Do VPNs fall under the data retention requirements of the Stored Communications Act?

Posted on Nov 14, 2013 by John Arsenault

One of the common areas of confusion regarding law and online privacy is the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712, and how it applies to government requests for stored data from online service providers such as Yahoo, Google, Amazon, and Virtual Private Networking (“VPN”) companies. The SCA imposes a number of requirements for data retention and storage of data on applicable organizations and companies. Some have argued that the SCA applies universally to online service providers, and it is true that the SCA applies to a significant number of larger online companies. Contrary to the understanding in some circles, the SCA does not apply to VPN-only services, even though such services meet the geographical jurisdiction requirements as well as some of the elements.

Before we delve into the legal analysis, we have to define a few terms. The most important question in determining whether the SCA applies is whether an organization qualifies as an electronic communications service (“ECS”) or a remote computing service (“RCS”). First, the SCA broadly defines an ECS as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15); see S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3568; Quon v. Arch Wireless Operating Co., 529 F.3d 892, 900-03 (9th Cir. 2008) (text messaging service provider qualified as an ECS); In re Application of United States, 509 F. Supp. 2d 76, 79 (D. Mass. 2007) (cell phone service provider classified as an ECS); Kaufman v. Nest Seekers, LLC, 2006 WL 2807177, at *5 (S.D.N.Y. Sept. 26, 2006) (electronic BBS qualified as an ECS); Freedman v. America Online, Inc., 325 F. Supp. 2d 638, 643 n.4 (E.D. Va. 2004) (AOL qualified as an ECS). Email providers and instant messaging companies are the parties most likely to fall under the ECS classification.

A service does not qualify as an ECS provider if it did not provide the sending or receiving of the communication in question. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game company accessing a user’s private email on another company’s bulletin board service was not a provider of electronic communication service); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used facsimiles and computer systems but did not provide sending or receiving of communications did not qualify as an ECS provider). Moreover, courts do not recognize online services such as Amazon.com as an ECS: Amazon uses an ECS provided by a third party, but that use does not qualify it as an ECS. Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001).

So, technically a VPN provider qualifies as an electronic communications service for sending of electronic communications, but it likely does not qualify as an electronic communications service provider for the purposes of the statute under the case law in Sega Enterprises Ltd. or Crowley. While a VPN offers an online service, the service does not include the specific ability to send or receive the likely communication in question. A VPN allows a user to send an email or communication with the VPN enabled or disabled. For the purposes of qualifying under the statute, whether the VPN is enabled or disabled is not relevant as to how or under what context an electronic communication is sent.

The second definition under which a VPN provider may qualify is that of a remote computing service available to the public. The statute defines a remote computing service as “the provision to the public of computer storage or processing services by means of an electronic communications system.” In less legal-sounding terms, a remote computing service is provided when a person can access an off-site computer for storage or processing of data for a customer.

A server or computer system that stores data on behalf of users for future retrieval purposes qualifies as an RCS. See Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 442-43 (W.D. Tex. 1993) (BBS provider qualified as an RCS), aff’d on other grounds, 36 F.3d 457 (5th Cir. 1994). A business or organization operating a website and any associated servers is not necessarily an RCS, unless the business primarily offers storage or processing services via the web services. For example, a cruise line or airline company may compile and store passenger information and itineraries through its website, but these functions are incidental to its primary function of providing reservation services, which is not data storage and processing; such a company therefore does not become an RCS. See In re Jetblue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 310 (E.D.N.Y. 2005). A VPN would not likely qualify as a remote computing service because a VPN does not on its own offer storage or data processing functionality, nor does it primarily function to store and allow for user data retrieval.

So, while a number of common web services that consumers are likely to be familiar with qualify under the SCA as an ECS or RCS, VPNs do not seem to fall within that range under the current state of the law. Although it is understandable to be concerned with claims that VPNs qualify as an ECS or an RCS for purposes of the SCA, and are thus required to store or retain logs of user activity, it appears that these claims are not likely founded in relevant case law.


3 Comments

  1. Guest

    Hi John,
    If a company offered VPN service and cloud storage, could they be compelled to retain and/or turn over their VPN records under SCA (or any other US law)? Do you know if it would be possible to provide both services as part of one ‘device’ (with one annual bill), and simultaneously claim that two services are ‘separate’ to avoid having to retain and/or turn over the VPN records?

    Thanks for your help!

    9 years ago
  2. John A.

    First, that service is based out of the UK, so a different set of rules and laws apply to them. This article was specific to the U.S. and services based out of it.

    10 years ago
  3. Pat Riot

    So how is it that HMA got one of their customers busted a couple of years ago?

    10 years ago