California Court: Passwords Are Communications, Protected By The Stored Communications Act
The Stored Communications Act - enacted in 1986 - is not only outdated, it's also pretty weird. An amendment to the ECPA (Electronic Communications Privacy Act), the SCA added and subtracted privacy from communications.
It's the subtractions that are bothersome. Law enforcement wasn't too happy that a lot of electronic communications were now subject to warrant requirements. They much preferred the abundant use/misuse of subpoenas to force third parties into handing over stuff they didn't have the probable cause to demand directly from criminal suspects.
Private parties - especially those engaged in civil litigation - also preferred to see fewer communications protected by the ECPA. So, this law - which declared every unopened email more than 180 days old fair game - was welcomed by plenty of people who didn't have the general public's best interests in mind.
The government tends to make the most use of the ECPA and SCA's privacy protection limitations, using the law and legal interpretations to access communications most people logically assumed the government would need warrants to obtain.
But the SCA also factors into civil litigation. In some cases, the arguments revolve around who exactly is protected by the law when it comes to unexpected intrusion by private parties. This case - one highlighted by FourthAmendment.com (even as the site owner notes it's not really a Fourth Amendment case) - is international litigation involving US service providers. It deals directly with the Stored Communications Act and what it does or does not protect.
This lawsuit was brought by Path, an Arizona corporation, and its subsidiary, Tempest. Central to the litigation is Canadian citizen Curtis Gervais, who apparently was hired as an independent contractor by Tempest, which promoted him to the position of CEO in February 2022. A few months later, Gervais allegedly hacked into the computers of a competitor (Game Server Kings ["GSK"]), leading to Tempest demoting (lol) Gervais to COO (Chief Operating Officer).
This demotion apparently didn't sit well with Gervais, who allegedly began sharing confidential Tempest information with GSK, utilizing communications platform Discord to hand over this information to GSK employees.
So, it's three American companies and one Canadian individual wrapped up in a dispute over ex parte demands to disclose information to the plaintiffs (Path/Tempest). Discord challenged the subpoenas, which asked for - among other things - any passwords used by Gervais to log into its services.
That's where it gets interesting. Very few courts have considered what's explicitly covered by the SCA and/or what can be obtained with subpoenas issued under this authority.
As is implied by both laws in play here (Electronic Communications Protection Act, Stored Communications Act), the protections (or lack thereof) apply to communications. Path argued that its subpoenas did not exceed the grasp of these laws, despite demanding Discord hand over Gervais' passwords. According to the plaintiffs, passwords aren't communications.
But that's a very reductive view of passwords, something Discord pointed out in its challenge of the subpoenas:
Applicants argue passwords are not afforded protection under the SCA because passwords should not be considered "content." Discord argues passwords are implicitly included within the SCA's prohibitions because passwords implicate communications. In other words, Discord argues that passwords are content under the SCA because they are "information concerning the substance, purport, or meaning" of a communication.
The court [PDF] says Discord is correct. But only after a lot of discussion because, as the court notes, this is "an issue of first impression." It has never been asked to make this determination prior to this unique set of circumstances. But, despite the lack of precedent, the court still delivers a ruling that sets a baseline for future cases involving SCA subpoenas.
It begins by saying that even if the language of the SCA doesn't specifically include passwords in its definition of "content," it's clear Congress meant to add protections to electronic communications with this amendment, rather than lower barriers for access.
The legislative history agrees with a broad interpretation of "content." Congress explained that the purpose of enacting the SCA was to protect individuals on the shortcomings of the Fourth Amendment. Specifically, Congress enacted the SCA due to the "tremendous advances in telecommunications and computer technologies" with the "comparable technological advances in surveillance devices and techniques." The SCA was further meant to help "Americans [who] have lost the ability to lock away a great deal of personal and business information."
With this analysis of the scope of the term "content" under the SCA in mind, the Court now turns to determine if passwords are afforded protection under the SCA under that understanding of the definition of the term "content." Passwords are undoubtedly a form of "information." And passwords broadly "relate to" (or are "concerning") the "substance, purport, or meaning of [a] communication" even if passwords are not themselves the content of a communication. Passwords further relate to a person's intended message to another; while a password is not the content of the intended message, a password controls a user's access to the content or services that require the user to prove their identity. As a matter of technological access to an electronic message, a password thus "relates to" the intended message because without a password, the author cannot access their account to draft and send the message (and the user cannot access their account to receive and read the message). When a person uses a password to access their account to draft and send a message, that author inherently communicates to the recipient at least one piece of information that is essential to complete the communication process: namely, that the author has completed the process of authentication. The password is information or knowledge which is intended to convey a person's claim of identity not just to the messaging system but also implicitly to the recipient. As such, within the context of electronic communication systems, passwords are a critical element because they convey "an essential part" of the communication with respect to access and security protocols.
The dispute at issue here demonstrates the inherency of communicating about passwords when using a messaging platform such as Discord: when the user of the "Archetype" sent messages demanding ransom for the stolen source code, those messages conveyed to the recipients that the author is or was an authentic or authorized user of the "Archetype" account who used and had access to the password for that account. That password for that account thus is information concerning that communication, even if the password is not itself written out in the content directly.
In addition to all of that, there's the undeniable fact that if you're able to obtain login info (including passwords) with a subpoena, it doesn't matter if courts limit the reach of demands for communications. If you have the keys to the accounts, you have full access to any stored communications, whether or not this access has been explicitly approved by a court.
With this password in hand, a litigant (or their ediscovery consultants) would have unfettered access to all communications within the account holder's electronic storage, without regard to relevance, privilege, or other appropriate bounds of permissible discovery. In other words, litigants could circumvent the very purpose of the SCA by simply requesting that a service provider disclose the password for a user account, ultimately vitiating the protections of the SCA.
No court would allow the government to claim this is acceptable under the SCA and/or the Constitution. And no court should allow it just because it's litigation involving only private parties. This particular demand cannot be honored without violating the law. And the companies behind the subpoenas know this because they obviously have zero interest in obtaining nothing more than Gervais' login info.
The only conceivable use for the passwords here is for Applicants to access the requested accounts (such as "Archetype") and view the contents of all electronically stored communications in those requested accounts.
That's clearly the litigants' intent. And it doesn't mesh with the legislative intent, which was to create a few new protections for then-newfangled electronic communications. This particular demand is rejected. The subpoenas are still alive, but they're no longer intact. If the suing entities want access to the defendant's communications, they'll have to do it the old-fashioned way: by making discovery requests that remain on the right side of the law.