The following white paper was released by the Department of Justice on May 9, 2014.
Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
- 7 pages
- May 9, 2014
Improved information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats. As companies continue to adopt the newest technologies, these threats will only become more diverse and difficult to combat. Ensuring that information concerning cyber threats that U.S. companies detect on their domestic networks can be quickly shared will assist those companies in identifying new threats and implementing appropriate preventative cybersecurity measures. But sharing must occur without contravening federal law or the protections afforded individual privacy and civil liberties.
We understand that the private sector would benefit from a better understanding of whether the electronic communications statutes that the Department of Justice (DOJ) routinely interprets and enforces prohibit them from voluntarily sharing useful cybersecurity information with the government. Companies have affirmatively expressed the desire to share information with the government, but have had questions about exactly what information may lawfully be shared. Overly expansive views of what information is prohibited from voluntary disclosure could unnecessarily prevent the sharing of important information that would be used to enhance cybersecurity, thereby thwarting opportunities to address a substantial challenge facing our modern society.
In the interest of advancing discussions in this important area, DOJ has prepared this paper providing its views on whether the Stored Communications Act (18 U.S.C. § 2701 et seq.) (SCA) restricts network operators from voluntarily sharing aggregated data with the government that would promote the protection of information systems. We hope that this analysis will help companies make informed decisions about what information legally may be shared with the government to promote cybersecurity.
Issue: Whether the SCA prohibits an electronic communication or remote computing service provider from voluntarily disclosing “aggregate” non-content information to the government.
As a consequence of providing communications services, electronic communications service (ECS) and remote computing service (RCS) providers possess a variety of information that is useful for cybersecurity purposes. Federal law, however, regulates whether and how communications service providers may divulge such information. In particular, the SCA generally prohibits communications service providers “to the public” from disclosing certain types of information. Sections 2702(a)(1) and (2) prohibit the voluntary disclosure of specified content by a provider of ECS or RCS, respectively, to anyone, including a governmental entity, generally unless an exception applies under section 2702(b). In addition, section 2702(a)(3) prohibits communications service providers from disclosing to governmental entities “a record or other information pertaining to a subscriber to or customer of such service,” which the SCA specifies does not include the contents of communications. Again, that prohibition generally will apply unless there is an applicable exception under section 2702(c). Thus, communications service providers furnishing services to the public cannot, absent further legal process or another applicable exception, share with the government either specified content or non-content “record[s] or other information pertaining to a subscriber to or customer of such service.” A violation of these restrictions does not carry with it criminal liability under the SCA, but it could subject a communications service provider to civil liability under 18 U.S.C. § 2707.
The SCA clearly restricts communications service providers from sharing some information they possess as a consequence of providing communications services; however, communications service providers have asked whether non-content aggregate information falls within section 2702(a)(3)’s restriction on sharing “record[s] or other information pertaining to a subscriber to or customer of such [i.e., the ECS or RCS] service.” The SCA does not define the scope of information covered by section 2702(a)(3). See In re Application of the United States of America for an Order Authorizing Disclosure of Location Information of a Specified Wireless Telephone, 849 F.Supp.2d 526, 573 (D. Md. 2011) (“The statute offers no definition nor explanation of what constitutes ‘records’ or ‘information pertaining to a subscriber.’”). In particular, it does not expressly address whether information in aggregate form “pertain[s] to a subscriber . . . or customer.”
Despite the lack of explicit language in the statute, we believe the SCA’s text, structure, purpose, and legislative history, as well as the scope of other federal statutes that regulate the disclosure of customer information by telecommunications companies, support an interpretation of section 2702(a)(3) that would not prohibit a communications service provider from disclosing non-content information to the government that is in aggregate form. That is so, we believe, as long as the aggregation of data results in records or other non-content information that does not identify or otherwise provide information about any particular subscriber or customer. Where information is aggregated but still provides information about a particular subscriber or customer, we believe that section 2702(a)(3) prohibits disclosure to the government.
For example, many of the characteristics of cyber threats can be shared, if they do not pertain to any specific customers or subscribers. Similarly, characteristics of a computer virus or malicious cyber tool that do not divulge subscriber or customer-specific information (e.g., the associated file size, protocol, or port) could be shared. Information about Internet traffic patterns is also susceptible to lawful sharing if divulged in aggregate form. A communications provider could, for example, report to a governmental entity an anomalous swell in certain types of Internet traffic traversing its network or a significant drop in Internet traffic, which could be harbingers of a serious cyber incident.
At the outset, Congress apparently intended for the SCA’s restrictions on disclosure of non-content information to be less stringent—or at least less absolute—than restrictions on disclosure of the content of communications. Sections 2702(a)(1) and (2) prohibit a communications service provider from disclosing covered content from a subscriber or customer’s communications to any person, subject to certain exceptions. In contrast, the restriction in section 2702(a)(3) applies only to disclosure to government entities. Further, and directly relevant to the issue at hand, the restriction in section 2702(a)(3) is explicitly limited to disclosure of only “record[s] or other information pertaining to a subscriber to or customer of such service.” (Emphasis added). To give appropriate meaning to Congress’s inclusion of this specific requirement, the phrase “pertaining to a subscriber . . . or customer” should be interpreted to mean something more exact than any non-content information in an ECS or RCS provider’s possession. Cf. Organizacion JD Ltda. v. U.S. Dep’t of Justice, 124 F.3d 354, 359-61 (2d Cir. 1997) (interpreting Congress’s use of the term “customer” rather than “persons” in the Electronic Communications Privacy Act to intentionally narrow the scope of aggrieved parties who may bring a cause of action under section 2707).
In addition, we note that the SCA refers to “a subscriber to or customer of” an ISP rather than “subscribers or customers.” This use of the singular noun indicates that Congress was concerned with information that identifies or otherwise provides information about a particular subscriber or customer, rather than information loosely associated with groups of unknown subscribers or customers, such as the total number of a provider’s customers, or traffic flow across its network. Cf. United States v. Hayes, 555 U.S. 415, 421-22 & n.5 (2009) (treating Congress’s use of the singular rather than plural as meaningful when context supports that interpretation).
This interpretation is consistent with the purposes for which the SCA was enacted. The SCA, which was passed as part of the Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986) (ECPA), was intended to provide statutory protection for personal privacy rights in light of the “third-party doctrine” endorsed by the Supreme Court in United States v. Miller, 425 U.S. 435 (1976). Mindful that, under Miller, customer information in the possession of communication service providers might not receive Fourth Amendment protection, Congress enacted the SCA to ensure that such information was not subject to “wrongful use [or] public disclosure by law enforcement authorities [or] unauthorized private parties.” S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557. See also id. at 3, 5 (stating that “[f]or the person or business whose records are involved, the privacy or proprietary interest in that information should not change” because it is stored or processed by a third-party, and that “Congress must act to protect the privacy of [American] citizens . . . [lest it] promote the gradual erosion of this precious right”).