It would be unusual these days to find a hotel, coffee shop, cruise line or airline that doesn’t offer some form of internet access to its customers. It’s unlikely, however, that those businesses have had occasion to give much thought to the Stored Communications Act (SCA), 18 U.S.C. §§ 2701, et seq., a federal law that governs voluntary and compelled disclosure of certain types of electronic records. After a recent District of Columbia federal court decision finding that Royal Caribbean Cruises is a covered provider under the SCA, that needs to change. See In re Application of the United States for an Order Pursuant to 18 U.S.C. § 2703(d), Misc. No. 17-2682, 2018 WL 1521772 (D.D.C. Mar. 8, 2018) (Royal Caribbean).

The SCA and its state counterparts impose a complex set of rules on covered entities regarding the disclosure of customer and subscriber information. The statute is most commonly applied to traditional internet service providers, email providers, social media providers and phone companies. A recent opinion by Chief Judge Beryl A. Howell of the U.S. District Court for the District of Columbia, however, finds that the SCA covers any entity that provides internet access to its customers or the public, even if its core business (e.g., operating cruise ships) has little to do with providing such services.

Background

The case originated last fall when the U.S. Attorney’s Office applied for a court order to compel Royal Caribbean to produce records regarding money transfers allegedly made using a particular IP address onboard one of its ships. The request was unusual because under normal circumstances the government can simply issue a subpoena to compel a company like Royal Caribbean to produce business records; there’s no need for the government to seek a court order. In this case, however, the government concluded that because Royal Caribbean provides internet access to its passengers, it is a provider of electronic communication service (ECS) and thus subject to the SCA.

Under the SCA, the government is permitted to compel only a narrow set of records related to a covered provider’s customers (e.g., name, email address) with a subpoena. To obtain the more detailed records the government wanted from Royal Caribbean (i.e., records of user activity for every person who used a particular IP address on a certain date and time), the SCA requires the government to get a court order. See 18 U.S.C. § 2703(d). That order must be based on an application that provides the reviewing judge with “specific and articulable facts” sufficient to establish “reasonable grounds to believe” that the records are “relevant and material to an ongoing criminal investigation.” Id. And if the government wants the actual contents of any communications (e.g., copies of emails, text messages or social media posts), it must get a search warrant based on a finding of probable cause. Id. § 2703(a).

In Royal Caribbean, the reviewing magistrate denied the government’s original application for a court order, rejecting the government’s view that Royal Caribbean was subject to the SCA. The magistrate found that accepting the government’s theory that Royal Caribbean is an ECS provider under the SCA would mean that “every entity which now offers free WiFi would be rendered” an ECS provider. See In re Application of the United States for an Order Pursuant to 18 U.S.C. § 2703(d), Misc. No. 17-2682, Memorandum Order, at 2-3 (D.D.C. Nov. 29, 2017) (Dkt. No. 2). The magistrate concluded “that such a result would be inconsistent with the intent of Congress in enacting the [SCA],” which typically only applies to companies like traditional internet service providers, email providers or phone companies. Id. at 3 & n.3.

The government appealed the magistrate’s denial of its application, and Chief Judge Howell reversed the magistrate in an 18-page opinion issued on March 8th and recently unsealed with redactions. See In re Application of the United States for an Order Pursuant to 18 U.S.C. § 2703(d), Misc. No. 17-2682, 2018 WL 1521772 (D.D.C. Mar. 8, 2018).

The court held that Royal Caribbean is a covered provider under the SCA because it “provides passengers the ability to access the internet,” and this remains the case “regardless of whether its primary business function is the provision of ECS.” Id. at *5. The court found that the SCA’s definition of an ECS “captures any service that stands as a ‘conduit’ for the transmission of wire or electronic communications from one user to another.” Id. at *6 (quoting Council on Am.-Islamic Relations Action Network, Inc. v. Gaubatz, 793 F. Supp. 2d 311, 334 (D.D.C. 2011)). Chief Judge Howell went on to conclude that it is irrelevant whether the government could have sought records from the ISP that provided internet connectivity to Royal Caribbean because “whether the government may compel an entity to disclose records concerning electronic communications service turns not on whether the entity ‘owns’ the means by which such service is provided, but on whether the entity ‘provide[s]' such service.” Id. (quoting 18 U.S.C. 2703(c)).[1]

The court also observed that Royal Caribbean is not a provider of “free WiFi,” but instead “charges passengers to access the internet, whether wirelessly or through an internet café.” Id. at *7. The court appears to have pointed this out in response to the magistrate’s concern that adopting the government’s position would render every business that offers free Wi-Fi subject to the SCA. The Chief Judge, however, never addresses the fact that free services are equally subject to the SCA. See, e.g., In re Search of Information Associated with [redacted]@gmail.com That is Stored at Premises Controlled by Google, Inc., No. 16–mj–00757 (BAH), 2017 WL 3445634 (D.D.C. July 31, 2017) (Howell, J.) (applying the SCA to free email services). Thus, the fees Royal Caribbean charges for its internet service are irrelevant to whether Royal Caribbean is providing an SCA-covered service.

Lessons for Companies Providing Internet Access

As the opinion makes clear, “[e]ntities covered by the SCA face serious penalties for violations of the Act, including actual damages of not less than $1,000 per offense, punitive damages in certain cases” and imprisonment. Royal Caribbean, 2018 WL 1521772, at *4.

Not mentioned by the court, but equally important in these days of heightened sensitivity to privacy issues, is the risk of reputational harm that a business can suffer for mistakes in this area. Accordingly, any business providing internet access, via Wi-Fi hotspots or otherwise, to customers or any member of the public must understand:

1. What data it collects about the use of its internet access services;
2. The SCA’s prohibitions regarding disclosure of that data; and
3. The business’s obligations under the SCA upon receipt of a legal demand—such as a search warrant, court order or subpoena—for that data.[2]

If you have questions about your obligations under the SCA and any changes your company may need to consider to be compliant, contact experienced counsel.

ENDNOTES

[1] There is, however, an important distinction between businesses that use ECS services and those—like Royal Caribbean—that provide them. For example, an e-commerce website that simply allows customers to buy or sell products but does not provide them with any means of communicating with third parties is considered a “user” of an ECS, not a “provider” of such services subject to compliance obligations under the SCA. See, e.g., United States v. Standefer, No. 06-CR-2674-H, 2007 WL 2301760, at *1, *5 (S.D. Cal. Aug. 8, 2007) (e-gold was not covered by the SCA because it simply “allows the instant transfer of gold ownership between users utilizing the internet”); Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001) (Amazon only allows customers to send electronic communications directly to Amazon and therefore does not provide electronic communication services under the SCA).

[2] While the court found that an entity providing internet access to its customers is subject to the SCA, this holding does not affect FCC guidance that such entities are not required to reconfigure their networks to comply with the real-time (e.g., wiretaps) surveillance assistance requirements of the Communications Assistance for Law Enforcement Act, 47 U.S.C. § 229, §§ 1001-1010 (“CALEA”). See In re Commc’ns Assistance for Law Enforcement Act and Broadband Access and Servs., First Report and Order, 20 FCC Rcd. 14989, at ¶ 36 & n.99 (Sept. 23, 2005) (establishments such as “hotels, coffee shops, schools, libraries, or book stores” “that acquire broadband Internet access service from a facilities-based provider to enable their patrons or customers to access the Internet from their respective establishments are not considered facilities-based broadband Internet access service providers subject to CALEA”). Rather, the CALEA compliance requirements fall on the underlying provider of facilities-based broadband internet access service from whom the entity purchases internet access services. Id. ¶ 36.

© 2018 Perkins Coie LLP