On Friday, May 9, the Department of Justice (DOJ) released a white paper stating that under its interpretation of the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., communications companies are permitted to disclose “non-content information to the government” as long as that information is in its “aggregate form.” The lynchpin of the DOJ’s analysis is whether the shared information identifies or provides information regarding particular subscribers or customers. Under that standard, data that “is aggregated but still provides information about a particular subscriber or customer” is prohibited from disclosure under the SCA. In releasing its white paper, the DOJ recognized that “information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats.” As such, “the private sector would benefit from a better understanding of whether the electronic communications statutes [DOJ enforces] prohibit them from voluntarily sharing useful cybersecurity information with the government.”
Under the SCA, electronic communication and remote computing service providers are generally prohibited from disclosing the content of customer communications as well as any “record or other information pertaining to a subscriber to or customer of such service.” 18 U.S.C. § 2702(a)(1-3). “Electronic communication” service providers are entities that provide “the ability to send or receive wire or electronic communications,” 18 U.S.C. § 2510(15), while “remote computing” service providers are entities that provide “computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2). By way of example, the white paper notes that Internet Service Providers (ISPs) are both electronic communication and remote computing service providers, while email providers are electronic communication service providers and companies that allow “users to store and retrieve files or photos on its servers” are remote computing service providers.
The DOJ provided specific examples of the cyber threat information that such communications companies can share with the government without running afoul of the SCA’s prohibitions. The white paper states that “characteristics of a computer virus or malicious cyber tool that do not divulge subscriber or customer-specific information (e.g., the associated file size, protocol, or port) could be shared.” In addition, data regarding “Internet traffic patterns is also susceptible to lawful sharing if divulged in aggregate form.” The DOJ went on to note that communications companies could “report to a governmental entity an anomalous swell in certain types of Internet traffic traversing its network or a significant drop in Internet traffic, which could be harbingers of a serious cyber incident.”
In reaching its conclusion, the DOJ stated that its statutory interpretation is consistent with the “SCA’s text, structure, purpose, and legislative history.” According to the white paper, in enacting the SCA, Congress intended to prohibit the disclosure of “information that identifies or otherwise provides information about a particular subscriber or customer, rather than information loosely associated with groups of unknown subscribers or customers, such as the total number of a provider’s customers, or traffic flow across its network.” The purpose of the act was to “provide statutory protection for personal privacy rights” by ensuring customer information “was not subject to wrongful use or public disclosure by law enforcement authorities or unauthorized private parties.” The DOJ therefore concluded that sharing cyber threat information with the government in the form of “aggregated data that does not identify or otherwise provide information about a particular subscriber or customer” was not meant to be prohibited by the SCA.
This white paper, along with the recently released joint DOJ and Federal Trade Commission Antitrust policy statement related to sharing cybersecurity information, shows that the government is increasingly taking steps to encourage information sharing regarding cyber threats.