Can You Sue If a Computer Reads Your E-mail?
Thanks Dan for the welcome, and I’m excited to be guest-blogging at Concurring Opinions again. I had intended my first post to be a continuation of the discussion Dan and I were having in the comments last week about heightened review for subpoenas to unmask anonymous actors on the internet, but events have overtaken me. Orin Kerr over at the Volokh Conspiracy has put up a post querying whether network-level filtering for copyright-infringing materials would violate the Wiretap Act; Orin appears to believe that it would, at least without consent from every potential sender of material that was scanned. This merges two of my areas of interest, copyright and electronic privacy law.
First of all, the report is a little sketchy, but it looks to me like the topic came up as possibly an off-the-cuff remark or an answer to a question at the CES conference in Las Vegas. It doesn’t appear that anyone is proposing implementing this right away. But the idea seems to be that network intermediaries — either ISPs serving individual subscribers, such as Comcast or Verizon, or perhaps ISPs closer to the Internet backbone, such as Level 3 or Sprint — may be able to use fingerprinting technologies to detect and block copyrighted content transiting the network as a way of preventing infringement.
There might be all sorts of practical problems with this. How would a filter distinguish between authorized and unauthorized downloads, for example? But that’s not what intrigues me right now. The question I want to focus on is, would this violate the Wiretap Act? It’s arguable, but I don’t think it would. I don’t believe an automated scan of communications, where no permanent copy is made, violates the Act.
Of course, as a cautious lawyer (perhaps a redundant description), I’d certainly advise any telecommunications company to be wary before proceeding here. The ECPA, including the Wiretap Act, is a convoluted statute with a lot of unclear terminology. In essence, the Wiretap Act prohibits intentional interception of an electronic communication. There’s an exception for consent — that’s why receiving an email is not a violation of the Act — but Orin’s already indicated why consent might be hard to obtain here from everyone. Could telecommunications companies do this kind of filtering without consent?
I agree with Orin that it doesn’t seem that the exceptions allowing service providers to intercept communications for business-related reasons — Sections 2510(5)(a)(ii) and 2511(2)(a)(i) — would be of much help. In order to take advantage of the first of these exceptions, the service provider would need to be able to claim that filtering traffic for files infringing on the rights of others is “the ordinary course of its business.” Perhaps that will become the ordinary course of business someday, but it doesn’t seem to be right now. The second provision cited above specifically rules out “utiliz[ing] service observing or random monitoring” except for quality control, so that’s no help either.
Nevertheless, I think there may be room in the Act for automated filtering. It all hinges on the definition of the term, “intercept.” The central provision of the Wiretap Act makes any person who “intentionally intercepts … any wire, oral, or electronic communication” liable. “Intercept” is defined as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” So, in order to violate the Act, one has to (1) intentionally (2) use a device to (3) acquire (4) the contents of a communication.
What does it mean to “acquire” the contents of a communication? That has always been a little unclear. Here’s what I wrote in a chapter on civil applications of the ECPA in the PLI treatise, Proskauer on Privacy:
The issue of what qualifies as “acquisition” has proven more difficult. “Acquisition” is not defined in the act, nor is its interpretation necessarily straightforward. For example, are the contents of a communication that is routed somewhere other than the intended destination, but not listened to or recorded, “acquired” for purposes of the act? What about a communication that is recorded but not listened to? Or a communication that is recorded pursuant to an exception, such as by a party, but later acquired and listened to by someone else?
Courts have struggled with the answers to these questions ever since the Wiretap Act was adopted. For example, a telephone conversation may be intercepted by attaching a wire to a telephone line and stringing that wire to a speaker where the conversation is converted back to sound and overheard by a third party. At what point has interception occurred? One theory is that the interception occurs at the moment the signal in the line branches off to the wire installed by the wiretapper. The newly installed wire itself is the “device,” and the diverted signal is the “acquisition,” even if no speaker is attached at the other end. An alternative theory is that the interception occurs when the signal is converted back to sound at the speaker attached to the wire; the speaker is the relevant “device,” and the reconversion to a human-perceptible form is the “acquisition.” A third alternative is that the interception only occurs if a human listener hears the sound waves produced by the speaker. The speaker is still the “device,” but acquisition does not occur unless a human listener is there to overhear the conversation.
In most cases involving live surveillance of the sort just described, the dividing line between wire, speaker, and listener will not be of critical importance, since all three events will occur nearly simultaneously, and it will likely be the case that the same person or group of people attached the wire and the speaker and are using the apparatus. But interception can also be accomplished by recording a communication for later playback. In such a case, does the interception occur
(a) when the signal is diverted;
(b) when the recording is made; or
(c) when the recording is listened to?
One early case to resolve this issue looked at a tape recording that had been made by one participant in a drug transaction. United States v. Turk, 526 F.2d 654 (5th Cir. 1976). When the police searched his car, they found the tape and listened to it. The other person on the tape, Frederick Turk, was then charged with perjury for having lied to the grand jury. When the police listened to the tape, was that an interception in violation of the Act? The Fifth Circuit said no — the first acquisition occurred when the recording was made, with the recorder serving as the “agent of the ear.” Turk’s colleague intercepted the conversation by recording it, but he did so with consent — his own. The police then acquired a lawfully intercepted recording. Most courts have followed Turk — an acquisition occurs no later than the point some device records the conversation, even if the recording is destroyed without anyone ever listening to it. As the Turk court put it, “In a forest devoid of living listeners, a tree falls. Is there a sound? The answer is yes, if an active tape recorder is present, and the sound might be thought of as ‘aurally acquired’ at (almost) the instant the action causing it occurred.”
OK, so copying a communication is enough for a violation, even if no human ever reads it or listens to it. But what about the situation where no recording is made and no human is present to read or listen to the content at issue? For example, suppose a wire communication is tapped, and the tap goes to a speaker in an empty room, where it goes unheard. Is that still an “aural or other acquisition”? Turk waffled on that point, and there have been very few cases that have looked at it. One was the Fourth Circuit’s decision in Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994), a case premised in part on the somewhat dubious conclusion that recording incoming calls to help capture bomb threats is not use “in the ordinary course of business.” In another part of the opinion, the court reached the issue of whether conversations that were picked up by a microphone in a security office and, unbeknownst to everyone, were directed to a speaker in another area of the plant that apparently was set to a very low volume, had been “aurally or otherwise acquired” under the Act. The court held that it was “satisfied” that no acquisition had occurred. A district court in New Jersey reached a similar conclusion, holding that acquisition occurs when a device either directs a conversation to a human or when it is “permanently memorialized, a feat impossible for a wire to perform.” Pascale v. Carolina Freight Carriers Corp., 898 F. Supp. 276, 280 n.1 (D.N.J. 1995).
I think these decisions are a reasonable interpretation of “acquisition.” Acquisition means enabling a human to perceive the contents of a communication, either by bringing that communication to a place where humans are present, or by recording it for future perception. If that is the correct interpretation of “acquisition,” then automatic scanning of the contents of a communication by a computer is not “acquisition.” It neither carries those contents to a human for perception, nor does it capture them for later perception. So programs like Google’s Gmail service, which automatically scans email content for advertising keywords, would be fine even without consent on this view. So would the ISP filtering at issue in Orin’s post, so long as no contents from the communication are recorded or transmitted to humans. Indeed, given that qualification, it’s hard to see what the privacy harm from such automatic scanning would be. Assuming nonsentient computers, who cares if a computer reads your email and never tells anyone about it?