Indiana University

Stored Communications Act needs revisions, IUís Cate tells house committee

In testimony before the U.S. House Judiciary Committee Sept. 23, Indiana University Maurer School of Law Distinguished Professor Fred Cate called for revisions to the Stored Communications Act (SCA), a piece of legislation that regulates how and when authorities can obtain electronically stored communications.

Cate, director of IU's Center for Applied Cybersecurity Research, said the rise of "cloud computing" -- the increasingly common method of storing data externally, allowing it to be accessed from multiple locations through an Internet connection -- has created the need for clearer and more concise laws.

Fred H. Cate

Fred H. Cate

The SCA essentially serves as an extension of the Fourth Amendment to protect users' data -- such as e-mails or other documents -- from unlawful searches. However, the legislation is often criticized for being dense and confusing, Cate said.

"Law enforcement officials, service providers, and courts have considerable difficulty understanding and applying the statute," Cate said. "The result is that it is often misapplied. This situation serves no one's interest, because it means that the SCA provides inadequate protection for privacy and inadequate certainty for when law enforcement can access important information."

In 1986, when the SCA was enacted, e-mail was in its infancy among the general public and data was stored locally due to excessive storage costs. Technology has advanced dramatically in the two decades since, but the law has not, Cate said. Today e-mails are stored in an almost unlimited amount of space on external servers, complicating the SCA's time qualifications for various search procedures.

Consider the different standards required by authorities to obtain access to one e-mail message:

"Under the framework of which the SCA is a part, e-mail gets one standard of protection while being composed and later retained in a 'sent' mail folder, one while in transit, one in remote storage until opened or 180 days has passed, and one standard after being opened or 180 days has passed," Cate said. "This is inadequate protection: inadequate to protect privacy and inadequate to provide government officials with clarity about what they are permitted by law to access and the procedures they must follow when they do so."

Cate concluded his testimony by urging the committee to consider a new set of proposals put forth by the Digital Due Process Coalition, of which Cate is a member. Those proposals, with broad industry and academic support, provide substantive privacy protection while giving law enforcement clear and easy-to-understand guidance in the access process.

Cate is a Distinguished Professor, the C. Ben Dutton Professor of Law, and an adjunct professor of Informatics and Computing at Indiana University. He is the founding director of IU's Center for Applied Cybersecurity Research (CACR), a National Center of Academic Excellence in Information Assurance Education and in Information Assurance Research, and part of Indiana University's Pervasive Technology Institute. He is the president of the Phi Beta Kappa Society and an elected member of the American Law Institute.