A Reminder: You Can’t Subpoena Non-Party ISPs for Emails in Civil Suits

I ordinarily wouldn’t blog about an unpublished short opinion from a magistrate judge in the Northern District of Mississippi (even though great things do come from there), but I view this as the leading edge of a wave of such opinions. In J.T. Shannon Lumber Co. v. Gilco Lumber, Inc., 2008 U.S. Dist. LEXIS 104966 (N.D. Miss. Aug. 14, 2008), Magistrate Judge S. Allan Alexander quashed the plaintiff’s Rule 45 subpoenas on Microsoft, Google, and Yahoo, which sought the “entire contents” of the email accounts of three of the individual defendants, employees of Gilco.

In addition to the ridiculously overbroad nature of the requests (all of the emails in their personal accounts?), J.T. Shannon’s subpoenas ran up against the Stored Communications Act (SCA), Title II of the Electronic Communications Privacy Act. The SCA prohibits a non-party ISP from disclosing emails to litigants in a civil case without the consent of its subscriber. This law may seem counterintuitive to litigation attorneys, who are used to being able to subpoena whomever they want within the scope of the Federal Rules of Civil Procedure. But the SCA is not incredibly onerous; it just means you have to request that the party produce their own emails, not the ISP.

The first case to note this limitation on discovery practice imposed by the SCA was FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000), but since that was a federal agency enforcement action, it may not have received much attention outside of that context. However, since the California Court of Appeals applied the same reasoning in an ordinary civil case in O’Grady v. Superior Court, 139 Cal. App. 4th 1423 (2006), the SCA’s marker has clearly been placed. I expect a surge of such cases in the future as attorneys unfamiliar with electronic privacy law begin looking for emails in ordinary civil matters.

18 U.S.C. § 2702 limits what an ISP can disclose about their subscribers.  Section 2702(a) provides that neither an “electronic communication service” nor a “remote computing service” to the public may disclose the contents of any communication stored on the provider’s network to any person, with just a few exceptions. One is with the consent of the subscriber, obviously. There are other exceptions for responses to administrative subpoenas, grand jury subpoenas, or trial subpoenas from a “governmental entity.” But there is no exception for ordinary pre-trial discovery.

For reasons that are too complicated to go into here, I think the ISP holding old emails is best viewed as a “remote computing service,” not an “electronic communication service,” under the Act, but it doesn’t matter; in either case, the ISP cannot disclose emails in response to a civil subpoena. The J.T. Shannon court went even further, however, and said that ISPs cannot even disclose customer records to a private litigant, citing Section 2702(c). Customer records include such things as the name and address of the subscriber, a record of access times, and everything other than the contents of communications. But there’s a difference between the two anti-disclosure rules. Section 2702(a)(1) and (2) provide that ISPs cannot disclose the contents of communications to anyone, other than pursuant to an exception. Section 2702(a)(3), however, only prohibits ISPs from disclosing customer records “to any governmental entity.” (See also § 2702(c)(6).) Selling those records to telemarketers, for example, is A-OK, at least under the SCA. And so, it would seem, is responding to a civil subpoena for “non-content” records.

There’s one wrinkle in that argument, which is that attorneys sending a Rule 45 subpoena do so as officers of the court, Fed.R.Civ.P. 45(a)(3), and one might think that the court is a “governmental entity,” so an ISP could not disclose even customer records in response to a civil subpoena. “Governmental entity” is defined in 18 U.S.C. § 2711(4) as “a department or agency of the United States or any State or political subdivision thereof.” Is the judiciary a “department or agency of the United States”? I don’t think so; that sounds like it is referring to executive departments and independent agencies. There have been decisions that have held courts to be “governmental entities,” but those decisions did not discuss the actual definition of the term. The issue does not arise often since most subpoenas will be seeking the contents of emails anyway.

This Post Has 4 Comments

  1. Rand Levin

    How do you reconcile the JT Shannon case with the Flagg v. City of Detroit case? 2008 U.S. Dist. LEXIS 64735 (E.D. Mich. Aug. 22, 2008) 252 F.R.D. 346

  2. Bruce E. Boyden

    Rand, thanks very much for the cite to Flagg, and you raise a great question. The Flagg case, for those who aren’t familiar with it, is one of a series of lawsuits that arose last year involving the text messages of former Detroit mayor Kwame Kilpatrick and his chief of staff Christine Beatty. I had seen press reports of another proceeding in the case, noted here: http://volokh.com/posts/1206816208.shtml — but I somehow missed the federal court decision in Flagg.

    The bottom line is that Flagg is consistent with what I said above, but it takes a while for the court to get there. First, it looks like the defendants — the City, Kilpatrick, and Beatty — made an extreme version of the SCA argument. They argued that the “consent” exception to Section 2702 only applies to unforced, completely voluntary consent. I.e., they argued that they could not even be forced to consent by court order, and without such “real” consent, the messages could not be produced.

    Whatever that has going for it as a philosophical conundrum (do you “consent” to turning over your money to a mugger?) it didn’t persuade the judge. When you get a Rule 34 document request, you can either consensually produce the documents or try your luck in court. If the court orders you to produce them, again you can consensually comply, or risk contempt sanctions. The fact that a court order is involved doesn’t invalidate consent for purposes of Section 2702.

    The trickier question, and one the opinion spends a fair amount of time on, is *who* exactly can consent to the production of the text messages. And there, the distinction between ECS’s and RCS’s I blew by in the post above becomes critical. An electronic communication service provides users with the ability to send and receive non-voice electronic communications. A remote computing service provides remote storage and data processing. The critical distinction is that Section 2702 permits only the sender or receiver of ECS communications to consent to disclosures, but allows an RCS *subscriber* to consent to disclosures from an RCS. The subscriber is whoever pays the bills on the account, not necessarily who wrote or received the communications that are stored there.

    In Flagg, the sender and receiver were Kilpatrick and Beatty, but the subscriber to the text messaging account was the City. So, where does the plaintiff have to send the document request? (One answer that is ruled out is serving a Rule 45 subpoena directly on the ISP, Skytel, which is apparently what Flagg in fact did. The court avoided ruling on whether that was permissible, “instructing” the plaintiff to draft a Rule 34 request instead, but that seems to me to have been an overabundance of caution.) The court concluded, contrary to the recent 9th Circuit decision in Quon v. Arch Wireless, that the messages were being held by an RCS provider, even though it had also provided ECS at one time to the City, and that therefore the “subscriber” — the City — could consent to production. So, the judge instructed, Flagg should serve a Rule 34 request on the City.

    I frankly don’t get why it really matters in this case. All 3 relevant persons — the subscriber, the sender, and the recipient — are parties to the case. Even if the text messages were being held by an ECS, Flagg could serve Rule 34 requests on Kilpatrick and Beatty. But the court instead goes on a tangent about how Beatty and Kilpatrick could be said to have impliedly consented to the City’s ability to request the messages from Skytel, so a Rule 34 request on the two individuals would not be necessary. I’m not sure that works under the SCA, and I think the analogy to the Wiretap Act is inapt. Under the Wiretap Act, an interceptor of communications can do so with consent. So the City could intercept text messages with Kilpatrick’s or Beatty’s implied consent. But under Section 2702, it’s the ISP that needs the consent, not the City. I don’t think the City saying to the ISP, “Trust us, they consented,” should be sufficient.

    I think what’s going on here is the judge is attempting to preserve as much of a previous magistrate judge order as possible, in which the magistrate judge set up a detailed procedure for in camera review of the messages. Also, I suspect there might be some interplay with public records law. If the messages can only be produced by requesting them from the individuals and not the City, that might undercut the argument that they are public records (I’m just speculating here; otherwise I’m not sure why it matters).

  3. Donald Hill

    Given the different perspectives from which the various courts seem to approach the discovery of personal emails, what is your opinion of the best manner to proceed to avoid discovery objections and possible sanctions in seeking to discover emails between defendants in an ongoing Federal District Court case?

    Thank you for your time and consideration.

  4. Bruce Boyden

    Donald, following the recommendation in Flagg, I think the best way to obtain emails or any other electronic message held in an account under the user’s control is to serve a Rule 34 document request on the user (perhaps after first identifying the existence of such messages via interrogatories). Electronic communications stored by an ISP are documents, just like paper documents being stored in a bank safe deposit box or rental storage unit, and since they are typically within the user’s “possession, custody, or control” they can be requested directly from the user. It will be up to the party receiving the request at that point to review the documents for relevance, responsiveness, privilege, and other objections, just like any other document request.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.