ECS or RCS providers. The District Court for the Central District of California was the first to examine whether social media platforms were ECS or RCS providers in Crispin v. Christian Audigier, Inc. The district court held that because the three social media platforms in question provided either private messaging or email services, they qualified as ECS providers. This demonstrated that the SCA could be applied to social media platforms and can, therefore, be used to control the release of social media communications. While Crispin made it clear that Facebook, Instagram, and Snapchat would be governed by the SCA, it remains unclear whether these platforms qualify as an ECS, an RCS, or both, in the context of specific functions. As a result, which regulations should be applied when the government seeks to obtain users’ content (or non-content) from social media platforms during a criminal investigation remains uncertain.
A. Obtaining Contents of Social Media Posts
1. Obtaining Contents from Private Social Media Accounts
The SCA only applies to communications that are not “readily accessible to the general public.” Thus, it is important to understand how a user’s varying privacy settings on social media platforms can affect the applicability of the SCA. Facebook, Instagram, and Snapchat each have varying features that provide users with controls to limit who can see the content they have posted on their individual accounts, in some instances allowing the users to limit who can view individual posts as well, and the ability to block other users from viewing their content. Accordingly, should a user want their social media content to be private, they have the ability to set those limits using the social media platform settings.
In Crispin, the court held that “[u]nquestionably, the case law . . . require[s] that [user content] be restricted in some fashion . . . [to] merit protection under the SCA.” Therefore, if a user sets their content visibility to anything other than public, it qualifies as private. This was confirmed in Ehling v. Monmouth-Ocean Hospital Service Corp., in which the District Court of New Jersey found that “when users ma[d]e their Facebook wall posts inaccessible to the general public, the wall posts [we]re ‘configured to be private’ for the purposes of the SCA.” Similarly, in Facebook v. Superior Court (Hunter), the Supreme Court of California held that social media posts that were configured to be public fell within § 2702(b)(3)’s lawful consent exception, which allows ISPs to disclose a user’s content with the user’s consent. By this logic, if a user’s content is visible to the public, they are consenting to the RCS provider’s disclosure of their content. The SCA, therefore, does not protect social media content that is posted publicly because consent is an exception to the prohibition of voluntary disclosure under § 2702. The Hunter court also held that “restricted communications sent to numerous recipients cannot be deemed to be public—and do not fall within the lawful consent exception.” In other words, even if social media communications are limited to a large group of people, that does not mean these posts are considered public. According to the Ehling court, “the critical inquiry is whether Facebook users took steps to limit access to the information . . . . Privacy protection provided by the SCA does not depend on the number of Facebook friends that a user has.” By restricting one’s content with privacy settings, a social media user can therefore take advantage of the SCA’s privacy protections and make it more difficult for the government to obtain their content—by requiring them to get a warrant, for example—for use in a criminal case, but not all users are that savvy or careful.
Based on this jurisprudence, it should not matter how broad the user’s privacy settings are—as long as the individual specifically took steps to limit who can view their content, it becomes protected from voluntary disclosure. This is not foolproof, however, because, as discussed earlier, disclosure may still be permitted if authorized by § 2703. This remains problematic because, as Justice Sotomayor stated in Jones, a Fourth Amendment search online occurs when the government violates a “subjective expectation of privacy[,]” and one could argue that when an individual invokes privacy settings, they reasonably expect that their content will be kept private. If obtaining individuals’ social media data constitutes a search, then under Justice Roberts’s logic in Carpenter, a warrant should be required because social media content can contain lots of information about a person’s day, including their location and movements, like the cell site records in Carpenter. Therefore, it stands to reason that all searches of private social media content should require a warrant, which is not currently the case under the SCA.
2. Social Media: Does Disclosure of Its Content Follow ECS or RCS Regulations?
As previously discussed, the SCA has different standards for an ECS than for an RCS—the government can more easily obtain communications from an RCS, whereas obtaining communications from an ECS depends on how long ago the communications were created, thus emphasizing the importance of properly categorizing each social media platform. In Crispin, the court found that social media platforms can be characterized differently depending on the state of the messages: before the messages have been opened, ISPs operate as ECS providers, but once the messages have been opened and retained, the ISPs operate as RCS providers. This creates significant complexity and results in variability in how the SCA is applied to each social media platform, given the different standards between RCS and ECS providers and the difficulty in determining which standard will apply.
The Crispin court acknowledged that Facebook wall posts and MySpace comments “present a distinct and more difficult question” as to whether the social media platforms are acting as ECS or RCS providers. On one hand, the court stated that Facebook and MySpace were ECS providers with respect to wall posts and comments because they were being held for “backup purposes once read.” Here, the court relied on Snow v. DIRECTV, Inc., in which a district court found that because electronic bulletin board services (“BBS”) did not have temporary, intermediate storage, they were actually storing the information for backup purposes and thus were an ECS. The court analogized Facebook and MySpace wall posts and comments to BBS, concluding that these posts and comments were also being stored for backup purposes since they were not deleted after being read, and thus the social media platforms should be considered ECS providers.
On the other hand, the court also said that Facebook and MySpace could be considered RCS providers with respect to wall posts and comments because they maintained these communications not only for storage, but also for display purposes, as users wanted their friends to be able to see the communications. The court relied on Viacom International Inc. v. YouTube Inc. in this instance, analogizing Facebook wall posts and MySpace comments to private YouTube videos. In Viacom, the court found that YouTube was an RCS provider because it stored videos on behalf of its subscribers. Thus, the Crispin court concluded that Facebook wall posts and MySpace comments, like YouTube videos, can be stored for the purpose of allowing other users to view the content, thus making Facebook and MySpace RCS providers, like YouTube. Ultimately, the court did not rule whether Facebook and MySpace were ECS or RCS providers with respect to wall posts and comments, remanding the case for further development. This complexity demonstrates how ill-suited the SCA currently is to protect individuals’ privacy on social media platforms, as there is no clear and consistent way to apply it. Further, the arguments made in Crispin emphasize just how arbitrary the distinction between an RCS and ECS provider can be when it comes to social media platforms. Because social media platforms do not fit neatly into either category, courts can come to different conclusions as to how these ISPs should be regulated, thus leading to uncertainty regarding the protection of privacy rights of social media users. This arbitrariness can be explained by the fact that the SCA was written in 1986, as articulated in Konop v. Hawaiian Airlines, Inc.:
[T]he ECPA was written prior to the advent of the Internet and the World Wide Web. As a result, the existing statutory framework is ill-suited to address modern forms of communication like [social media platforms]. Courts have struggled to analyze problems involving modern technology within the confines of this statutory framework, often with unsatisfying results.
The Konop court’s words make clear that the SCA has become outdated because Congress was unable to foresee the problems that would arise for privacy protections resulting from not yet existing communication technologies. This is further supported by the fact that the Crispin court was unable to make a decision regarding the status of Facebook and MySpace with respect to wall posts and comments, given the limitations in clearly and consistently applying the SCA to communications on the various social media platforms. Courts’ inability to readily place certain features of social media platforms into existing categories highlights the inadequacy of the SCA in affording privacy rights to users of the prevalent modern technologies and supports that now is the time to change the SCA to clarify its applicability and afford stronger protections for various types of social media communications by creating more appropriate categories that these ISPs can be classified into.
3. Challenges in Applying SCA Content Disclosure to Stories
Stories are a relatively new feature of social media platforms, having only been in existence since 2013. Like with the aforementioned difficulty in generally applying the SCA to social media platforms and user content, Stories, which disappear within twenty-four hours, provide another example that highlights the limited applicability of the current statutory framework under the SCA to modern communication technologies. From a privacy perspective, the good news is that most of these posts are removed from ISPs’ servers as soon as the twenty-four hour period is up. Since the content is no longer on the social media platform’s server, it is not possible for ISPs to disclose this content—even pursuant to a court order, subpoena, or warrant—because the content would no longer be in storage. However, concerns remain for any content that remains saved on the server, which might still be obtainable for criminal investigations under the current SCA.
In addition, both Facebook and Instagram Stories can be saved in Story Archives, and Snapchat Stories can be saved in Memories. This content, therefore, could feasibly be disclosed to the government under the SCA if the proper exceptions and procedures were met. Because part of the appeal of Stories is that posts are only available for twenty-four hours, users likely do not think about how long their content is maintained in storage. Rather, many incorrectly assume that the content has been permanently deleted when the twenty-four hours expire. The problem here is that if Stories are governed by current ECS rules, once Stories are more than 180 days old, they can be obtained with notice and a subpoena or court order. This goes against the intent underlying Justice Robert’s opinion in Carpenter because one could similarly argue that individuals who post Stories believe they have a reasonable expectation of privacy in these Stories that are now only available for their own view, yet they can, in fact, still be obtained with lesser protections than a warrant. Therefore, even though the SCA was intended to extend the protections of the Fourth Amendment to online communications, currently it does so unsuccessfully, particularly in the case of Stories.
Because Stories are so new, there have not been many cases addressing how the SCA applies to them. In Facebook, Inc. v. Pepe, the District of Columbia Court of Appeals considered an allegedly sent “disappearing Instagram ‘Story’ ” for the first time. The court found that the Instagram Story was content under the SCA, and that because James Pepe was an “addressee or intended recipient” under § 2702(b), Facebook was permitted to disclose any Instagram Stories that were responsive to the subpoena. However, this addressee or intended recipient exception would not apply if the government were seeking disclosure in a criminal case, as the individual who posted the Story would likely not have invited a government official to view their private Facebook, Instagram, or Snapchat Story. Thus, the inquiry then shifts to consider whether social media platforms are acting as RCS or ECS providers when it comes to Stories.
One could analogize Stories to Facebook wall posts and MySpace comments when applying the SCA to social media Stories. Following the Crispin court, this would mean that ISPs offering Stories could be considered either RSC or ECS providers. The first argument is that Facebook, Instagram, and Snapchat act as ECS providers when individuals post Stories because the individual is “sending” the electronic communication to the people who they have allowed to view it. This would follow from analogizing Stories to wall posts or comments that are in “backup” storage. As per Crispin, if the messages are being stored on the servers solely because they were not deleted, then they are in backup storage and, thus, should be governed by ECS rules. Unfortunately, users do not usually think about deleting this type of content because they know that once it disappears, no one else can see it. However, what they often fail to realize is that these communications are then considered to be in backup storage, meaning they can still be disclosed to the government under the SCA.
Alternatively, Facebook, Instagram, and Snapchat could be considered RCS providers because they are simply storing the Stories on the server for others to view. In Crispin, wall posts were compared to YouTube videos that were stored for the purpose of allowing other users to view the content. Arguably, Stories are also stored for the purpose of allowing others to view them, not simply because they have not been deleted. Therefore, even though a Story disappears after twenty-four hours, the user can reshare the content from their Archive, similar to changing a YouTube video’s settings to modify who can view it at any point in time.
On the other hand, Stories could also be analogized to private messages, which further complicates the analysis of SCA protections, particularly when considering the reasoning in Crispin, which stated that when a message is unread, the ISP acts as an ECS, but once the message has been read, the ISP then acts as an RCS. Stories can be viewed by whomever the user allows, depending on their privacy settings, meaning that at any given point in time, the Story might have been viewed by a portion, but not all, of the potential audience. Thus, is the Story considered “unread” until all possible viewers have seen it, or does it switch to being “read” once at least one individual has viewed it? Alternatively, a Story could be “sent” while it is available for viewing by others but then switched to “read” once the twenty-four hours are up.
Whether or not a Story is considered to be an ECS or an RCS function directly impacts how law enforcement agencies can obtain its contents since the content of a Story would only be protected with a warrant if it were governed by ECS rules and 180 days old or less. Otherwise, Stories could be obtained with either a subpoena or a court order, making them easier to acquire for criminal investigations. These types of questions have not yet been adequately addressed by courts, and because Stories have qualities of both RCS and ECS communications, it is not possible to consistently predict whether RCS or ECS rules should govern in individual cases. The difficulty in determining how to appropriately apply the SCA to Stories supports the need for the proposed changes to the SCA.
B. Obtaining Non-Content Data From Social Media Posts
1. Applying SCA Non-Content Disclosure to Social Media Platforms
Disclosure of non-content data stored by social media platforms is different from disclosure of content in that non-content disclosure does not depend on whether the provider is an ECS or an RCS. While content is defined as including “any information concerning the substance, purport, or meaning of that communication,” non-content is not well-defined. The SCA does, however, define some non-content data that can be obtained with only a subpoena, including the user’s name, address, and telephone number. This stems from the third-party doctrine, which states “the
Fourth Amendment does not prohibit the [government from] obtaining . . . information revealed to a third party.” This creates an exception to the reasonable expectation of privacy that is protected by the Fourth Amendment: once an individual voluntarily shares information with a third party, they lose any reasonable expectation of privacy in that information. It can be assumed, however, that non-content data is any information that is not the main substance of the communication, including the metadata incorporated in the communication, for example, the user’s identity, location, payment information, and telephone number. This is problematic because under § 2703(c), non-content data can sometimes be easily obtained by the government with a court order. Because the SCA does not explicitly state which types of non-content data can be obtained with a court order and which require a warrant, a lot of discretion is left to police officers and the courts.
“Some non-content information, particularly associational information and location information, is inherently expressive, capable of directly exposing intimate details of an individual’s life.” In the age of social media, people are constantly posting images and videos online; when people take photos, for example, the image files contain metadata that includes the time and date when the image was taken, along with the exact location where the photograph was taken. Facebook, Instagram, and Snapchat collect a lot of information about an individual’s daily life, including sensitive location information. Like wireless providers, Facebook, Instagram, and Snapchat are all able to collect individuals’ locations from Bluetooth signals, wireless networks, and cell towers. Additionally, these platforms also store information such as the location, date, and time at which the photograph or file was created. This information could be used in a criminal investigation to pinpoint the time and place where a crime occurred or where a suspect was located at a particular time, making it highly valuable for the government when charging someone with a crime. Thus, it is important to afford this information the highest level of protection.
Because social media is a newer phenomenon, most courts have yet to address the issue of obtaining non-content data, which can include time and location information from a social media platform. In In re Application of the United States of America for an Order Pursuant to 18 U.S.C. § 2703(d), a magistrate judge ordered Twitter to turn over information
pertaining to multiple subscribers; this information included “records
of user activity . . . including the date [and] time” as well as
“non-content information associated with the contents of any communication . . . [including] IP addresses.” The Virginia district court held that because § 2703(d) requires the government to show only “reasonable grounds” that the records sought are relevant and material to an ongoing criminal investigation, and because the third-party doctrine applies to IP address information, the court order was valid. The court differentiated IP addresses from beeper monitoring because IP addresses are shared with all internet routers when a user accesses Twitter, while tracking a beeper allowed the government to monitor inside a private residence, which was not otherwise open for visual surveillance. While this case clarified what one district court believed the SCA means for IP addresses, it does not help to clarify how the SCA applies to exact location information such as the metadata embedded in Facebook, Instagram, and Snapchat posts.
However, courts have addressed the issue of whether obtaining location information from a wireless carrier constitutes a search under the Fourth Amendment. In Carpenter, the Court held that a court order obtained under § 2703(d) was not a permissible means of acquiring a defendant’s historical cell-site location information (“CSLI”) from a wireless carrier. The Court found that individuals have a reasonable expectation of privacy in their physical location, and when the government accessed CSLI from the wireless carriers, it violated the defendant’s reasonable expectation of privacy. As a result, the Court held that the government “must generally obtain a warrant supported by probable cause” before acquiring records containing location information.
Because the SCA was intended to extend Fourth Amendment rights to online communications, it might be acceptable to infer that obtaining location information from social media platforms would also require obtaining a warrant supported by probable cause. However, the Carpenter Court articulated that its decision was “narrow” and that it does not “address other business records that might incidentally reveal location information,” which means that the metadata contained in the photos and videos posted on social media may not require the government to obtain a warrant, which could compromise people’s privacy rights. As Justice Sotomayor pointed out in her concurrence in Jones, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy” in the information they disclose online. “This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” Justice Sotomayor is right: in the digital age, individuals post a wealth of information online that they expect—as a result of their privacy settings—to be visible only to those they choose. Thus, it is time to reconsider the notion that revealing this information to third-party social media platforms means that the government should be able to easily obtain their locational information because there is no “reasonable expectation of privacy.”
2. Challenges in Applying SCA Non-Content Data Disclosure to Stories
Stories provide users with the unique opportunity to create information that can qualify as both content and non-content data at the same time. When an individual posts their Story online, they are able to add “stickers,” which can indicate to those viewing the Story the exact location of the individual and the date and time the Story was posted, among other things. Thus, when a user posts a location in their social media Story, it actually appears as part of a graphic. In this sense, it would appear to be content because it is part of the image. On the other hand, since it is a location, Instagram will likely also collect that information separately from the content. It would then appear that, in this situation, the location information would be both content and non-content data at the same time; how then should a court determine whether a subpoena, court order, or warrant is required to compel the information from Instagram? Unfortunately, this is unclear under the current statutory framework of the SCA.
Former CIA agent Michael Morell admits that “[t]here’s a lot of content in metadata” and that “[t]here’s not a sharp difference between metadata and content . . . It’s more of a continuum.” If even the government accepts that it is difficult to distinguish between content and non-content data, then the SCA should not be differentiating between the two and allowing weaker protections for non-content data when, in fact, it may reveal information just as sensitive as content. Because the SCA was created prior to the creation of social media, it does not account for the overlap in the types of information that can be obtained from non-content and content data. This is another reason why the SCA needs to be rewritten: to clarify and remove the ambiguity of how sensitive non-content information can be disclosed.
V. REVISING THE STORED COMMUNICATIONS ACT
A. Requiring Warrants for All Compelled Content Disclosures
While the SCA provides some protections for private communications on ISPs, the statute needs to be updated and better tailored so that it is applicable to all the various nuances of modern technologies. Currently, the strongest protections are afforded to unretrieved emails and other temporarily stored files that are 180 days old or less. All other communications can be more easily obtained with a subpoena combined with prior notice. Under the Federal Rules of Criminal Procedure, a subpoena “may order the witness to produce any books, papers, documents, data, or other objects the subpoena designates.” This is even less protective of an individual’s right to privacy than having to obtain a court order, which requires that the “governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a[n] . . . electronic communication . . . are relevant and material to an ongoing criminal investigation.” To obtain a warrant, on the other hand, there must be “probable cause to search for and seize a person or property.” This places a heavier burden on the government and thus ensures that social media users are not losing their right to privacy without stringent protections, which should be the goal of any such legislation.
Because the line between defining a social media platform as either an ECS provider or an RCS provider is so unclear, applying existing laws can lead to variable results that negatively impact users’ privacy rights. As previously discussed, under the SCA, the same ISP can be treated as an ECS for some functions, but an RCS for others; this leaves users with inconsistencies in the treatment of their personal communications, which can infringe on their privacy. Importantly, whether a social media platform is characterized as an ECS or an RCS has a direct impact on the stringency of the procedures that law enforcement must follow to obtain the content. Further, although the SCA does not specifically differentiate between public and private social media accounts, because the SCA was only intended to cover private communications, it inadvertently creates counterintuitive privacy protections. For example, in Crispin, the court held that opened private messages on Facebook and MySpace were covered by RCS rules, while ECS rules covered restricted wall posts and comments. Effectively, this meant that wall posts and comments, which can arguably be seen by all of an individual user’s friends, were afforded greater protections than private messages, which are typically only seen by the sender and the intended recipient. This is counterintuitive because it means that less private communications receive greater protection than more private communications.
Consequently, there is a clear need for Congress to reform the SCA now, and as a first step, require warrants for all communications, regardless of whether an ISP is characterized as an RCS or ECS. Warrants provide the strongest protection for social media users, and when it comes to individual liberties, the government has an obligation to preserve these liberties with the broadest legal protections possible. This is especially important considering the case law, which argues that individuals have a right to be protected under the SCA if they took steps to protect their content. By requiring warrants for the disclosure of all social media communications, the SCA would be able to provide the strongest statutory framework to protect users’ privacy and prevent the unjust use of their social media content against them in criminal court.
B. Removing the Differentiation Between RCS and ECS
The previously highlighted variability and liability in characterizing social media platforms as RCS providers in some instances and ECS providers in others has become even more problematic with the recent emergence of social media Stories. If Stories are analogized to emails or private messages—because the user posts the Story with the intention that others will see it and it will be gone shortly after the message is read—they would be governed by ECS rules, similar to the private messages in Crispin. Alternatively, Stories considered analogous to YouTube videos—because they are stored for only a limited number of people to view—would be governed by RCS rules. The courts have yet to address whether Stories should be governed by ECS or RCS rules, but there are arguments for both sides because Stories do not fit neatly into either category.
Because the SCA was not created to accommodate these newer technologies, it would be more effective to revise the SCA categories rather than attempting to fit new technologies into the existing categories. Because social media platforms offer various functions that involve both message transmissions and electronic storage, the language of the SCA needs to be amended to eliminate the distinction between RCS and ECS altogether. Orin Kerr suggested doing this by identifying that the SCA applies only to “network service providers,” which would encapsulate the current definitions of ECS and RCS and then apply the SCA rules to different types of files held by the network service providers. This would alleviate the difficulty of determining which rules apply to social media providers in different situations and would further clarify privacy rights for users by establishing when and how their content is protected. Importantly, this would also provide consistency and give users a better understanding of their rights online, which may, in turn, influence what information they choose to post on social media—especially if they know it could later be used against them in a criminal case. Without this clarity, social media users do not know whether their content is protected and what steps they need to take to protect their private communications, which may, consequently, have a “chilling effect” on their conduct.
C. Requiring Warrants for All Compelled Non-Content Data Disclosures
As technology has grown and evolved, the distinction between content and non-content data has continued to blur. This is particularly true when individuals include the date, time, and location of their posts in the actual post or Story. When Facebook, Instagram, and Snapchat collect that information, it becomes non-content data, some of which can be disclosed pursuant to only a subpoena, and some of which requires either a court order or a warrant. One way to address this issue would be to require warrants for all compelled disclosures of non-content data. This is in line with the suggestion to require warrants for all compelled disclosures of content.
By requiring warrants for compelled disclosures of non-content data, criminal investigators would then have to show probable cause before obtaining the information, which is the highest standard available. In Carpenter, the Court acknowledged that individuals have a reasonable expectation of privacy regarding their physical location. Unlike cell-site records, social media platforms do not collect information on users every time their phone pings a cell tower. Instead, locations are collected when individuals post to social media. Therefore, it is currently unclear whether location information would always be protected by a warrant under the SCA.
While it is true that some non-content data records reveal more than others, advances in metadata analysis have shown that assembling disparate pieces of metadata can lead to larger discoveries. Thus, although one might argue that it would be better to specify which types of records require a subpoena, which require a court order, and which require a warrant, this practice would be difficult to consistently implement. Rewriting the SCA to guarantee that such non-content metadata is protected by the highest protection affordable would ensure that social media users are provided their First Amendment rights.
D. Removing the Distinction Between Content and Non-Content Data
Perhaps a simpler solution to this problem of differentiating between content and non-content data would be to eliminate the distinction altogether. The distinction comes from Ex parte Jackson, in which the Court held that “a distinction is to be made between different kinds of mail matter,—between what is intended to be kept free from inspection, such as letters . . . and what is open to inspection, such as . . . printed matter, purposely left in a condition to be examined.” The Court held that mail can only be opened and examined under a warrant because otherwise it would constitute an illegal search. Thus, content is what is “intended to be kept free from inspection,” as it is sealed away, and non-content data is what is left in the open.
When the Court first created this distinction in Ex parte Jackson, it made sense to differentiate between the information on the outside of an envelope, which could be openly seen by others, and the content that was stored within an envelope. However, trying to apply that logic to social media now no longer makes sense because the distinction between content and non-content data has become so blurred. For example, when a user posts a picture of their dog on their Instagram profile, they can include a geotagged location to where the photograph was taken. Is the location still non-content data because it is not the “substance” of the post, or is the location content because the user is using it to indicate where the picture was taken and, therefore, it is part of the description? If the latter were true, it would then arguably be content.
If the same information can be considered both content and non-content, it does not make sense to allow law enforcement to obtain the same information with lesser protections solely because they can argue that it is non-content data. Eliminating the distinction between non-content and content data would remove the uncertainty and enable social media users to be confident that all aspects of their posts would be protected.
The Ninth Circuit had it right when it said, “until Congress brings the laws in line with modern technology, protection of the Internet and websites such as [social media platforms] will remain a confusing and uncertain area of the law.” Social media platforms, as a whole, do not fit nicely into the existing ECS and RCS categories that Congress created when drafting the SCA in 1986. Some functions of social media platforms lead to the platform being treated as an ECS, while other functions lead to the platform being treated as an RCS. In other instances, it is difficult to determine whether a specific function indicates that the social media platform is acting as an ECS or an RCS. As a result, the SCA can be inconsistently applied to disclosures of social media content. Most importantly, certain functions on social media are arbitrarily afforded stricter protections than others, solely because of how they are inconsistently categorized under the current SCA. The rationale for affording communications greater protections when they are classified as an ECS that is 180 days old or less versus the fewer protections afforded to an ECS that is more than 180 days old or as an RCS is unclear. As a result of these arbitrary distinctions, law enforcement has an easier time searching an individual’s private social media, which may only require a subpoena or court order, than it would going through someone’s diary, which requires a warrant.
Further complicating the application of the SCA to social media today is the fact that in the age of social media, it is becoming more difficult to distinguish content from non-content data. When Congress drafted the SCA, it attempted to apply the Fourth Amendment to online communications and therefore made a distinction between content and non-content data; however, the difference between what constitutes content—analogous to what is contained inside an envelope—and non-content—analogous to what is on the outside of an envelope—in the digital context has become difficult to discern. Courts have also considered the third-party doctrine when determining what information could be obtained with a subpoena, reasoning that because the information had been disclosed to a third party, the user had no reasonable expectation of privacy. However, social media users disclose a variety of personal information when signing up for an account, often including, at a minimum, their name, birthdate, and email address, and their posts include lots of additional metadata. The privacy of these data is critical to define because they can be used by law enforcement to piece together where an individual was at the time they posted to social media or where an individual was when the content they posted was retrieved. Whether this very sensitive information should require a warrant or a lesser means to be retrieved by law enforcement is not currently clearly defined in the SCA.
The ECPA—which includes the SCA—was enacted to protect citizens from having their electronic communications intercepted without the proper authorization, but these protections need to change in response to evolving communication technologies. This legislation was intended to extend Fourth Amendment protections to new technologies, but because social media technologies have evolved so rapidly since 1986, the SCA no longer truly affords the intended protections. For citizens to be protected against unreasonable searches of their digital media, Congress needs to restructure the existing legislation to properly address how communication technologies have evolved over the past thirty-six years. Not only can one social media platform function as both an ECS and an RCS provider under the current SCA definitions, but it is now also difficult to determine whether a specific social media function, such as Stories, which has properties of both, should be governed by ECS or RCS rules. Further, there is now duplication of content and non-content data, making it difficult to clearly differentiate them and ensure that all of this personal information is being adequately protected under the SCA.
To ensure the protection of constitutional privacy rights and prevent private social media communications from being unfairly used against their creators in court, Congress should require that all compelled disclosures be governed by the same rules as the Fourth Amendment; that is, it should require that there be a warrant and “probable cause.” If all compelled disclosures were to require a warrant, then equal protections would be applied in all situations, as the standard would be consistent across physical and digital searches; this would help ensure that defendants’ due process rights were not violated. Further, because the distinctions between an ECS and RCS, as well as content and non-content data, are no longer appropriate, it would be advantageous for Congress to revise the SCA to better align with modern technologies by drawing the necessary delineations based on the functions being used, not on the specific type of provider. This way, the SCA would not only better apply to modern technology, but it would hopefully also better apply to future emerging technologies.
96 S. Cal. L. Rev. 707
* Executive Senior Editor, Southern California Law Review, Volume 96; J.D. Candidate 2023, University of Southern California Gould School of Law; M.S. Clinical Research Methods 2020, Fordham University; B.A. Psychology 2015, New York University. My thanks to my parents, Marlene and Lee Allen, and Jennifer Guillen for their input and support throughout the note-writing process. I would also like to thank my Note advisor, Professor Eileen Decker, for her guidance, and the members of the Southern California Law Review for their hard work and thoughtful suggestions.