Stored Communication Act: New Considerations for Webmasters

CIOs, webmasters and managers responsible for establishing and administering policies for websites, intranets and extranets should take note of a recent federal decision regarding the Stored Communication Act (SCA). The details of your online use policies could mean the difference between protection or exclusion from this federal law.

The Stored Communication Act and Its Exclusions

The SCA protects facilities "through which an electronic communication service is provided" from unauthorized access or interception. Seemingly, this law broadly protects websites, email inboxes, intranets, IMs, weblogs, message boards, social networking sites, wikis and just about every other form of electronic communication that requires a registration and login.

The SCA punishes not only those who "intentionally access without authorization," but also those who "exceed an authorization."

There is, however, a critical exclusion from the SCA. The law will only apply if a facility is not "readily accessible to the general public." 18 U.S.C. § 2511(2)(g). This is a higher standard than it sounds, and not all user registration schemes meet the requirement.

In early web years, the requirement that a facility be not readily accessible to the general public may not have been terribly important. The SCA was enacted in 1986 as part of the Electronic Communications Privacy Act of 1986. At that time, very few people were actually using the web. Today, given the ubiquitous nature of the web, the SCA's "readily accessible" exemption has become extremely important, as the following recent federal case illustrates.

Snow v. DirectTV

In Snow v. DirectTV, Inc. (11th Cir. 2006), plaintiff Michael Snow alleging that DirectTV and its law firms violated the SCA while accessing his now-defunct site,

Snow's action arose as a byproduct of DirectTV's campaign against individuals suspected of stealing its encrypted satellite transmissions using "pirate access devices." In the course of investigations related to a case against Snow, DirectTV and its law firms accessed message boards on, which had evolved into a community for people targeted by DirectTV lawsuits.

DirectTV and its agents didn't hack into the message boards. Instead, they simply submitted a completed a registration form, agreed to the terms of use, and were granted access to the boards. It's interesting to note that the terms of use stated that DirectTV was not allowed to access the message boards.

The federal appeals court ruled that although DirectTV had accessed the private message boards against the terms of use to which it had agreed, this conduct was not enough to give protection under the Stored Communications Act.

Such deceptive behavior, according to the court, does not necessarily run afoul of the SCA. "If by simply clicking a hypertext link, after ignoring an express warning, on an otherwise publicly accessible webpage, one is liable under the SCA, then the floodgates of litigation would open and the merely curious would be prosecuted ... Thus, the requirement that the electronic communication not be readily accessible by the general public is material and essential to recovery under the SCA."

In light of the Snow decision, websites cannot rely solely on a strongly-worded terms of use for comprehensive protection. Webmasters who want to avail themselves to the SCA need to ensure adequate steps are taken to limit the facility's public access.

Limiting Public Access

"In order to be protected by the SCA, an Internet website must be configured in some way so as to limit ready access by the general public," the Snow case holds

What precisely does this mean? Evidently, basic online registration schemes used by many sites do not meet the SCA's requirements.

As an example the type of online registration scheme that does qualify for SCA protection, the Snow opinion cites Konop v. Hawaiian Airlines, Inc. There, plaintiff Konop created a list of Hawaiian Airlines employees who were eligible to access his website, which contained critical comments about the airline's management. "To gain access, one had to enter an eligible employee's name, create a password, and click 'SUBMIT' indicating acceptance of the terms and conditions, which prohibited users from disclosing the website's contents and prohibited viewing by Hawaiian Airlines management."

While pre-defining users may strike some webmasters as an unpractical form of registration, there may be some efficient ways to limit pubic access. For example, a facility could pre-define users after they pass a minimal background investigation, which might include email and telephone verification.

Most online facilities have both public and private areas, which require different levels of security. Limiting public access need not apply to the entire facility. In the case of a law firm website, portions of the site, say a private extranet, should be accessible only to predefined clients.

As web usage continues to expand, those responsible for online facilities should review technical policies and consider taking additional steps to limit public access, in order to stay within the protection boundaries of the Stored Communications Act. This is especially the case where the facility's communications are private in nature.